thilakan Posted August 17, 2014

Where should I validate the return value? In the function, should I validate the value before returning it? Or, once the value has been returned, should I check it? Is it really necessary to validate the return value? Thank you.

CroNiX Posted August 17, 2014

What do you mean by validate? This is a very broad question.

thilakan (Author) Posted August 17, 2014 (edited)

In a function, I am expecting a return value. I cannot assume that it will always run successfully. So I want to check that the return value is the one I expected.

CroNiX Posted August 17, 2014

    if (your check) {
        return value;
    }
    return false; //this will only be returned if the above isn't true

I usually use something like above so I can test if the returned value === false to know if it failed.

mogosselin Posted August 17, 2014 (edited)

So, what kind of return value are you talking about? A return value that you manage, something coming from a native function or an external library?

Anyway, if it's a function you control and the returned value is something unexpected, you should kill your app as soon as possible. For example:

    <?php
    function getUserInfo($userId) {
        $rows = getUserFromDatabase($userId);
        // Exactly one row is expected for a user ID.
        if (count($rows) !== 1) {
            // Here we try to get the logged in user information, but we get more
            // than 1 result from the DB or we get 0, which is not normal
            trigger_error('Got 0 or more than 1 row for user info!', E_USER_ERROR);
        }
        return $rows[0];
    }
    ?>

That way, you don't need to check if the value is valid at every point where you call this function.

Also, you could raise an Exception and try/catch it if you can gracefully recover from it.

thilakan (Author) Posted August 17, 2014

Thank you for your answers.

1. mogosselin, as you said, “returned value is something unexpected, you should kill your app”. Are you telling me that I need to check the return value?
2. Before we return the value, we are checking it and then returning it. How is it secure?

ginerjm Posted August 18, 2014

The security that 'we' as developers are concerned about is 'hacking of input from the client'. Not from our own processes! So the whole question of yours is pretty well moot.

IMHO - Any output from a function should be validated during the process of that function, and that function should return the proper result so the caller doesn't have to handle it. A simple check on the result of the function call should be totally sufficient to handle the continuation of your main stream process.

    if (!GetSomeInfo($arg1, $arg2, $msg)) {
        if ($showerrors) {
            echo "Error occurred - cannot continue - message is $msg";
            exit();
        }
    }

where $showerrors is only true during development.

thilakan (Author) Posted August 18, 2014

Thank you for your answer. In the learning process of PHP, if I have a question, it is good to ask and have a clear answer. THANK YOU ALL!

mogosselin Posted August 18, 2014

> Thank you for your answers.
> 1. mogosselin, as you said, “returned value is something unexpected, you should kill your app”. Are you telling me that I need to check the return value?
> 2. Before we return the value, we are checking it and then returning it. How is it secure?

Well, you would need to check the value before you return it if you think it could have a value that it shouldn't return. For example, if you return the column ID from a database, you probably don't need to check if it's a valid number.

But, if you want to return a value of a PHP function directly that could, in some situations, return something unexpected (like NULL, or false, or whatever)... Then yes, I would check the value before returning it. If it's something unexpected, I would then kill my app (with throw new Exception() or trigger_error()) and display a friendly error message to the user (or display an error message in dev mode).

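The pattern discussed in the replies above, as an added example that is not code from any poster in the thread: the function checks both its row count and the result of a native call (json_decode() returns null on failure) and throws, while the caller logs the detail and shows it only in development. The USERS array is constructed sample data, and the in-memory getUserFromDatabase() and the describeUser() helper are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a database table (assumption).
const USERS = [
    ['id' => 1, 'name' => 'alice', 'prefs' => '{"theme":"dark"}'],
    ['id' => 2, 'name' => 'bob',   'prefs' => '{"theme":'],   // corrupt JSON
    ['id' => 3, 'name' => 'carol', 'prefs' => '{}'],
    ['id' => 3, 'name' => 'carol-duplicate', 'prefs' => '{}'],
];

// Hypothetical in-memory stand-in for the thread's getUserFromDatabase().
function getUserFromDatabase(int $userId): array
{
    return array_values(array_filter(USERS, fn ($r) => $r['id'] === $userId));
}

// Validate inside the function: callers get a good record or an exception.
function getUserInfo(int $userId): array
{
    $rows = getUserFromDatabase($userId);
    if (count($rows) !== 1) {
        throw new UnexpectedValueException("Expected 1 row for user $userId, got " . count($rows));
    }
    // json_decode() returns null on failure, so check before returning it.
    $prefs = json_decode($rows[0]['prefs'], true);
    if (!is_array($prefs)) {
        throw new UnexpectedValueException("Corrupt prefs for user $userId");
    }
    return ['name' => $rows[0]['name'], 'prefs' => $prefs];
}

// Caller: a single try/catch; internal detail is shown only in development.
function describeUser(int $userId, bool $showErrors): string
{
    try {
        $user = getUserInfo($userId);
        return $user['name'] . ' uses theme ' . ($user['prefs']['theme'] ?? 'default');
    } catch (UnexpectedValueException $e) {
        error_log($e->getMessage());   // full detail goes to the server log
        return $showErrors ? 'Error: ' . $e->getMessage() : 'Sorry, something went wrong.';
    }
}

foreach ([1, 2, 3, 4] as $id) {
    echo describeUser($id, false), PHP_EOL;
}
```

Passing true as the second argument to describeUser() shows the development-mode messages instead of the generic one.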