Code like this can be seen on SO a lot of times:
    header("Location: $_SERVER[HTTP_REFERER]");

    echo "$array['variable'] ";

    $test = "$array[USERID]$array[display]";
What’s wrong with it?
First of all, it’s the very opposite of clean and proper code style.
Properly:
    echo $array['variable'] . " ";
…is the way to go.
Is it only style or is there a serious problem with it?
Yep, the serious issues come in when using associative arrays without quotations, like in the first example:
    header("Location: $_SERVER[HTTP_REFERER]");
What is happening?
Using an associative array without putting quotes around the element means the element is defined by a constant. Consider the following example:
    <?php
    define('TEST', 1234);

    $array = array(
        'TEST' => 'left',
        1234   => 'right'
    );

    // Surprise:
    echo $array[TEST];
    echo ' ';
    echo $array['TEST'];
What do you think is the output of this?
Try it and see why you should use quotes and concatenate strings properly!
P.S. Using the Referer directly in a header() function, without validating the user input, leaves your script open for header injection!
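
One way to validate the Referer before it reaches header(), as an added example that is not part of the original post. The function name safe_redirect_target, the allow-listed host www.example.com and the fallback path "/" are assumptions for illustration, and the sample inputs are constructed.

```php
<?php
// Added example; safe_redirect_target(), the allow-list and the fallback
// path are illustrative assumptions, not code from the original post.
function safe_redirect_target(?string $referer, array $allowedHosts, string $fallback = '/'): string
{
    if ($referer === null || $referer === '') {
        return $fallback;
    }
    // CR, LF and other control characters are what header injection needs
    // to start a new header line, so reject them outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $referer)) {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    // Exact match against an allow-list of our own hosts, so the redirect
    // cannot send the visitor to an arbitrary third-party site.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback;
    }
    // Rebuild a site-relative target from the validated parts only. Leading
    // slashes and backslashes are collapsed so "//host" cannot slip through.
    $target = '/' . ltrim($parts['path'] ?? '', '/\\');
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    return $target;
}

// Constructed sample inputs: one acceptable Referer and four that must not
// be passed through unchanged.
$allowed = ['www.example.com'];
$samples = [
    'https://www.example.com/profile?id=7',
    "https://www.example.com/\r\nX-Injected: 1",
    'https://other.example.net/page',
    'https://www.example.com//other.example.net/',
    null,
];
foreach ($samples as $s) {
    echo json_encode($s), ' => ', safe_redirect_target($s, $allowed), "\n";
}
// In a real script:
// header('Location: ' . safe_redirect_target($_SERVER['HTTP_REFERER'] ?? null, $allowed));
```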