Geek Answers Handbook

Why do large frameworks ignore prerequisite checking?

From what I know, the prerequisite check - good practice. If the method requires an int value, then this is a good solution to use something like this:

public function sum($input1, $input2) { if (!is_int($input1)) throw new Exception('Input must be a integer');

However, looking at the source code Zend / Codeigniter, I do not see very often these checks. Is there a reason for this?

+4
source share
3 answers

Because it is difficult / inefficient to test each variable before using it. Instead, they only check the input variables - check visitors at the door, and not once in the house.

This, of course, a good defensive programming method for testing at least the more important vars before using them, especially if the input comes from many places.

This is a little off topic, but the solution I would recommend is to check the input variables as follows:

 $username=get('username', 'string'); $a=get('a', 'int'); ... , 'string'); $username=get('username', 'string'); $a=get('a', 'int'); ... , 'int'); $username=get('username', 'string'); $a=get('a', 'int'); ...

$ _ REQUEST, and the like should never be used (or even be available) directly.

In addition, when the output HTML, you should always use it:

 echo html($username); // replaces '<' with '&lt;' - uses htmlentities

To avoid SQL injection attacks, you can use MeekroDB, but unfortunately it is very limiting (only MySQL, only one DB ...). It has a nice API that contributes to security, so I would recommend checking it out. For myself, I created a small database library that is based on PDO and uses prepared statements. YMMV.

+3
source

Note these strict prerequisites in any case is not necessary and is not useful for dynamically typed language.

 $sum = sum("1", "2");

Why it should be prohibited? Additionally, if you throw an exception, trying to avoid it. This means that it checks, and cast himself

 function sum ($a, $b) { if (!is_int($a)) throw new Exception('Input must be a integer'); if (!is_int($b)) throw new Exception('Input must be a integer'); return $a + $b; } if (!is_int($value1)) { $value1 = (int) $value1; } if (!is_int($value2)) { $value2 = (int) $value2; } $sum = sum($value1, $value2); ) { function sum ($a, $b) { if (!is_int($a)) throw new Exception('Input must be a integer'); if (!is_int($b)) throw new Exception('Input must be a integer'); return $a + $b; } if (!is_int($value1)) { $value1 = (int) $value1; } if (!is_int($value2)) { $value2 = (int) $value2; } $sum = sum($value1, $value2); ) {$ value1 = (int) $ value1; function sum ($a, $b) { if (!is_int($a)) throw new Exception('Input must be a integer'); if (!is_int($b)) throw new Exception('Input must be a integer'); return $a + $b; } if (!is_int($value1)) { $value1 = (int) $value1; } if (!is_int($value2)) { $value2 = (int) $value2; } $sum = sum($value1, $value2); ) {$ value2 = (int) $ value2; function sum ($a, $b) { if (!is_int($a)) throw new Exception('Input must be a integer'); if (!is_int($b)) throw new Exception('Input must be a integer'); return $a + $b; } if (!is_int($value1)) { $value1 = (int) $value1; } if (!is_int($value2)) { $value2 = (int) $value2; } $sum = sum($value1, $value2);

Each is_int() is performed several times in order to avoid unnecessary exception.

It is enough to check the values ​​when you receive them, and not throughout the application.

+2
source

Speaking of ZF, I would say that they are trying to minimize this in favor of interfaces and classes. Many definitions in the ZF you can see something like this:

 public function preDispatch(Zend_Request_Http $request)

that's good enough. Also in critical areas that require ints / strings, there are some sanity checks. But mostly not in the form of is_string() , but rather as isValidLocale() , which causes some other class for validation.

0
source

More articles:


All Articles