8

I'm currently programming a website (in PHP4). I plan to save values, which do not change during runtime, in constants. Those are for example the version number of login-data for the database.

Question 1: are there any (security relevant) problems that can arise from saving data in constants?

At the moment I do the following to define and call the constant:

define("VERSION",   "1.0");
echo "Current version: ".VERSION."."; // Result: "Current version: 1.0."

There is one thing that annoys me: In case a constant is not defined, the "wrong" variable name is returned instead of e.g. NULL.

define("VERSION",   "1.0");
echo "Current version: ".VERSIONXXX."."; // Result: "Current version: VERSIONXXX."

One solution I found to get an error message and the return value "NULL" when I accidentally entered a wrong constant name is using the function constant():

define("VERSION",   "1.0");
echo "Current version: ".constant("VERSIONXXX")."."; // Result: "Current version: ."

Question 2: Can I prevent, in a different way, PHP from returning the name of the non-existing variable?

Question 3: Should the value of a constant in PHP always be returned using the function constant()?

danielrsmith
R_User

3 Answers

6
  1. If you attempt to use a constant that does not exist, PHP automagically assumes it is a string instead, which is why you see VERSIONXXX.

  2. IIRC it throws a warning if your error reporting is at the appropriate level. The best solution here is to ensure your code utilizes the proper constant names.

  3. If you know the name of the constant, it's easiest/best to use it directly. echo MY_CONSTANT
    If you don't know the name of the constant (e.g. its name is in a variable), use constant():

    $name = 'MY_CONSTANT';
    echo constant($name);
simshaun
3

In reverse order:

Question 3: No

Question 2: Not really, but you can make adjustments.

because of (Question 1:) error_reporting. Your PHP webserver is configured to hide some errors. If you add

error_reporting(E_ALL);

to your script's head, you will get a

Use of undefined constant MY_CONST - assumed 'MY_CONST'

Error. Unfortunately it's a problem coming out of PHP's long history, that constants can be interpreted as strings.

If you cannot be sure a constant was set in the first place, you can use defined

if (defined('MY_CONSTANT')) {
     //do something
}

But in my personal opinion there shouldn't be many cases that need this, since the word constant alone implies a guaranteed presence. The only exception I can think of is the typical header test.

if(!defined('MY_APP_IS_PRESENT')) {
    die('You can not call this file on its own, please use index.php.');
}

And one last tip: Go and make yourself an error handler function, maybe even with firephp?

FloydThreepwood
1

Well, you could always use the defined function to make sure the constant exists. Combined with a ternary statement, you could simply echo an empty string, something like:

echo defined('VERSION') ? VERSION : "";

Not the best answer, but workable?

PHP manual for defined() is at http://php.net/manual/en/function.defined.php

Tieson T.
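
Pulling the three answers together, as an added example that is not code from any poster in this thread: full error reporting, an error handler that stops on a mistyped constant, and a lookup that checks defined() before constant(). It assumes PHP 7.0 or later (the question targets PHP4); `cfg()` and `DB_USER` are hypothetical names and the values are constructed samples.

```php
<?php
// Added example. Assumes PHP 7.0+; cfg() and DB_USER are hypothetical names.

error_reporting(E_ALL);           // report every diagnostic, including undefined constants
ini_set('display_errors', '0');   // keep diagnostics (paths, constant names) out of the page
ini_set('log_errors', '1');       // and send them to the server log instead

// Turn every reported diagnostic into an exception, so a mistyped constant
// stops the request instead of silently becoming the string 'VERSIONXXX'.
// PHP < 7.2 reports the typo as E_NOTICE, 7.2-7.4 as E_WARNING;
// PHP 8 throws an Error for it without any handler.
set_error_handler(function ($severity, $message, $file, $line) {
    if (!(error_reporting() & $severity)) {
        return false;             // not reported by configuration: use PHP's default handling
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

define('VERSION', '1.0');
define('DB_USER', 'app_reader');  // constructed sample value

// Look up a constant whose name is only known at run time, and fail loudly
// if it is missing rather than returning NULL or the bare name.
// The exception carries the constant's name only, never its value.
function cfg(string $name)
{
    if (!defined($name)) {
        throw new LogicException("Undefined configuration constant: $name");
    }
    return constant($name);
}

echo 'Current version: ' . cfg('VERSION') . ".\n";

try {
    echo cfg('VERSIONXXX');       // deliberate typo
} catch (LogicException $e) {
    error_log($e->getMessage());  // detail goes to the log
    echo "Configuration error.\n"; // the visitor sees a generic message
}
```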