The flaws of using isset()


I am starting to really dislike the PHP function isset().  Today, I was working on a registration system in CakePHP and my password validation was not working.  If I left the password field blank and clicked submit, it would come back with other errors, but then the password would come back populated with a long string – a hashed version of an empty string!

After some investigation, I discovered that the AuthComponent in CakePHP was doing an isset() check on the username and password fields.  If isset() returned true for both, it would hash the password.

After a quick investigation, it was clear that isset() was returning true when my password field was empty!  The weird part is, I think this is specific to a PHP version.  I'm not 100% positive on this, but at work we develop locally and then commit our work through SVN to our development server.  Up until recently we had a version difference between the two (yes, I know this is a bad idea), and I'm sure I've seen code using isset() work in one environment and not in the other!

I would love if someone would confirm or deny this fact.

Regardless, this is clearly unacceptable.  My field is empty, isset() should not be returning true.  My solution is to ALWAYS use !empty().  Don’t forget the “!” to negate it because empty() returns true when it’s empty!

If you read PHP's documentation, there are still a couple of scenarios in which isset() is needed instead of empty().  The only scenario where I use it often is when I expect zero (0) as a valid result.  With $x = 0, !empty($x) returns false, whereas isset($x) returns true.

In conclusion, save yourself the headaches caused by isset() and use empty() or, if you are dealing with arrays, array_key_exists().
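The behaviour behind the bug described above, as an added example that is not code from the original post or from CakePHP: a constructed set of form submissions run through isset(), empty() and array_key_exists(), followed by a guard (the function name passwordToHash is an assumption) that refuses to hash a blank password without rejecting "0".

```php
<?php
// Added example: how isset(), empty() and array_key_exists() differ on the
// kinds of values a posted form can carry.  $samples is constructed data.
$samples = [
    'blank'   => ['username' => 'jamie', 'password' => ''],   // field left empty: isset() is still true
    'zero'    => ['username' => 'jamie', 'password' => '0'],  // a real value, but empty() treats "0" as empty
    'null'    => ['username' => 'jamie', 'password' => null], // isset() is false for null
    'missing' => ['username' => 'jamie'],                     // key absent: only array_key_exists() tells this apart
];

// Returns a row per sample so the three checks can be compared side by side.
function compareChecks(array $samples): array
{
    $rows = [];
    foreach ($samples as $label => $data) {
        $rows[$label] = [
            'isset'            => isset($data['password']),
            'empty'            => empty($data['password']),
            'array_key_exists' => array_key_exists('password', $data),
        ];
    }
    return $rows;
}

// Guard before hashing.  An explicit comparison against '' catches the blank
// field that isset() lets through, and still accepts "0", which empty() would
// wrongly discard.  Never hash a blank password: it yields a valid-looking hash
// that matches an empty login.
function passwordToHash(array $data): ?string
{
    if (!isset($data['password']) || !is_string($data['password'])) {
        return null;
    }
    if ($data['password'] === '') {
        return null;
    }
    return password_hash($data['password'], PASSWORD_DEFAULT);
}

foreach (compareChecks($samples) as $label => $row) {
    printf("%-8s isset=%-5s empty=%-5s array_key_exists=%s\n", $label,
        var_export($row['isset'], true), var_export($row['empty'], true),
        var_export($row['array_key_exists'], true));
}
foreach ($samples as $label => $data) {
    printf("%-8s hash=%s\n", $label, passwordToHash($data) === null ? 'skipped' : 'produced');
}
```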


  • http://milesj.me/ Miles J

    I never use isset(), simply because of what you describe. I would always get random events using isset(). And like you said, !empty() is the way to go.

    Also, if I know I'll be using numbers or booleans, I do the following:

    $number > 0
    $value === true

  • saintberry

    “Regardless, this is clearly unacceptable. My field is empty, isset() should not be returning true”

    This is incorrect. isset() checks to see if a variable or array key or object or whatever is defined. It does not care if the variable is empty or not – that’s exactly what empty() is for.

    The problem you are experiencing is with CakePHP and really, it's not a problem, it's just the way it operates. If you have a field in a form it will always be set when posted back to a controller. isset($this->data['Model']['field']) will always return true, regardless of whether the field was populated or not.

    When dealing with password fields and the Auth component it is better in my opinion not to use a field name ‘password’ in your form. Instead call it something like ‘password_new’ – do whatever validation you need on that field (how are you going to be able to validate a hash that the Auth component spits out), unset it on error (so that it is never rendered directly in the form), and then in a model beforeSave() use the following to populate the actual password field of the database:

    // Only hash when the user actually typed a new password; otherwise leave
    // the stored password field untouched.
    if (!empty($this->data['User']['password_new'])) {
        $this->data['User']['password'] = AuthComponent::password($this->data['User']['password_new']);
    }

    Hope this helps!

  • http://www.mikebernat.com Mike

    “After a quick investigation, it was clear that isset() was returning true when my password field was empty!”

    The problem and solution in the same sentence 🙂

    Read this and you’ll see how both functions differ and how both serve a specific purpose.
    http://us3.php.net/manual/en/types.comparisons.php

    I agree, however, that most developers start out thinking isset() acts like empty().

  • Xr

    Oh come on. At worst, this is a bug in Cake, not PHP itself. isset() is perfect as it is and, as you said, empty() is better in some cases. If the functions did the same thing, one would have no use.

    Don’t stop using isset() just because it can lead to bugs if you program carelessly.

  • mscdex

    When using empty() on user input, be aware that one of the values empty() considers to be "empty" is the string "0".

  • http://dsi.vozibrale.com/ dr. Hannibal Lecter

    Uh…what?

    Although I agree that auth should not hash the empty password, it doesn’t mean isset() was misplaced. I think it would be much better if the condition was isset() && !empty(), but then – as mscdex said – you’d run into problems with users who try to enter “0” as their password.

    Anyway, in this scenario, isset() did what it’s supposed to do, and your solution to *always* use !empty() is just wrong because those two don’t serve the same purpose.

  • http://ellcom.net Elliot Adderton

    You could try something like:

    !isset($username[0])

    or

    empty($username)

    Another useful function when building input systems is trim(), which removes blank characters at the start and end of a string variable. Like so:

    print trim(' jd ssd '); // will output "jd ssd"

    Hope this helps 🙂


By Jamie
