B2B: Testing and defining variables in PHP


PHP is a dynamic, weakly-typed language, and as such, beginners to the language will often find their code acting unpredictably because of assumptions they have made.

PHP has a fairly low entry point for new programmers - it’s easy enough to get a couple of small sample scripts up and running, but by the same token, it’s really easy to pick up bad habits and carry them through into larger projects. Since PHP is often the first language used extensively by a new generation of web programmers, and doesn’t have strict typing or error reporting, a lot of people simply never pick up the best practices for system design and implementation.

This tutorial is going to be a quick introduction to variables in PHP, and how to test them effectively for missing or incorrect data.

To define a variable in PHP, you simply refer to it and assign it a value. Notice that you don’t need to place a type before it, e.g. int or string.

  $var1 = 'abc';

One variable is now present in your system, $var1, with the value abc.

If you are planning on using a group of variables in your program, it is generally good practice to declare them near the top of your function or method, or near the top of the file, and assign them sensible default values:

  $counter = 0;
  $name = '';
  $max = 10;

Testing variables

To maintain a predictable system, you need to ensure that you are always testing variables for expected values and sanitising them where necessary. Sanitising refers to cleaning up any data that has come from an untrusted source, i.e. a user submitted form or something similar. Such data must never be used directly without being checked or parsed - a common mistake is to take data a user has submitted and immediately use it in a database query:

  $query = "SELECT * FROM table WHERE name LIKE {$_POST['name']}";

This is a classic example of an SQL injection flaw. A malicious user could easily craft a request to modify or even drop your entire database.

A better query would look like this:

  // mysql_escape_string() belongs to the old mysql extension, which was removed in PHP 7.0
  $name = mysql_escape_string($_POST['name']);
  $query = "SELECT * FROM table WHERE name LIKE '$name'";

Notice the additional quotes around $name in the query. The curly braces around the variable are no longer required, as it isn’t a value being accessed in an array. Additionally, notice that the $query string is surrounded by double quotes (") - this means that variables and string literals inside the string will be parsed.

  $name = 'Michael';
  $test1 = 'My name is $name';
  $test2 = "My name is $name";

Try printing the variables above in your own script and see the difference. $test1 will say ‘My name is $name‘ whilst $test2 will say ‘My name is Michael‘.
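Returning to the escaped query above, here is the same lookup with a bound parameter instead of string escaping. This is an added example, not part of the original tutorial: it assumes PDO with an in-memory SQLite database, and the people table, its rows and the find_by_prefix helper are constructed for illustration. It also escapes the LIKE wildcards % and _, which mysql_escape_string leaves untouched.

```php
<?php
// Added example. Constructed data in an in-memory SQLite database (assumption:
// the pdo_sqlite extension is available) so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');
$db->exec("INSERT INTO people (name) VALUES ('Michael'), ('Michelle'), ('O''Brien')");

// Hypothetical helper: return the names that start with the submitted text.
function find_by_prefix(PDO $db, $submitted)
{
    // Escape the LIKE wildcards so a % or _ typed by the user matches literally,
    // then append our own % to make it a prefix search.
    $pattern = addcslashes($submitted, '%_\\') . '%';

    // The ? placeholder keeps the value out of the SQL text: the statement is
    // parsed first and the value is bound afterwards, so quotes in it are data.
    $stmt = $db->prepare("SELECT name FROM people WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute(array($pattern));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed stand-ins for $_POST['name'].
$samples = array('Mich', "O'Brien", "x' OR '1'='1", '%');
foreach ($samples as $submitted) {
    $found = find_by_prefix($db, $submitted);
    printf("%-14s matched %d row(s): %s\n", $submitted, count($found), implode(', ', $found));
}
```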

PHP provides several functions to test variables with. Here is a table of the results from a couple of them:

  $var is             Function   PHP returns
  (not set)           isset      false
  '' (empty string)   isset      true
  123                 isset      true
  null                isset      false
  '' (empty string)   empty      true
  123                 empty      false
  (not set)           empty      true

Above, we use empty to test whether a variable has a value; this function returns FALSE if the variable has a non-empty and non-zero value. The following are values that PHP treats as false (zero):

  • "" i.e. empty string
  • 0 as an Integer
  • "0" as a String
  • NULL
  • FALSE
  • array()

Also note that empty only tests variables; anything else will result in a parse error. In other words, the following will not work: empty(trim($name)); (from www.php.net/empty).

Once a variable is defined (or set), you can use unset($var) or $var = null to destroy it.

Because PHP is weakly-typed, since PHP 5 (I think, maybe sooner), an additional operator has been included. By extending the standard boolean test operator ‘==’ to 3 equal signs, ‘===’, the variables being tested will also be tested to see if their base types match. In other words:

  (0 == '')

returns true because both are seen as false (0) by PHP, but

  (0 === '')

returns false because 0 is an integer and '' is a string, so their values match, but not their types.

This additional checking can also be used in the negative form, i.e. ‘!==’.

Using everything we’ve discussed above, a sensible way to read from the HTTP POST parameter super-global and set a default value is to use the ternary operator in PHP:

  $name = (isset($_POST['name'])) ? $_POST['name'] : 'none';
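A fuller version of the same read, added here as an example and not part of the original tutorial: read_field is a hypothetical helper and $form is a constructed stand-in for $_POST. It uses isset and === rather than empty, so that a submitted "0" is kept, and it rejects a field that arrives as an array instead of a string.

```php
<?php
// Hypothetical helper: read one text field from a submitted form.
function read_field(array $form, $key, $default = 'none')
{
    // isset() is false when the key is missing or its value is null.
    if (!isset($form[$key])) {
        return $default;
    }
    // A request such as name[]=x makes PHP deliver an array, not a string;
    // refuse it here instead of letting it reach string functions.
    if (!is_string($form[$key])) {
        return $default;
    }
    $value = trim($form[$key]);
    // Strict test against '' only. empty($value) would also discard "0",
    // which is a legitimate answer for a quantity or a yes/no flag.
    return ($value === '') ? $default : $value;
}

// Constructed stand-in for $_POST.
$form = array(
    'name'  => '  Michael ',
    'qty'   => '0',
    'blank' => '   ',
    'tags'  => array('a', 'b'),
);

foreach (array('name', 'qty', 'blank', 'tags', 'missing') as $key) {
    $strict = read_field($form, $key);
    // The shortcut many scripts use: it treats "0" the same as a missing field
    // and passes arrays and untrimmed whitespace straight through.
    $loose = empty($form[$key]) ? 'none' : $form[$key];
    printf("%-8s strict=%s loose=%s\n", $key, json_encode($strict), json_encode($loose));
}
```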

A good way to quickly play around with all these different functions, and to test your logic, is to use the PHP interactive shell (PHP 5.1 onwards):

  $ php -a

Alternatively use PHP-Shell which has more features than the built-in shell (link below).

Related links

  1. PHP-Shell by Jan Kneschke
  2. http://www.php.net/manual/en/function.isset.php
  3. http://www.php.net/manual/en/function.empty.php
  4. http://www.php.net/manual/en/function.unset.php

This entry was posted on Tuesday, January 23rd, 2007 at 7:53 pm and is filed under Code, MySQL.

22 Responses to “B2B: Testing and defining variables in PHP”

  1. Chris M said this on

    Great tutorial bud :)

  8. Duncan Sawyers said this on

    This site won’t display correctly on my blackberry - you may wanna try and fix that
