Given that PHP is already setting those superglobals, I don't think it's evil to modify them. In some cases, it may be the best way to solve problems... particularly when dealing with third party code that you cannot easily modify. (They might use $_GET
directly or assume some key exists in $_SERVER
, etc.)
However, generally speaking, I think it's a bad practice when you are writing your own code. Modifying the $_REQUEST
data with some behind the scenes filter that runs on every page automatically is likely to introduce side effects. (See all the problems that "magic quotes" caused for proof.)
So if you aren't going to do that (automatically filter the superglobals), then the following doesn't give you any benefits:
$_POST['foo'] = filter($_POST['foo']);
when you can easily just do:
$foo = filter($_POST['foo']);
I think it's much more clear to make the site-wide distinction that $_POST
and $_GET
are always unfiltered, untrusted data, and they should never be used as-is.
By copying the filtered value to another variable, you are making the claim that, "I understand what I'm doing... I've filtered this input, and it's safe to use."
It's anyways bad practice to initialie a char array with a string literal.
The author of that comment never really justifies it, and I find the statement puzzling.
In C (and you've tagged this as C), that's pretty much the only way to initialize an array of char
with a string value (initialization is different from assignment). You can write either
char string[] = "october";
or
char string[8] = "october";
or
char string[MAX_MONTH_LENGTH] = "october";
In the first case, the size of the array is taken from the size of the initializer. String literals are stored as arrays of char
with a terminating 0 byte, so the size of the array is 8 ('o', 'c', 't', 'o', 'b', 'e', 'r', 0). In the second two cases, the size of the array is specified as part of the declaration (8 and MAX_MONTH_LENGTH
, whatever that happens to be).
What you cannot do is write something like
char string[];
string = "october";
or
char string[8];
string = "october";
etc. In the first case, the declaration of string
is incomplete because no array size has been specified and there's no initializer to take the size from. In both cases, the =
won't work because a) an array expression such as string
may not be the target of an assignment and b) the =
operator isn't defined to copy the contents of one array to another anyway.
By that same token, you can't write
char string[] = foo;
where foo
is another array of char
. This form of initialization will only work with string literals.
EDIT
I should amend this to say that you can also initialize arrays to hold a string with an array-style initializer, like
char string[] = {'o', 'c', 't', 'o', 'b', 'e', 'r', 0};
or
char string[] = {111, 99, 116, 111, 98, 101, 114, 0}; // assumes ASCII
but it's easier on the eyes to use string literals.
EDIT2
In order to assign the contents of an array outside of a declaration, you would need to use either strcpy/strncpy
(for 0-terminated strings) or memcpy
(for any other type of array):
if (sizeof string > strlen("october"))
strcpy(string, "october");
or
strncpy(string, "october", sizeof string); // only copies as many characters as will
// fit in the target buffer; 0 terminator
// may not be copied, but the buffer is
// uselessly completely zeroed if the
// string is shorter!
Best Answer
I would agree that this is not a good idea. Even if the language you're using defines what should happen in this situation (I don't know if PHP does; that's a question for StackOverflow) most people who see code like this would still have to look up whether or not it's defined behavior before they could have any confidence in it.
If the list of desired modifications is typically much smaller than the array being modified, I would always prefer using a temporary array to contain the desired modifications until the iterating is complete, just like your first example. If you're running out of memory doing that, that tells me you're modifying such a huge portion of the array that you'd be better off with a map operation (I believe PHP calls it
array_map
) that's designed to efficiently modify all elements without any risk of processing an element more or less than one time.