-2

My websites have been using a php access control system for years. A recent "upgrade" to php 8.1 has caused the warning in the title to appear. I believe the code is still doing what it's supposed to, but the warnings get seen by the user, so I need to make them go away. Here's an example of my code that results in the warning.

// Check for credentials in the just-posted form or an existing session
// echo "Checking for credentials...<br>";
 $uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
 $pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];

// echo "Found  " & '$uid' & "<br>";

if(!isset($uid)) {   // No credentials already set
//  echo "No credentials found <br>";
// Present some HTML here to collect username and pwd to try again.

I tried the despised approach of using "@" to suppress the warning:

$pwd = @isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];

Didn't help. What's a good way out of this mess?

[UPDATE] Not very elegant but this works.

if (empty($_POST['uid'])) {
if (empty($_SESSION['uid'])) {
    unset($uid);
} else {
    $uid = $_SESSION['uid'];
}    
} else {
    $uid = $_POST['uid'];   }
    
if (empty($_POST['pwd'])) {
    if (empty($_SESSION['pwd'])) {
    unset($pwd);
 } else {
    $pwd = $_SESSION['pwd'];
 }   
} else {
    $pwd = $_POST['pwd'];   }

if(empty($uid)) {   //// No credentials
//  echo "No credentials found <br>";

[SOLUTION] @Vee had the more elegant approach I was hoping for:

$uid = ($_POST['uid'] ?? ($_SESSION['uid'] ??''));      
$pwd = ($_POST['pwd'] ?? ($_SESSION['pwd'] ??''));
Wayne Henderson
  • 229
  • 3
  • 9
  • 4
    The error comes from the `$_SESSION` array, not `$_POST`. – Markus Zeller May 26 '22 at 15:36
  • 2
    Warnings should **never** be shown to users; they are for you, the developer. Find your PHP configuration, and change [the `display_errors` setting](https://php.net/display_errors) to "Off". Then check the settings related to *logging* warnings and errors, and regularly check that file. – IMSoP May 26 '22 at 15:39
  • Welcome to the super idea behind php 8: what before was considered a feature (not showing warning for undefined variables) now is a bug (warning is issued). They did a great job breaking the back compatibility for such a stupid thing. – Jack May 26 '22 at 15:43
  • 1
    @Jack php shows undefined key since at least version 4 (or even 3).... – Iłya Bursov May 26 '22 at 15:44
  • @IłyaBursov sure. Not as a warning. – Jack May 26 '22 at 15:50
  • 1
    @Jack what is the display difference between notice and warning? – Iłya Bursov May 26 '22 at 15:51
  • I prefer !empty. myself, but as Markus said, you need to be applying it to both $_POST and $_SESSION. You can created a nested ternary or do another ternary to create a variable from the $_SESSION – aynber May 26 '22 at 15:52
  • This should be displayed error since before PHP 8 but it is at **notice** level as I checked in PHP 7. The notice level is for developers to notice it and recommended to fix if possible. The warning level means developers should fix as soon as possible. – vee May 26 '22 at 15:53
  • @IłyaBursov you want to know the other warnings, and you usually don't care about notices. Silencing warnings is not something you want to do – Jack May 26 '22 at 15:54
  • @Jack I (and everybody I worked with) care about notices, because they can hide warnings, and in general undefined key is very dangerous, as quite often it indicates typo in key name – Iłya Bursov May 26 '22 at 15:56
  • @vee `The notice level is for developers to notice it and recommended to fix if possible. The warning level means developers should fix as soon as possible` I 100% disagree with that, can you give any supporting evidences for that claim? – Iłya Bursov May 26 '22 at 15:56
  • @IłyaBursov a notice is a notice, they don't hide nothing but a notice. And before starting a no-sense discussion, please note that was the language itself that's been using a separation between notice and warning for 20 years; changing what before was a notice to a what now is a warning is just another proof of php developers amateurishness. I can cite dozens of complete no-sense. – Jack May 26 '22 at 16:01
  • @IłyaBursov You may leave the errors and do nothing, that's fine. No one force you to fix it. – vee May 26 '22 at 16:02
  • 1
    @vee my point was the opposite, you're saying that notices are optional, warnings - as soon as possible, errors - even sooner. I'm saying that all of them must be fixed – Iłya Bursov May 26 '22 at 16:05
  • 1
    @Wayne Henderson Since you are using PHP 8+. Try this `$pwd = ($_POST['pwd'] ?? ($_SESSION['pwd'] ??''));`. – vee May 26 '22 at 16:16
  • @vee I had tried that but got the syntax wrong. Yours works and is the elegant solution I was going for. Thanks. – Wayne Henderson May 26 '22 at 23:20
  • @vee You don't need all the extra brackets, `??` has sane associativity, so `$pwd = $_POST['pwd'] ?? $_SESSION['pwd'] ?? '';` will work just as well. – IMSoP May 27 '22 at 13:31
  • @IMSoP Yes, I agree. The first time I test my code I don't have brackets too but... since PHP 8 I see [this](https://wiki.php.net/rfc/ternary_associativity), and [this](https://lindevs.com/nested-ternary-operators-requires-explicit-parentheses-in-php-8-0/). They are required nested ternary operator to be grouped with `(..)`. I know that `??` is different as I agree with you but I just don't feel well with PHP about this. :-D So, I group it. But it is no need yes. – vee May 27 '22 at 15:44

0 Answers0