

PHP Variable Basics and Security Risk

PHP Variables with Security Considerations - Part 1

Foreword: In this part of the series, I give you the basics of variables in PHP. At the end of the tutorial, I present a security risk and solution.

By: Chrysanthus Date Published: 17 Oct 2018

Introduction

This is the first part of my series, PHP Variables with Security Considerations. In this part of the series, I give you the basics of variables in PHP. At the end of the tutorial, I present a security risk and solution.

This series is part of a volume. You should be reading the series in the order given, if you are new to PHP.

A Variable
A variable in PHP holds an entity. A variable begins with the dollar ($) sign and is followed by the name of the variable. A valid variable name starts with a letter or underscore, followed by any number of letters, numbers, or underscores. Try the following code, where the first variable has the value NULL because it is never initialized (reading it also produces an undefined-variable notice, which PHP 8 reports as a warning):

<?php

    $myVar;
    $yourVar = 'We are the world.';

    echo $myVar, '<br>';
    echo $yourVar, '<br>';

?>

On my computer the NULL value was not printed (displayed). The purpose of '<br>' is to send the cursor to the next line at the output.

The name of a variable is case-sensitive. This means that $yourVar is not the same as $YOURVar, which is not the same as $yourvar, which is not the same as $YOURVAR, and so on.

Entities for Variable
A PHP variable can hold a value of any PHP data type: boolean, integer, float, string, array, object, resource and NULL. So, a value of any of these data types can be assigned to a variable.

The $this Variable
If you have read the previous series, you should have noticed the reserved variable, $this. It has a special use in Object Oriented Programming in PHP. So, you should not use this variable arbitrarily in your PHP code.

The unset() Function
The unset function destroys a variable. Try the following code:

<?php

    $var = 100;

    echo $var, '<br>';

    unset($var);

    echo $var;

?>

The second echo statement displays nothing.

Bare Variable
A bare variable is a variable without the dollar ($) sign. Try the following code:

<?php

    yourVar;

    echo yourVar;

?>

The output is:

    yourVar

A bare word that is never assigned a value is not really a variable: PHP treats it as the name of a constant. When no constant of that name exists, PHP 7 falls back to the bare word itself, in quotes (a string), and not NULL, while reporting an undefined-constant notice (a warning from PHP 7.2). PHP 8 no longer falls back and throws an Error instead, so this code does not run there.

Variable and Function
Try the following code and note that a variable declared outside (and before) a function definition cannot be seen inside the function:

<?php

    $var = 100;

    function aFn()
        {
            echo $var;
        }

    aFn();

?>

There was no output.

In order for such a variable to be seen inside the function you have to use the global reserved word, as follows (try the code):

<?php

    $var = 100;

    function aFn()
        {
            global $var;

            echo $var;
        }

    aFn();

?>

The output is now:

    100

Note the position of the reserved word, global. If you have more than one variable to be used this way, then the global declaration statement can list all of them. Try the following code:

<?php

    $var = 100;
    $variab = 'I love you.';

    function aFn()
        {
            global $var, $variab;

            echo $var, '<br>';
            echo $variab;
        }

    aFn();

?>

In the global statement, the variables are separated by commas. Note that the variables must still be declared outside the function definition.

Now, if unset() is used within the block of a function, the variable is destroyed only within that block of the function: the global keyword creates a local alias of the variable, and unset() removes that alias, so the variable outside the function is not destroyed. Try the following code:

<?php

    $var = 100;
    $variab = 'I love you.';

    function aFn()
        {
            global $var, $variab;

            echo $var, '<br>';
            echo $variab, '<br>';

            unset($var);

            echo $var, '<br>';
            echo $variab, '<br>';
        }

    aFn();

    echo $var;

?>

$var inside the function is not displayed, after unset, while $var outside the function is displayed.
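To make the alias behaviour explicit, here is an added example that is not part of the original tutorial. It goes one step beyond the text: besides showing that unset() on a globalized variable removes only the local alias, it shows that removing the entry from the $GLOBALS array does destroy the variable in the global scope (the function names dropLocalCopy and dropGlobal are my own).

```php
<?php
// Added example, not from the original tutorial: unset() on a globalized
// variable versus unset() on its $GLOBALS entry.

$var = 100;

function dropLocalCopy()
{
    global $var;          // $var here is a local alias of the global $var
    unset($var);          // destroys only this local alias
    return isset($var);   // false: the alias is gone inside the function
}

function dropGlobal()
{
    unset($GLOBALS['var']);   // removes the variable from the global scope itself
}

var_dump(dropLocalCopy());   // bool(false): local alias destroyed
var_dump(isset($var));       // bool(true): the global $var survived

dropGlobal();
var_dump(isset($var));       // bool(false): now the global $var is gone too

?>
```

The difference matters when a function is expected to clean up a global: unset($var) after global $var looks like it does so, but only the local name disappears.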

Initialization and its Effects
Initialization means, while you declare a variable (for the first time), you assign a value to it, as follows:

     $variab = 'I love you.';

It is not necessary to initialize variables in PHP. However, it is a very good practice. Uninitialized variables have a default value of their type depending on the context in which they are used: booleans default to FALSE, integers and floats default to zero, strings (e.g. when used in echo) are treated as an empty string, and arrays become an empty array (an array without elements). Of course NULL remains NULL.

Security Risk with included File
If a variable has been initialized, it means it has been assigned a value. Let us talk about two PHP files and see a problem that can occur due to unknown initialization.

Consider the PHP file,

<?php

    $arra = array('pen','book');

?>

This file defines an array with the name, $arra. Name the file, temp1.php.  Also consider the following file:

<?php

    include_once('temp1.php');

    echo $arra[0], '<br>';

    $arra = 2;

    echo $arra, '<br>';

    //echo $arra[1], '<br>';

?>

This file begins by including the file, temp1.php, so that the included code runs as if it were placed at the top of this file's own code. Next it displays the value 'pen' from the array defined in the included file. It goes on to declare and initialize a new integer variable, but unfortunately with the same name as the array in the included file.

This new variable overrides the old variable with the same name; meaning, as you go downward, the value of the variable with the name, $arra, is 2 and not an array. Next, the code displays the value, 2. The last line should display the value, 'book', but it is commented out, so it is not executed at this point.

Give this second file, the name, temp.php . Save both files in the same directory. Run the file, temp.php. The output is:

    pen
    2

Now, remove the double forward slashes, //, from the last line, making it executable. Run the program again and note that there is a fatal error and the program does not even run. It is not in every situation that you get a fatal error and the program stops running. In some situations, the program continues to run and keeps giving wrong results (exploitable by a hacker).

Not knowing that a variable has been initialized is problematic in the case of including one file into another, which uses the same variable name.

To solve this problem, while you are writing the code (temp.php) use the isset() function to check if a variable has been assigned a value. That is, you check if a variable is already in use. If yes, choose a different variable name for your new variable.

The isset() function, returns true, if the variable has been set to anything other than NULL, or it returns false otherwise. The following code shows how the isset() function is used:

<?php

    $arra = array('pen','book');

    if (isset($arra))
        echo 'This variable has a value other than NULL, and you cannot use it.';
    else
        echo 'You can initialize and use this variable here';

?>

Note, if a variable was initialized (or finally assigned) to NULL, in the included file, then that is the same as not having the variable in the included file. So you can still use the variable in the new file.
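The following added example (my own code, not the tutorial's) applies the isset() check to the temp.php situation and goes one step beyond it: it takes a snapshot of the variables in scope with get_defined_vars() before and after the include, so the including file learns exactly which names the included file introduced, including names the include set to NULL, which isset() alone does not reveal. To stay self-contained it writes its own stand-in for temp1.php (named temp1_example.php) into the system temporary directory; the file name and the variable names $arra, $note and $count are assumptions for the demonstration.

```php
<?php
// Added example, not from the original tutorial: detect which variable
// names an included file defines, then guard a name before reusing it.

// Constructed stand-in for temp1.php: one array and one NULL-valued variable.
$includedFile = sys_get_temp_dir() . '/temp1_example.php';
file_put_contents(
    $includedFile,
    "<?php\n\$arra = array('pen', 'book');\n\$note = NULL;\n"
);

$before = get_defined_vars();   // names in scope before the include
include_once $includedFile;
$after = get_defined_vars();    // names in scope after the include

// Names present after the include but not before are the ones the include
// defined. $before itself appears only in $after, so drop it from the report.
$introduced = array_diff_key($after, $before);
unset($introduced['before']);
echo 'Names defined by the include: ', implode(', ', array_keys($introduced)), '<br>';
// prints: Names defined by the include: arra, note

// Guard each candidate name before initializing it in this file.
// isset() is false for $note because it holds NULL; array_key_exists() on
// the snapshot is the stricter test that still sees the NULL-valued name.
foreach (array('arra', 'note', 'count') as $name) {
    if (isset($$name)) {
        echo "\$$name already holds a non-NULL value; choose another name<br>";
    } elseif (array_key_exists($name, $after)) {
        echo "\$$name was defined by the include but is NULL; reusable, but note the clash<br>";
    } else {
        echo "\$$name is free<br>";
    }
}

unlink($includedFile);   // remove the constructed include file

?>
```

Running this reports $arra as taken, $note as NULL but already defined, and $count as free. Doing the snapshot comparison once, while writing the including file, tells you every name to avoid; the isset() test on its own is enough at run time only for names that the include sets to something other than NULL.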

Problem with Bare Variable
What is the point of having a variable without ever assigning a value to it? What is the point of having a variable whose value is its own name, and can never change?

Solution. Since this practice can only lead to confusion and wrong results, avoid using bare variables (bare words).

That is it for this part of the series. We stop here and continue in the next part.

Chrys

