[SOLVED] Advice


Andy-H

I was just wondering if it had any effects on the performance of a script if you check postdata before storing it into a variable.

 

I.E

 

Would

 

if ( empty($_POST['script']) ){
	$err = 'Please enter the scriptcheck in the corresponding input box.';
}else{
	$script = md5(intval($_POST['script']));
}

Be slower than

$script = $_POST['script'];

if ( empty($script) ){
	$err = 'Please enter the scriptcheck in the corresponding input box.';
}else{
	$script = md5(intval($script));
}

 

Thanks in advance for answers.

Link to comment
Share on other sites

Not really, the difference will be very slight. However before using user defined variables (_GET, _POST, _COOKIE etc) you should check to see if they exist first, eg

 

if(isset($_POST['var']))
{
   $var = $_POST['var'];

   // continue
}

 

Doing the following is not the same

if($_POST['var'])
{
   $var = $_POST['var'];

   // continue
}

// nor is

$var = $_POST['var'];
if(isset($var))
{
   // continue
}

Link to comment
Share on other sites

It will use one less variable... oops sorry... not in your example. So no memory gain.

Well then. One less assignment instruction, that's some small amount of time less in execution time (and I mean really small amount of time).

Link to comment
Share on other sites

Basically what I mean is, is it more efficient to store the value of the postdata in a variable before checking the input rather than making numerous calls to the $_POST superglobal? I know the difference in performance is barely noticeable but every little helps.

Link to comment
Share on other sites

If I may:

 

if($_POST['var'])
{
   $var = $_POST['var'];

   // continue
}

// nor is

$var = $_POST['var'];
if(isset($var))
{
   // continue
}

 

Is indeed not a good method of checking whether a variable exists or not because:

 

Method 1 only checks if a variable is set to TRUE or FALSE. If the var is not set at all, this would produce the "Undefined variable on line yada yada"  message.

 

Method 2 would take the contents of $_POST['variable'] and store them in $var. Again, if the var is not set at all, this would produce the same aforementioned error.

 

if (isset($_POST['variable'])) {
 //do thingy
}
else {
}

That's the only way to fly...

Link to comment
Share on other sites

Basically what I mean is, is it more efficient to store the value of the postdata in a variable before checking the input rather than making numerous calls to the $_POST superglobal? I know the difference in performance is barely noticeable but every little helps.

 

Andy, this is basically up to you. If you need to do some data cleansing ( before querying sql for example ) you best put it in a variable.

 

Also, some coders like to assign the values to variables for overall tidiness.

For example, I always use three letters to identify the type of variable:

 

<?php
if (isset($_POST['variable'])) {
 $strVariable = $_POST['variable'];
}
else {
 echo "The variable wasn't set!";
}
?>

In the example I named the var "$strVariable" where str stands for "string".

Other examples:

arr stands for array

int stands for integer

 

And so on...

 

As for performance...I think it's barely noticeable, if at all...

Link to comment
Share on other sites

EDIT: Damn my ISP!

 

The problem with people using isset() is that they don't understand how it works. Most think it works the same as empty(), which is not true. Both do two completely different actions.

 

isset -  checks to see whether a variable is actually defined. It does not check to see if the variable has a value.

empty - on the other hand does the opposite. As it assumes the variable does in fact exist and checks that the variable doesn't have a value.

 

So let's go into the scenarios I posted above. The following is the correct way:

if(isset($_POST['var']))
{
   $var = $_POST['var'];

   // continue
}

Here we use isset, which tells PHP does the variable $_POST['var'] actually exist? If it does assign the variable $var the value of $_POST['var']; PHP now knows what to do here. No issues there.

 

Whereas if($_POST['var']) or if(empty($_POST['var'])) tells PHP does $_POST['var'] have some form of value. If it does assign $var the value of $_POST['var']; There is one important step missing here, which is to see if the variable exists first.

Think of the above in a real-life situation. You live on your own and you're going out. Before going out you'll check you've got your house key on you so you can lock the door when you leave. You're not going to walk straight out the door and try to lock the door with no key!

Link to comment
Share on other sites
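
An added example, not part of any post above: a helper that reads one field the way this thread recommends (isset() first), then also rejects non-string and blank values, printed next to what empty() reports for the same input. `read_field()`, `$post` and the sample requests are constructed for illustration.

```php
<?php
// Added example: read one field from a request array and report why it was rejected.
// $post stands in for $_POST so the sample inputs below can be constructed inline.
function read_field(array $post, string $name): array
{
    if (!isset($post[$name])) {
        return ['missing', null];      // key absent (or null): nothing was submitted
    }
    if (!is_string($post[$name])) {
        return ['not_string', null];   // e.g. script[]=1 arrives as an array
    }
    $value = trim($post[$name]);
    if ($value === '') {
        return ['blank', null];        // submitted, but no content
    }
    return ['ok', $value];
}

// Constructed sample requests.
$samples = [
    'absent' => [],
    'blank'  => ['script' => ''],
    'zero'   => ['script' => '0'],
    'array'  => ['script' => ['1']],
    'normal' => ['script' => '42'],
];

foreach ($samples as $label => $post) {
    [$state, $value] = read_field($post, 'script');
    // empty() raises no notice on a missing key, but it also treats the input "0" as empty.
    $emptySays = empty($post['script']) ? 'empty' : 'not empty';
    printf("%-7s read_field=%-10s empty()=%s\n", $label, $state, $emptySays);
}
```
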

Ty Mike.

 

I have another question lol

 

if ( !isset($_POST['login']) ){
	$err = 'Please enter your desired login name.';
}else{
	if ( !ctype_alnum($_POST['login']) ){
		$err = 'Login name can only contain alphanumeric characters.';
	}else{
		$login = $_POST['login'];
	}
}

 

Would it be unnecessary to use mysql_real_escape_string() on the $_POST['login'] now that I know it only contains A-Za-z0-9? I assume it would be, but my assumptions aren't always best trusted lol

Thanks again for the answer Mike, I am going to put this into practice as my VB.NET tutor told us to do that at college but I was already set in my ways with PHP and never thought to apply it lol

 

lol LemonInflux, so do mine :P

Link to comment
Share on other sites

Well Andy, you can use ctype_alnum, but the downside of that is, that it doesn't accept characters like an underscore, which is pretty common in usernames...

 

I always do:

<?php
if (isset($_POST['username'])) {
 $strUName = mysql_escape_string($_POST['username']);
}
else {
 echo "You really should do your best to supply a username!";
}
?>

Link to comment
Share on other sites

What's interesting, is that empty($var) evaluates to true even if isset($var) is false. That's why empty() shouldn't be used here.

Because they both do two completely different things.

 

The problem with people using isset() is that they don't understand how it works. Most think it works the same as empty(), which is not true. Both do two completely different actions.

 

isset -  checks to see whether a variable is actually defined. It does not check to see if the variable has a value.

empty - on the other hand does the opposite. As it assumes the variable does in fact exist and checks that the variable doesn't have a value.

My post got delayed as the page just kept loading and loading. I get this sometimes with my ISP.

Link to comment
Share on other sites

I use login name, display name, password, so that all the users' login data can be encrypted using md5(). And I figured if I allow users to use any character in their login name I will get retards forgetting their details and complaining that they can't remember it. And obviously I can't use a resend login details with encrypted data.

Link to comment
Share on other sites

I use login name, display name, password, so that all the users' login data can be encrypted using md5(). And I figured if I allow users to use any character in their login name I will get retards forgetting their details and complaining that they can't remember it. And obviously I can't use a resend login details with encrypted data.

Why store the username encrypted? I only encrypt the password...

And resending the password is impossible, but resetting not...

 

You could use the random function to generate a password, mail it to the user, then encrypt it using MD5() or SHA1() and then set that in the database...

Link to comment
Share on other sites

For your convenience, I included a sample code I actually use...

 

<?php
function PasswordNew() {
	// Generate the new password once and store only its MD5 hash
	$password = makeRandomCode();
	$md5password = md5($password);

	// Escape user input before putting it into the query
	$username = mysql_real_escape_string($_POST['username']);
	$email = mysql_real_escape_string($_POST['emailaddress']);

	$reset = mysql_query("UPDATE users SET password='$md5password' WHERE username='$username' AND emailaddress='$email'") or die(mysql_error());
	$subject = "Password reset for www.domain.nl";
	$message = "yada yada yada";

	// Strip CR/LF so user input cannot add extra mail headers
	$toName = str_replace(array("\r", "\n"), '', $_POST['username']);
	$toAddress = str_replace(array("\r", "\n"), '', $_POST['emailaddress']);

	$headers  = "MIME-Version: 1.0\r\n";
	$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
	$headers .= "To: {$toName}<{$toAddress}>\r\n";
	$headers .= "From: Domain.nl <no_reply@domain.nl>\r\n";

	mail($toAddress, $subject, $message, $headers);
}

//then the function to make the random code...:

function makeRandomCode() {
	$salt = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
	// Seed the random number generator from the current time
	srand((double)microtime()*10000000);
	$i = 0;
	$pass = "";
	while ($i < 6) {
		// Pick an index anywhere in the character set
		$num = rand() % strlen($salt);
		$tmp = substr($salt, $num, 1);
		$pass = $pass . $tmp;
		$i++;
	}
	return $pass;
}
?>

 

The randomcode function is very old and I should review the code because I can do it far simpler I think but what the hell....If it ain't broken ;)

 

That should give you a "rough" idea of where to go ;)

Link to comment
Share on other sites

Ty Mike.

 

I have another question lol

 

if ( !isset($_POST['login']) ){
	$err = 'Please enter your desired login name.';
}else{
	if ( !ctype_alnum($_POST['login']) ){
		$err = 'Login name can only contain alphanumeric characters.';
	}else{
		$login = $_POST['login'];
	}
}

 

Would it be unnecessary to use mysql_real_escape_string() on the $_POST['login'] now that I know it only contains A-Za-z0-9? I assume it would be, but my assumptions aren't always best trusted lol

 

 

Any comments on that one?

 

Thanks again Mike, I already have basically the same function lol. Mine doesn't like hotmail tho so I think that will be useful :P

 

Also, I always wondered what the use of:

 

srand((double)microtime()*10000000);

 

Was?

Link to comment
Share on other sites

Well Andy, you can use ctype_alnum, but the downside of that is, that it doesn't accept characters like an underscore, which is pretty common in usernames...

 

I always do:

<?php
if (isset($_POST['username'])) {
 $strUName = mysql_escape_string($_POST['username']);
}
else {
 echo "You really should do your best to supply a username!";
}
?>

 

My bad...

Since you already know that the username contains only letters or numbers it *should* be unnecessary to escape it...but it wouldn't hurt, would it? ;)

Link to comment
Share on other sites
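
The reset routine and the escaping question above, reworked as an added example (not code from any poster in this thread): the login is allow-listed with ctype_alnum() and still bound as a query parameter, so the query does not depend on the validation being right. It swaps the thread's mysql_* calls for PDO prepared statements, rand()/srand() for random_int(), and md5() for password_hash(). The `users` table layout, the function names and the in-memory SQLite database are assumptions for illustration, and the mail step is left out so the block runs offline.

```php
<?php
// Added example. Table layout and function names are assumptions for illustration.
function randomPassword(int $length = 12): string
{
    $alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];   // CSPRNG, no manual seeding
    }
    return $out;
}

function resetPassword(PDO $db, array $post): ?string
{
    $login = $post['username'] ?? null;
    $email = $post['emailaddress'] ?? null;
    if (!is_string($login) || !ctype_alnum($login)) {
        return null;                              // allow-list: letters and digits only
    }
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                              // also rules out CR/LF in the address
    }
    $password = randomPassword();
    $stmt = $db->prepare(
        'UPDATE users SET password = :hash WHERE username = :login AND emailaddress = :email'
    );
    $stmt->execute([
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
        ':login' => $login,
        ':email' => $email,
    ]);
    // Hand back the plaintext only when exactly one account was updated.
    return $stmt->rowCount() === 1 ? $password : null;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, emailaddress TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('andy01', 'andy@example.test', 'old')");

var_dump(resetPassword($db, ['username' => 'andy01', 'emailaddress' => 'andy@example.test']) !== null);
var_dump(resetPassword($db, ['username' => "andy01' --", 'emailaddress' => 'andy@example.test']));
```
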
