I made a calculator

```php
<?php
error_reporting(-1);
ini_set('display_errors', 'On');
header('Content-Type: text/html; charset=utf-8');
?>
<form action="" method="POST" style="border: 1px solid red; width: 400px; float: left;">
  <div style="width: 300px;">Введите число 1 <input type="text" name="number1"></div>
  <div style="width: 300px;">Введите число 2 <input type="text" name="number2"></div>
  <div class="operator" style="padding: 10px 0;">
    Выберите знак оператора<br>
    <label>плюс <input type="radio" name="op" value="+"></label> |
    <label>минус <input type="radio" name="op" value="-"></label> |
    <label>умножить <input type="radio" name="op" value="*"></label> |
    <label>разделить <input type="radio" name="op" value="/"></label> |
  </div>
  <input type="submit" name="submit" value="Получить результат">
</form>
<div class="result" style="width: 200px; height: 100px; border: 1px solid red; float: left;">
  <span style="display: block; padding: 10px 0;">Результат</span>
<?php
// Returns a formatted string for the four known operators; the switch has no default branch
function calc($num1, $num2, $action = '+') {
    if (is_numeric($num1) && is_numeric($num2)) {
        switch ($action) {
            case '+':
                return $num1 . ' + ' . $num2 . ' = ' . ($num1 + $num2);
                break;
            case '-':
                return $num1 . ' - ' . $num2 . ' = ' . ($num1 - $num2);
                break;
            case '*':
                return $num1 . ' * ' . $num2 . ' = ' . ($num1 * $num2);
                break;
            case '/':
                if ($num2 == 0) {
                    return 'На 0 делить нельзя';
                } else {
                    return $num1 . ' / ' . $num2 . ' = ' . ($num1 / $num2);
                }
                break;
        }
    } else {
        return 'Введите число';
    }
}

// Form handling: the operator comes straight from the POST body
if (isset($_POST['number1'], $_POST['number2'])) {
    if (isset($_POST['op'])) {
        echo calc($_POST['number1'], $_POST['number2'], $_POST['op']);
    } else {
        echo calc($_POST['number1'], $_POST['number2']);
    }
}
?>
</div>
```

And they tell me that I didn't specify a default, and that because of this there are vulnerabilities for hackers.

I quote: Suppose I send action = "aaa" and a logical error occurs because you have no default. A default should be added to provide different behavior. Your question: why do hackers fake forms? Well, in order to hack sites. A default alone would fix it.

And what can I write in default, I do not know.

////////////////////////////////

They also write to me

In this case, the absence of a default causes the function to return nothing, that is, to return NULL. And you do echo NULL, which is not good.

//////////////////////////////////////////

Well, if you pass action = "blabla", you have an unhandled situation!

This is the situation: when you write code, you should always control the values that the function can return. Either it is the error text, or a number, or NULL; NULL is returned when you send blabla.

1) When you handle the 'blabla' event, you understand that anyone, including you, can edit any form and send whatever data they want.
2) By handling this behavior, you immediately learn to write code correctly, with all the script's behaviors under control.

/////////////////////////

But I do not understand how it can return NULL if the result is output?

I still did not understand how to do it right.

Well, at the end I will write

default: return "Invalid input";

So, what is next?

  • What is the question "what's next?" - u_mulder
  • Now wait. Very soon. - vp_arth
  • break after return will never be executed ... - vp_arth
  • Better, instead of the Некорректный ввод, put the default label next to the case '+' label; then addition will be performed on blabla, which is defined in the function signature as the default action - vp_arth

2 answers

In general, as I see it, nothing terrible will happen. Though I am not a PHP master, still. However, there are coding standards (PSR-0, PSR-1, PSR-2, PSR-3, PSR-4); read them. They are available in Russian. For switch, the following is indicated:

  • If there is an appropriate comment, blocks that pass control down are allowed;
  • It is recommended to always set the default block, which would report an error in cases where the hit on it should be excluded, but nonetheless took place;
  • If you need to create any variables, then put all the corresponding code inside case blocks.

Example:

```php
switch (...) {
    case 1:
        ...
        // CONTROL FALLS THROUGH
    case 2: {
        $v = get_week_number();
        ...
    }
    break;
    default:
}
```

Source: https://www.opennet.ru/docs/RUS/php_code_standart/format.switch.html. But it is better to google PSR-0, PSR-1, PSR-2, PSR-3, PSR-4.

Thus, I believe that in some cases it will protect from something (although it is difficult to imagine such a situation in this particular case). I understand that one wants to understand everything completely and have a complete picture.

Much more dangerous is receiving variables from the form without protection from SQL injection (but that does not apply to this case either).

With an unknown action, you need to return num1; that is, from the calculator's logic the input value remains unchanged. For default, `return $num1;`
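As an added illustration of the first answer's recommendation (a default block that reports an error) and of the asker's own `default: return "Некорректный ввод";`, here is a rewritten `calc()` that is not code from the question or either answer. It assumes the same form field names (`number1`, `number2`, `op`) and the same Russian messages; the constant `OPERATORS` and the typed signature are my additions. The point it demonstrates is the one from the comments: every path out of the function returns a string, so a forged `op` value can never make `echo` print NULL, and a declared `: string` return type turns any forgotten path into a loud TypeError instead of a silent NULL.

```php
<?php
// Added example (not the asker's code): calc() with an explicit default
// branch, an operator whitelist and a string return type on every path.
declare(strict_types=1);

// The only operator values the form is allowed to send (assumed list).
const OPERATORS = ['+', '-', '*', '/'];

function calc(string $num1, string $num2, string $action = '+'): string
{
    if (!is_numeric($num1) || !is_numeric($num2)) {
        return 'Введите число';
    }
    if (!in_array($action, OPERATORS, true)) {
        // A request with an operator the form never offers (e.g. op=blabla):
        // report it instead of falling out of the switch with NULL.
        return 'Некорректный ввод';
    }

    // is_numeric() guarantees a numeric string; "+ 0" yields int or float.
    $a = $num1 + 0;
    $b = $num2 + 0;

    switch ($action) {
        case '+':
            $result = $a + $b;
            break;
        case '-':
            $result = $a - $b;
            break;
        case '*':
            $result = $a * $b;
            break;
        case '/':
            if ($b == 0) {
                return 'На 0 делить нельзя';
            }
            $result = $a / $b;
            break;
        default:
            // Unreachable because of the whitelist above, but kept as the
            // PSR-style "should never happen" guard: if someone adds an
            // operator to OPERATORS without a case, this branch reports it
            // rather than letting $result be undefined.
            return 'Некорректный ввод';
    }

    return "$a $action $b = $result";
}

// Form handling. POST values may also arrive as arrays (number1[]=x), so
// only plain strings are accepted; anything else is treated as empty input.
function postString(string $key): string
{
    $value = $_POST[$key] ?? null;
    return is_string($value) ? $value : '';
}

if (isset($_POST['number1'], $_POST['number2'])) {
    $action = isset($_POST['op']) ? postString('op') : '+';
    // Escape on output as a habit, even though calc() only ever returns
    // numbers and fixed messages.
    echo htmlspecialchars(
        calc(postString('number1'), postString('number2'), $action),
        ENT_QUOTES,
        'UTF-8'
    );
}
```

With this version, `op=blabla` produces the message `Некорректный ввод`, `number1[]=1` is rejected as `Введите число` instead of triggering an "Array to string conversion" warning, and because the function is declared `: string`, PHP itself refuses to let it return NULL if a future edit drops a branch. The second answer's alternative (`default: return $num1;`) would be a different, deliberate choice about what the calculator shows; the important property shared by both is that the unknown-operator case is handled explicitly rather than left to fall through.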