ChenXiu Posted June 18, 2021 Share Posted June 18, 2021 (edited) Which is better? if(!isset($_SESSION['user'])) { exit; } if($_SESSION['user'] !== 'SiteOwner') { exit; } - or - if(!isset($_SESSION['user'])) { exit; } else { if($_SESSION['user'] !== 'SiteOwner') { exit; } } Is the "if else" version more secure? Basically, if nobody's logged in, exit immediately. But if somebody's logged in, make extra sure it's the Site Owner. p.s. I know that " if( !isset($_SESSION['user'] || ($_SESSION['user'] !== 'SiteOwner')) { exit; } " works, but I want to keep the code flexible for adding other types of users in the future. Thank you. Edited June 18, 2021 by ChenXiu Quote Link to comment https://forums.phpfreaks.com/topic/312941-bad-way-is-else-more-secure/ Share on other sites More sharing options...
gw1500se Posted June 18, 2021 Share Posted June 18, 2021 if(!isset($_SESSION['user']) || $_SESSION['user'] !== 'SiteOwner') { exit; } 1 Quote Link to comment https://forums.phpfreaks.com/topic/312941-bad-way-is-else-more-secure/#findComment-1587353 Share on other sites More sharing options...
Solution Phi11W Posted June 18, 2021 Solution Share Posted June 18, 2021 Over the lifetime of this (or any other) Application, you will spend far more time reading its code than you will writing any of it so go for whichever form expresses your intention most clearly. Personally, I'd go with the former or, perhaps, an even more concise one: if ( ! isset( $_SESSION['user'] ) ) exit ; if ( 'SiteOwner' !== $_SESSION['user'] ) exit ; I'm not sure of the context in which this runs - perhaps a redirect to another page might be more appropriate than the "exit"? YMMV. Regards, Phill W. 1 Quote Link to comment https://forums.phpfreaks.com/topic/312941-bad-way-is-else-more-secure/#findComment-1587354 Share on other sites More sharing options...
cyberRobot Posted June 18, 2021 Share Posted June 18, 2021 (edited) 2 hours ago, ChenXiu said: Is the "if else" version more secure? Either way works. Once the exit language construct executes, the script stops. It won't do anything with that next if construct when the "user" SESSION variable isn't set. So using else, in this case, is unnecessary. More information about how exit works can be found here:https://www.php.net/manual/en/function.exit.php With that said, if using "else" makes more sense to you...you might consider "elseif" if(!isset($_SESSION['user'])) { exit; } elseif($_SESSION['user'] !== 'SiteOwner') { exit; } And when you get to the stage of blocking multiple user types, you could potentially do something like this: if(!isset($_SESSION['user'])) { exit; } elseif(in_array($_SESSION['user'], array('SiteOwner', 'SiteAdmin'))) { exit; } Note that the above code is untested. Edited June 18, 2021 by cyberRobot Added examples Quote Link to comment https://forums.phpfreaks.com/topic/312941-bad-way-is-else-more-secure/#findComment-1587358 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.