Broad Network


Constant in PHP with Security Considerations

Foreword: In PHP it is possible to keep the value of a variable constant, such that any attempt to change the value for the variable will fail.

By: Chrysanthus Date Published: 17 Nov 2018

Introduction

In PHP it is possible to keep the value of a variable constant, such that any attempt to change the value for the variable will fail.

Two ways of Defining Constant in PHP
There are two ways of defining a constant in PHP: you use the define() function or the reserved word, const.

The define() Function
Try the following code:

<?php

    define('pii', 3.14);

    echo pii;

    //pii = 4.77;

?>

The output is:

    3.14

In the code, the variable is pii (case sensitive) without the preceding $. The value is 3.14. If the value is a string, it should be in quotes. A number as a value may or may not be in quotes. In the argument list of the define() function, the name of the variable must always be in quotes, without the preceding $.

You read the value of the constant using the name of the variable, without the preceding $.

Now, remove the comment (two forward slashes) and try the code again, with the hope of changing the value of the constant.

Note that the program (script) does not even run because of the fatal error.

The const Reserved Word
Try the following code:

<?php

    const pii = 3.14;

    echo pii;

    //pii = 4.77;

?>

Note the use of the reserved word, const. Note that the variable, pii, does not have $ in any of the statements. If the value were a string, it would have been typed in quotes. The output is:

    3.14

A variable without $ is called a bare word. The value of 3.14 assigned to pii cannot be changed for pii.

Now, remove the comment (two forward slashes) and try the code again, with the hope of changing the value of the constant.

Note that the program (script) does not even run because of the fatal error.

Scope
As opposed to defining constants using define(), constants defined using the const keyword must be declared at the top-level scope because they are defined at compile-time. This means that they cannot be declared inside functions, loops, if statements or try/catch blocks.

So you declare it like:

    <?php

        const pii = 3.14;

        if (25 == 25)
            {
                    echo pii;
            }

    ?>

and not like:

    <?php

        if (25 == 25)
            {
                const pii = 3.14;    //wrong position
                echo pii;
            }

    ?>

However, the following is okay:

    <?php

        if (25 == 25)
            {
                define('pii', 3.14);
                echo pii;
            }

    ?>

Constant with Arrays
In PHP today, when you make an array constant, you make the whole array constant to its variable, and you make the value of each element constant to its key. Try the following code:

<?php

    const ANIMALS = array('dog', 'cat', 'bird');
    echo ANIMALS[1];

?>

The output is:

    cat

Try the following code, where an attempt to change the value of the array variable, to that of an array of colors, leads to a fatal error:

<?php

    const ANIMALS = array('dog', 'cat', 'bird');

    ANIMALS = array('blue', 'red', 'green');

?>

Try the following code, where an attempt to change the value of an array element, from 'cat' to 'cow', leads to a fatal error:

<?php

    const ANIMALS = array('dog', 'cat', 'bird');

    ANIMALS[1] = 'cow';

?>

The above three code samples have the following equivalents, which can be used within blocks:

<?php

    define('ANIMALS', array('dog', 'cat', 'bird'));
    echo ANIMALS[1];

?>

<?php

    define('ANIMALS', array('dog', 'cat', 'bird'));
    ANIMALS = array('blue', 'red', 'green');

?>

<?php

    define('ANIMALS', array('dog', 'cat', 'bird'));
    ANIMALS[1] = 'cow';    //same failing assignment as in the const version

?>

Security Considerations

Array
Bare Words as Keys
Array keys that are words should be written in quotes; only within a double-quoted string should they be written as bare words. Outside a string, the use of a bare word as a key conflicts with current PHP (built-in) constants and with constants to come.

Solution: Always use word keys in quotes. If you are to use it in a double quoted string, separate the string, isolating the array key variable as in the following code:

<?php

    $arr = array('one' => "aaa", 'fruits' => "oranges", 'three' => "ccc");

    echo "I need some " . $arr['fruits'] . " after meal.";

?>

In this way, you always use word keys in quotes.

Variable without $
A declared variable such as

    avar;

actually has the string value, "avar", given by PHP.

For a long program, you may declare a constant with the variable name, avarr. Down in the code, you type avar, without the second r. If the value of the constant were a string, the return value would be "avar", a string, and your program will continue to run with wrong data and wrong results.

Prevention: just be very careful how you code.
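
The two risks above (a bare word used as an array key, and a misspelled constant name) can be turned into hard failures instead of silent wrong data. The following is an added example, not code from the original article; the helper require_constant(), the constant values and the colliding define('fruits', ...) are constructed for illustration. Since PHP 7.2 the bare-word fallback raises a warning, and since PHP 8.0 an undefined constant throws an Error, so the handler below matters mainly on PHP 7.x.

```php
<?php
declare(strict_types=1);

// Turn every PHP warning or notice into an exception, so that PHP 7.x's
// "Use of undefined constant" warning stops the script instead of letting
// it continue with the bare word's own name as the value.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// --- Bare word as an array key (same array as in the article) ---
$arr = array('one' => "aaa", 'fruits' => "oranges", 'three' => "ccc");

// Constructed collision: stands for a constant that a library or a later
// PHP release defines with the same name as the bare key.
define('fruits', 'three');

echo $arr[fruits], "\n";     // bare word resolves to the constant, so key 'three' is read
echo $arr['fruits'], "\n";   // quoted key is unaffected by the constant

// --- Misspelled constant: avarr is intended, avar is the typo ---
const avarr = 'reports';     // constructed value

// Hypothetical helper: resolve a constant by name and fail closed.
function require_constant(string $name)
{
    if (!defined($name)) {
        throw new LogicException("Undefined constant: $name");
    }
    return constant($name);
}

echo require_constant('avarr'), "\n";

try {
    echo require_constant('avar'), "\n";   // typo is rejected before any value is used
} catch (LogicException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

try {
    echo avar, "\n";                       // direct use of the misspelled name
} catch (Throwable $e) {
    // PHP 8 throws Error itself; on PHP 7.x the handler above throws ErrorException.
    echo 'Rejected: ', get_class($e), "\n";
}
```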

That is it for this part of the series.

Chrys

