2

Is it a good or bad practice to authenticate and then just exit() the function or to wrap the whole result of the authentication in an if statement? Example

function foo($uid)
{

    $allowed = $auth->checkIfAllowed($uid);

    if ($allowed == false) exit();

        //continue with senstive code here

    }
}

OR

function foo($uid)
{

    $allowed = $auth->checkIfAllowed($uid);

    if ($allowed == true)
    {
        // do sensitive stuff
    } 
}
Improve this question
3
  • Your two samples do different work. The first terminates code execution, and the second - doesn't Commented Jan 15, 2012 at 0:37
  • 1
    I personally do not like "early returns" in any language. There are cases when they can make the code more clear, but I like to "read the indents" (of which the post has none of -- grr!) and keep it consistent. Commented Jan 15, 2012 at 0:40
  • 1
    What about if the code in the indents are long? For me it feels tacky to have many lines of code within an if statement.. but maybe thats just me. Commented Jan 15, 2012 at 0:50

4 Answers 4

Reset to default
4

I would like to take this opportunity to talk about exit; (as others have stated both work, the second is more explicit then the first, and give you the opportunity to send a nice error message to the user). My main beef (I have several with exit;) is that people should stop using it in libraries, i.e. code that can/will be used in other projects... You know how irritating it is to debug those? Throw exceptions, trigger fatal errors, but give me something with a description.

/rant

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Thanks for the rant! I'm actually planning on throwing an exception if the user is not allowed, but while you are here, do exceptions stop execution of the rest of the code like exit does?
@Wrikken Do you think we'll ever see a day when all the online PHP tutorials promoting the do_something() or die("oops"); method of error handling have gone away? It brings me to tears to see that so commonly here on SO.
Only until they are catched, and it they're not catched, execution will still halt, but I have a nice error message in my error logs I can monitor for, with a description and a location.
@Michael: yep, even in the official docs, all with the excuse 'it is just example code, not something you would use in real life', and see what happened... Sad, sad state of affairs.
Yeah, they don't realize that most people start their PHP learning by copying and pasting those very tutorials.
3

Your examples are equivalent.

However, it's not usually useful to the end user to just exit the script abruptly. Instead, send your user a useful error message printed in HTML rather than the plain text you would get from a die() call, for example.

function foo($uid)
{

  $allowed = $auth->checkIfAllowed($uid);

  if ($allowed == false)
  {
    $errormsg = "You are not allowed to view this page";
  }

  else 
  { 
    //continue with senstive code here    
  }
}

Later, print the error in HTML, rather than just aborting the script:

<div class='error'><?php echo $errormsg; ?></error>
Improve this answer

Comments

0

Either or. I don't think it'll make a difference. It relatively the exact same thing. In programming there are many ways to program things, never on right way in most instances.

Improve this answer

Comments

0

They are absolutely the same. The indentation and coding style is the only difference. In both cases the sensitive code won't execute unless the authentication is done successfully.

It's usually better to be expressive in your code though, so I'd recommend the second method.

Improve this answer

2 Comments

The reason I ask the question is because the first method just makes the code cleaner.. especially when there is alot of code in the if statement. I don't have to worry about the closing bracket hiding from me :)
I know. If you ARE going to use the first method, you should ALWAYS do it in a way that some meaningful feedback is generated. Trigger an error by trigger_error or better still, use a throw new Exception(). But don't just cut off execution. By throwing an exception, you will halt execution, and you are giving the person calling your function an opportunity to catch that exception and deal with the error (or simply send it to the user as a feedback or ignore it and log it somewhere), and it will be traceable.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.