If a checkbox is not checked then nothing at all is posted-back: the post value will not be set (or even exist).
POST data are strings (or arrays of strings), unless you do some conversion to a number, etc., so you should compare against '1'.
PHP Code:
if (isset($_POST['selectAll']) && !empty($_POST['selectAll']) && $_POST['selectAll'] == '1') {
Most people tend to omit the second of these tests. But we can now do:
PHP Code:
if ($_POST['selectAll'] && $_POST['selectAll'] == '1') {
where the first expression says, effectively, "it exists and has a value"; that is, a value other than a falsy-value.
__________________
"I'm here to save your life. But if I'm going to do that, I'll need total uninanonynymity." Me Myself & Irene.
Validate your HTML and CSS
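An added example (not code from the thread) that runs the three tests side by side over hand-built stand-ins for $_POST, so you can see what an unchecked box, a "0", an empty string, a loosely-matching "1.0" and a tampered value each produce. The helper name checkboxChecked and the sample arrays are assumptions made for this example; the field name selectAll is the one from the post.

```php
<?php
// Added example (not from the thread): how a checkbox named "selectAll"
// does or does not appear in $_POST, and how the different tests behave.
// The $post arrays below are constructed by hand to stand in for real
// form submissions, so this runs from the command line with no browser.

declare(strict_types=1);

/**
 * True only when the checkbox was submitted with exactly the value "1".
 * A strict comparison is used so that "1.0", "01", "on" or a script
 * smuggled into the value are all rejected; the key is tested with
 * isset() first, so a missing box never raises an undefined-index notice.
 */
function checkboxChecked(array $post, string $name): bool
{
    return isset($post[$name]) && $post[$name] === '1';
}

// Constructed sample submissions (assumed, not captured from a real form).
$samples = [
    'checked'      => ['selectAll' => '1'],
    'unchecked'    => [],                                   // browser sends nothing for the box
    'zero string'  => ['selectAll' => '0'],                 // set, but empty() is true
    'empty string' => ['selectAll' => ''],
    'loose match'  => ['selectAll' => '1.0'],               // '1.0' == 1 but !== '1'
    'tampered'     => ['selectAll' => '1<script>alert(1)</script>'],
];

foreach ($samples as $label => $post) {
    $set      = isset($post['selectAll']);
    $nonEmpty = !empty($post['selectAll']);                  // true implies $set is true
    $loose    = $set && $post['selectAll'] == 1;             // the loose test from the thread;
                                                             // result for 'tampered' differs
                                                             // between PHP 7 and PHP 8
    $strict   = checkboxChecked($post, 'selectAll');

    printf("%-13s isset=%-5s !empty=%-5s ==1:%-5s ===\"1\":%s\n",
        $label,
        var_export($set, true),
        var_export($nonEmpty, true),
        var_export($loose, true),
        var_export($strict, true)
    );
}
```

Run it with `php checkbox.php`. The `!empty` column never disagrees with `isset` except for "0" and "", which is why the second test subsumes the first; the loose `== 1` column is the one that lets "1.0" (and, on PHP 7, a value that merely starts with "1") through, which the strict `=== '1'` column does not.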
Quote:
if (isset($_POST['selectAll']) && !empty($_POST['selectAll']) && $_POST['selectAll'] == '1') {
Most people tend to omit the second of these tests.
I don't follow the logic here.
If something is "set" then it surely cannot be "empty"?!
Quote:
But we can now do:
PHP Code:
if ($_POST['selectAll'] && $_POST['selectAll'] == '1') {
where the first expression says, effectively, "it exists and has a value"; that is, a value other than a falsy-value.
Okay, but that is basically the same as my original post...
If $_POST['selectAll'] == 1, then it surely is not "empty" as in my OP, and it also surely has a value as in your suggestion above, right?
So what value does having either !empty($_POST['selectAll']) or $_POST['selectAll'] really provide?
(In cases where you are dealing with Form values, I think all of this applies much better, but for a Check-Box in a Form which is basically binary, I don't think you need as much rigour...)
"" (an empty string)
0 (0 as an integer)
0.0 (0 as a float)
"0" (0 as a string)
NULL
FALSE
array() (an empty array)
$var; (a variable declared, but without a value)
Quote:
for a Check-Box in a Form which is basically binary, I don't think you need as much rigour...
PHP doesn't know it is a checkbox - it is just a value to PHP, and can be hijacked to embed a malicious script in its value.
All $_POST data are initially supposed to be (according to the docs) strings. I understand that comparing to 1 rather than '1' will likely work. Personally, I won't make this assumption and I specifically cast to a number if appropriate.
I always quote attributes and the closing back-slash / is not required in HTML5.
I do, but sometimes I get things mixed up. (I didn't realize that something could be "set" and be "empty"...)
Quote:
PHP doesn't know it is a checkbox - it is just a value to PHP, and can be hijacked to embed a malicious script in its value.
But in this code, I don't see how checking for a value other than '1' or empty really adds any value...
PHP Code:
if ($_POST['selectAll'] == 1){
// All Messages Selected.
$updateMsgArray = $_POST['msgArray'];
}elseif ($_POST['selectedMsgArray']){
// Some Messages Selected.
$updateMsgArray = $_POST['selectedMsgArray'];
}else{
// No Messages Selected.
$error = 'Please choose a Message(s) to update.';
}
I think this particular code is pretty tight and covers all cases where a hacker hacked my Form submission, right?
But in other situations, I think your extra checks make more sense.
Quote:
All $_POST data are initially supposed to be (according to the docs) strings. I understand that comparing to 1 rather than '1' will likely work. Personally, I won't make this assumption and I specifically cast to a number if appropriate.
Where do you cast?
Do you have to do that in the PHP that handles the Form *after* it is submitted?
The main thing is to check, and sanitise, post-data (in an appropriate way) and never make assumptions about the type of value you have been sent.
Once I've checked and sanitised the post data I move them into standard $variables. I know that they are now clean and I will drop any references to $_POST for the rest of the code.
Of course, the burden is reduced when using prepared statements, but we still want to prevent errors on the page. Errors that might occur if we assume that the value is of a certain type, or, similarly, if we try to INSERT a wrong value-type into our database.
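An added example, not the poster's code, that applies the advice above to the selectAll / msgArray / selectedMsgArray form from the earlier post: the post data are checked once, copied into plain variables, and only those variables reach a prepared statement. The field names come from the thread; the helper names (validateIdList, selectMessageIds), the table and column names (private_messages, id, owner_id, is_read), the current user ID and the SQLite in-memory database are all assumptions made so the example runs offline.

```php
<?php
// Added example (not the poster's code): check and sanitise the post
// data once, move it into plain variables, then use only those with a
// prepared statement. Field names selectAll, msgArray, selectedMsgArray
// are from the thread; the schema, user ID and SQLite database are assumed.

declare(strict_types=1);

/**
 * Validate a submitted list of message IDs. Returns a de-duplicated
 * array of positive integers, or null if the field is missing, is not
 * an array, or contains anything that is not a positive integer.
 */
function validateIdList(array $post, string $name): ?array
{
    if (!isset($post[$name]) || !is_array($post[$name])) {
        return null;
    }
    // FILTER_REQUIRE_ARRAY applies the int filter to every element;
    // a bad element becomes false, a nested array stays an array.
    $ids = filter_var(
        $post[$name],
        FILTER_VALIDATE_INT,
        ['flags' => FILTER_REQUIRE_ARRAY, 'options' => ['min_range' => 1]]
    );
    if ($ids === false) {
        return null;
    }
    foreach ($ids as $id) {
        if (!is_int($id)) {          // rejects false (bad value) and nested arrays
            return null;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Decide which IDs to update from the raw post data.
 * Returns [ids, null] on success or [null, errorMessage] on failure;
 * nothing from $post is used anywhere after this call.
 */
function selectMessageIds(array $post): array
{
    $selectAll = isset($post['selectAll']) && $post['selectAll'] === '1';
    $field     = $selectAll ? 'msgArray' : 'selectedMsgArray';
    $ids       = validateIdList($post, $field);

    if ($ids === null || $ids === []) {
        return [null, 'Please choose a Message(s) to update.'];
    }
    return [$ids, null];
}

// --- Constructed sample data standing in for a real submission ------------
$currentUserId = 7;                                    // would come from the session (assumed)
$_POST = [
    'selectAll'        => '0',
    'msgArray'         => ['1', '2', '3'],
    'selectedMsgArray' => ['2', '3', '3', '99'],       // 99 belongs to another user
];

[$ids, $error] = selectMessageIds($_POST);
if ($error !== null) {
    echo $error, PHP_EOL;
    exit(1);
}

// --- Prepared statement: one placeholder per ID, every value bound as an int
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE private_messages (id INTEGER PRIMARY KEY, owner_id INTEGER, is_read INTEGER DEFAULT 0)');
$pdo->exec('INSERT INTO private_messages (id, owner_id) VALUES (1,7),(2,7),(3,7),(99,8)');

$placeholders = implode(',', array_fill(0, count($ids), '?'));
$stmt = $pdo->prepare(
    "UPDATE private_messages SET is_read = 1 WHERE owner_id = ? AND id IN ($placeholders)"
);
$stmt->bindValue(1, $currentUserId, PDO::PARAM_INT);
foreach ($ids as $i => $id) {
    $stmt->bindValue($i + 2, $id, PDO::PARAM_INT);
}
$stmt->execute();
printf("Updated %d message(s) of %d requested\n", $stmt->rowCount(), count($ids));
```

Two design points worth noting. The owner_id condition in the WHERE clause is what stops a submitted ID that the user does not own from being touched, even though it passed the integer check; validation proves the value is well-formed, it does not prove the user may act on it. And the IN list is built from placeholders only, with the count taken from the already-validated array, so no submitted string is ever concatenated into the SQL.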
Quote:
The main thing is to check, and sanitise, post-data (in an appropriate way) and never make assumptions about the type of value you have been sent.
Once I've checked and sanitised the post data I move them into standard $variables. I know that they are now clean and I will drop any references to $_POST for the rest of the code.
Of course, the burden is reduced when using prepared statements, but we still want to prevent errors on the page. Errors that might occur if we assume that the value is of a certain type, or, similarly, if we try to INSERT a wrong value-type into our database.
Okay, so then I probably need to add something here...
In my Form, a User checks the Private Messages that he/she wants to update, and my Form submits an array like this...