The forums ran from 2008-2020 and are now closed and viewable here as an archive.

missing code in change form tutorial?

  • #25345
    SNelson
    Member

    Hi;
    Maybe I’m making a bigger deal out of this than necessary, but in both of the last 2 download demo files from Chris’ "Website Change Request Form" series (from the "Serious Security" and from the "Nice HTML EMail" posts) there’s an empty "if" block after the mail() function is called and I can’t figure out what *should* be there if it’s necessary at all. Here’s a snippet of the demo code (located after the mail() function is invoked and before the HTML part of the markup begins):

    Code:
    } else {
        if (!isset($_SESSION[$form.'_token'])) {
            //THIS LINE IS EMPTY IN THE DEMO FILES
        } else {
            echo "Hack-Attempt detected. Got ya!.";
            writeLog('Formtoken');
        }

    I’ve got a functioning contact form without this but it sort of seems to me that an "if" clause is put into code for a reason and I’d sorta like to know what the original intention of this check was.
    Thanks for any pointers!
    Steve

    #60142
    apostrophe
    Participant

    If you are referring to the "if" in the code block you posted then it is there to check that the variable has been set.
    http://php.net/manual/en/function.isset.php

    #60151
    SNelson
    Member

    Hi. Thanks for the reply:

    "apostrophe" wrote:
    If you are referring to the "if" in the code block you posted then it is there to check that the variable has been set.

    Yes. I understand that. What I don’t understand is what should happen if the "if" returns true.
    In other words..
    If the session variable does not exist…
    what should I do?
    just die()?

    Thanks

    #60152
    apostrophe
    Participant

    Well I haven’t seen the video or downloaded the demo but the point of if isset is to stop the script throwing an error by calling a variable that hasn’t yet been set.

    #60153
    SNelson
    Member

    Thanks again for your help and interest. I’m not a PHP whiz but I can generally grasp what’s going on if I stare at it long enough and dissect it methodically.

    "apostrophe" wrote:
    Well I haven’t seen the video or downloaded the demo but the point of if isset is to stop the script throwing an error by calling a variable that hasn’t yet been set.

    I think that sort of almost makes sense.
    :-)
    This is one of those combined scripts that has both the PHP form processing and the HTML form itself in the same file. (And the sort of code that tends to baffle me.)
    I presume that any PHP in such a file executes as soon as the file loads. Right?

    One of the security measures this script does is create a session, store a generated token in both a session variable and a hidden input field and compare them when the form is submitted, to thwart cross site scripting hacks.

    Since the token isn’t created until after the HTML part of the script begins, I gather the initial PHP must execute before the parser gets to the point at which the token is created.

    So there *would* have to be some mechanism to handle the unset variable at the very beginning, before the parser reaches the point at which the token is generated.
    It’s just that I’ve never encountered syntax like this script has:

    Code:
    if (!isset($_SESSION[$form.'_token'])) {

    } else {
        echo "Unable to send message.";
    }

    Are you saying that this by itself is enough to suppress errors if there’s no token yet?

    Code:
    if (!isset($_SESSION[$form.'_token'])) {

    }

    Hmm. It just seems to me that an "if" conditional statement needs *some* sort of action.
    Anyway – thanks. I’ll continue to be puzzled. Maybe my inability to grasp this is just my inexperience with PHP.

    Steve
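
One way to handle the branch the thread asks about, as an added example that is not from the thread or from the tutorial's demo files: a missing session token is rejected the same way as a mismatched one, so no branch is left empty. Only `$form` and the `_token` session key come from the posted snippet; the form name, the `token` field name and the use of `error_log()` in place of the demo's `writeLog()` are assumptions.

```php
<?php
session_start();

$form   = 'change_request';      // constructed form name (assumption)
$key    = $form . '_token';      // same session key shape as the posted snippet
$status = '';

/** True only when a session token exists and equals the submitted one. */
function tokenIsValid(array $session, array $post, string $key): bool
{
    // No token in the session means this browser was never served the form.
    // That is a failed check, not a case to skip silently.
    if (!isset($session[$key], $post['token']) || !is_string($post['token'])) {
        return false;
    }
    // hash_equals() compares the two strings in constant time.
    return hash_equals($session[$key], $post['token']);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (tokenIsValid($_SESSION, $_POST, $key)) {
        unset($_SESSION[$key]);  // one-time use: a replayed POST fails the check
        // Field validation and the mail() call belong here.
        $status = 'Message sent.';
    } else {
        http_response_code(400);
        error_log('Form token check failed for ' . $form);
        $status = 'Unable to send message.';
    }
}

// Issue a fresh token for the form that is about to be rendered.
$_SESSION[$key] = bin2hex(random_bytes(32));
?>
<p><?= htmlspecialchars($status) ?></p>
<form method="post">
    <input type="hidden" name="token" value="<?= htmlspecialchars($_SESSION[$key]) ?>">
    <textarea name="message"></textarea>
    <button type="submit">Send</button>
</form>
```

On the first GET the processing block is skipped entirely, so the unset session key is never read; the token check only runs on a POST.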
