Our Ramblings

A look at some useful PHP functions. isset() vs empty() vs is_null()

We're currently developing a new system in collaboration with our partners at 802 Works – Redefining Wireless. As part of that, we're designing a new system for administering wireless networks and maximising the marketing leverage that can be gained from them. That job involves writing quite a lot of PHP pages and scripts, so we thought we'd share a short tip on PHP variable declaration.

We're going to look at the different ways a variable can be empty in this post. PHP has several constructs for testing a variable; three useful ones are isset(), empty() and is_null(). Each of these returns a boolean value (either true or false).

Let's take a look at each of them in a little more detail:

isset()

From the bible of PHP, the PHP manual, isset's job is to "determine if a variable is set and is not NULL". In other words, it returns true only when the variable exists and holds a value other than null.

empty()

Again from the PHP manual, empty's job is to "determine whether a variable is empty". In other words, it returns true if the variable is an empty string, false, array(), NULL, "0", 0, 0.0 or an unset variable.

is_null()

Finally, from the PHP manual, is_null's job is to "find whether a variable is NULL". In other words, it returns true only when the variable is null.

You may now be thinking that is_null() is the opposite of isset(), and broadly speaking you'd be correct. There is one difference, however: isset() can be applied to undeclared variables, but is_null() only to declared variables (calling is_null() on an undeclared variable raises an undefined-variable notice and returns true).

The table below is an easy reference for what these functions will return for different values.

Value of variable ($var)                             | isset($var) | empty($var) | is_null($var)
-----------------------------------------------------|-------------|-------------|--------------
"" (an empty string)                                 | bool(true)  | bool(true)  | bool(false)
" " (space)                                          | bool(true)  | bool(false) | bool(false)
FALSE                                                | bool(true)  | bool(true)  | bool(false)
TRUE                                                 | bool(true)  | bool(false) | bool(false)
array() (an empty array)                             | bool(true)  | bool(true)  | bool(false)
NULL                                                 | bool(false) | bool(true)  | bool(true)
"0" (0 as a string)                                  | bool(true)  | bool(true)  | bool(false)
0 (0 as an integer)                                  | bool(true)  | bool(true)  | bool(false)
0.0 (0 as a float)                                   | bool(true)  | bool(true)  | bool(false)
var $var; (a variable declared, but without a value) | bool(false) | bool(true)  | bool(true)
NULL byte ("\0")                                     | bool(true)  | bool(false) | bool(false)

I have tested the above values in PHP 7.1.9, which was released on September 1, 2017.
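As an added example (not code from the original post), the script below runs the three checks over constructed request input and shows why empty() is a poor "required field" test: it rejects a legitimate "0". The $input array stands in for $_GET or $_POST; the function names are our own.

```php
<?php
// Added example, not from the original post: how isset(), empty() and
// is_null() behave on typical request input, plus a stricter presence check.

// is_null() on an undefined key raises a notice, so guard it with
// array_key_exists(); isset() and empty() need no such guard.
function describe(string $name, array $src): array
{
    return [
        'isset'   => isset($src[$name]),
        'empty'   => empty($src[$name]),
        'is_null' => array_key_exists($name, $src) ? is_null($src[$name]) : 'n/a',
    ];
}

// empty() treats "0" as empty, so a quantity or flag of "0" would be
// rejected. Check presence, type and length explicitly instead. The
// is_string() test also rejects array input such as ?qty[]=1.
function isPresent(string $name, array $src): bool
{
    return isset($src[$name]) && is_string($src[$name]) && $src[$name] !== '';
}

// Constructed sample input standing in for $_GET / $_POST.
$input = ['qty' => '0', 'note' => '', 'tag' => ' ', 'id' => null, 'ids' => ['1']];

foreach (['qty', 'note', 'tag', 'id', 'ids', 'missing'] as $k) {
    $d = describe($k, $input);
    printf("%-8s isset=%-5s empty=%-5s is_null=%-5s present=%s\n",
        $k,
        var_export($d['isset'], true),
        var_export($d['empty'], true),
        var_export($d['is_null'], true),
        var_export(isPresent($k, $input), true));
}
```

Only "qty" and "tag" pass isPresent(); "qty" would have been thrown away by a plain !empty() check even though it carries a real value.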

Web Security – The Problem

Web security has changed a lot in the past few years. It is no longer good enough to take a desktop antivirus scan engine and scan web content. URL filtering isn't enough. It is not enough to put HTTP security on your corporate gateway.

The reason it's not good enough to have an HTTP security gateway should be rather obvious. People go home. People travel. People work at client sites. People work at Starbucks. An increasingly mobile workforce necessitates a mobile security solution.

URL filtering isn't enough. URL filtering is reactionary and there are many new sites each day. When a legitimate site is compromised, URL filtering can categorise it as a malware-serving site and block it. But how quickly will the site be rechecked after the infection has been cleaned up? Viruses are showing up on otherwise legitimate sites.

Sites can be compromised through a lack of patching or through SQL injection. In several cases advertising networks have inadvertently included malicious content. Some sites are potentially insecure by design: Web 2.0 sites accept user-provided content with few controls in place. While some URL filtering solutions are better than others, URL filtering is an incomplete solution at best.

Some web security solutions are merely URL filtering combined with a desktop antivirus engine. I don’t think we need to rehash the failure of the antivirus engine. But there is better technology.

The best web security solutions (such as the Rustyice Solutions solution) include zero-day protection as more than a marketing term. A web malware scanner looks at the context of the file: the site it's on, the number of requests for the file, the history.

It then runs the file through heuristics in a way that is much more accurate than any desktop heuristic.

The web is a ready avenue of attack. Strengthened defences against email and network attacks have left HTTP the prime target for attackers.

It's a good time to be looking at alternative solutions. I think that SaaS web security has hit the sweet spot in what Gartner would call the hype cycle: it's at that point where you're still on the leading edge but not on the bleeding edge.

How to recognise security vulnerabilities in your IT systems

As IT systems continue to extend across multiple environments, IT security threats and vulnerabilities have likewise continued to evolve.

Whether from the growing insider threat of rogue and unauthorised internal sources, or from the ever increasing number of external attacks, organisations are more susceptible than ever to crippling attacks. It’s almost become simply a matter of “when it will happen” rather than “if it will happen.”

For IT resellers, security issues have always been a critical part of every conversation with an organisation's IT department.

However, with the increase in the levels of access to a company's network, compounded by these maturing threats, it is no longer enough merely to recognise the existence of the simpler, perimeter threats.

Resellers must be able to provide customers with a comprehensive risk assessment covering the vulnerabilities of all of an organisation's IT assets, both software and hardware.

This risk assessment must incorporate an understanding of external threats and internal vulnerabilities and how the two continue to merge to create increasingly susceptible IT environments.

At the most basic level, organisations and resellers alike must understand the different types of threats. Malware, a generic term for malicious software such as trojan horses, worms and viruses, is the most common form of attack originated by external attackers. Malware attacks have persisted for years – from the infamous Morris worm to common spyware attacks – and they remain the easiest and most damaging tactic deployed by malicious hackers.

With enterprises extending to the cloud, and more organisations adopting SaaS-based applications, social media and other Web 2.0 tools, damaging malware attacks and viruses can now originate through simple spam messages and emails.

Internally, organisations are typically susceptible to threats from either authorised rogue users who abuse privileged accounts and identities to access sensitive information, or unauthorised users who use their knowledge of administrative credentials to subvert security systems. It is this type of vulnerability – unauthorised internal access – that has continued to emerge as the most volatile and disruptive.

To truly understand the risks involved with these “insider threats”, organisations and resellers need to understand the root of the vulnerabilities.

Most commonly, the risks lie with the use of embedded credentials, most notably hard-coded passwords, a practice employed by software developers to provide access to administrators during the development process. The practice occurs frequently because application developers tend to be more focused on the development and release cycle of the application than on any security concerns. While it may appear harmless at first glance, it is extremely risky, as it can potentially provide unauthorised users with powerful, complete access to IT systems.

To compound the matter, by hard-coding passwords to cover embedded credentials, vendors create a problem that cannot be easily fixed or assuaged by tools such as Privileged Identity Management systems. Once embedded into an application, the passwords cannot be removed without damaging the system. At the end of the day, the passwords provide malicious outsiders with a bull's-eye target – a key vulnerability to leverage to gain powerful access and control on a target device, and potentially throughout the entire organisation.

One of the most well-known examples is the Stuxnet virus. We've all been blown away by the design of Stuxnet, and were surprised by the pathway the virus took in targeting SCADA systems. Reflection shows that the virus used the hard-coded password vulnerability to target these systems – which should serve as a lesson for all businesses.

The existence of vulnerabilities embedded within these types of systems is not necessarily new, but the emergence of new threats continues to shed light on the ease with which they can be leveraged for an attack. While malicious outsiders and insiders have often focused on the administrative credentials of typical systems like servers and databases, in reality IT organisations need to identify every asset that has a microprocessor, memory or an application/process. From copiers to scanners, these devices all have similar embedded credentials that represent significant organisational vulnerabilities.

While steps can be taken to proactively manage embedded credentials without hard-coding them in the first place – Privileged Identity Management tools can help – the onus is on the organisation, and the reseller, to ensure that a holistic view of all vulnerabilities and risks has been taken.
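As an added illustration (not code from the original post or from any vendor named in it), the snippet below shows the hard-coded credential pattern discussed above beside a version that supplies the secret at deploy time so it can be rotated without a code change. The host, user, password, environment variable name and file path are all constructed assumptions.

```php
<?php
// Added example, not from the original post: an embedded credential beside
// a version that keeps the secret out of the code base.

// BEFORE: the password is part of the source. It ships with every copy of
// the application, lands in version control and cannot be rotated without
// editing and redeploying code, which is the problem described above.
function connectHardCoded(): array
{
    return ['host' => 'db.internal', 'user' => 'admin', 'pass' => 'Sup3rS3cret!'];
}

// AFTER: the password is provided by the deployment environment. The
// variable names DB_PASSWORD_FILE / DB_PASSWORD are assumptions.
function loadDbPassword(): string
{
    // Prefer a secret file mounted by the platform (stays out of `ps` and
    // process environment dumps)...
    $file = getenv('DB_PASSWORD_FILE');
    if ($file !== false && is_readable($file)) {
        $pass = rtrim((string) file_get_contents($file), "\r\n");
    } else {
        // ...and fall back to a plain environment variable.
        $pass = getenv('DB_PASSWORD');
    }
    // Fail loudly on a missing or empty secret instead of silently
    // connecting with '' (note that empty() would also treat "0" as unset).
    if ($pass === false || $pass === '') {
        throw new RuntimeException('DB_PASSWORD is not configured');
    }
    return $pass;
}

function connectFromSecrets(): array
{
    // A least-privilege application account rather than 'admin'.
    return ['host' => 'db.internal', 'user' => 'app', 'pass' => loadDbPassword()];
}

// Constructed demonstration: simulate the deployment supplying the secret.
putenv('DB_PASSWORD=example-only-rotate-me');
$cfg = connectFromSecrets();
printf("Connecting to %s as %s with a %d-character secret\n",
    $cfg['host'], $cfg['user'], strlen($cfg['pass']));
```

Unset DB_PASSWORD before running and the script throws instead of connecting, which is the behaviour you want in production.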

The SaaS Value Proposition

Despite the continuous growth and market adoption of Software as a Service (SaaS) solutions, or perhaps because of it, many SaaS vendors are attempting to alter or advance the SaaS definition to align more closely with their particular solutions. Sales pitches that include terms such as 'multi-tenant' versus 'isolated tenancy', or 'SaaS' versus 'Software + Services', are just a few of the technical arguments which ultimately cause more confusion than value for IT evaluators and buyers.

To separate claims and hype from substance and benefits, focus on the true definition of SaaS as well as the SaaS value proposition.

SaaS Defined

While SaaS is a broadly defined term for which there is no definitive consensus, the definition below enjoys general industry agreement.

SaaS is a software delivery model which provides web-based application access from a central shared services hosting facility over the Internet based on a subscription pricing model.

Key SaaS characteristics include the following:

  • Browser-based access to software applications
  • Pay-as-you-go subscription pricing – akin to rental
  • IT management is performed centrally rather than at each customer’s site
  • Shared services application delivery which generally includes impressive Tier 4 data centers and may consist of a multi-tenant architecture or in some instances a single-tenant (or isolated tenant) architecture
  • Centralized software management and upgrades (which eliminates the need for end-users to download and install software patches and upgrades)

Software as a service characteristics remain relatively constant despite the continual evolution of category naming for this disruptive technology. The change in the delivery, pricing and support model has evolved from its original moniker of ASP (application service provider) to utility computing to on-demand to SaaS and likely will fold into the cloud computing nomenclature and paradigm. Notwithstanding progressive naming escalations, the SaaS business model has consistent, profound and sustained value. According to Nicholas Carr, a former editor of the Harvard Business Review and IT visionary, the SaaS or utility computing model will have similar economic and social impact as was incurred a hundred years ago when companies stopped generating their own power with steam engines and dynamos and plugged into the newly built electric grid.

SaaS Value Proposition

The core tenets of the SaaS value proposition are unchanged regardless of vendor and include the following benefits.

  • Subscription pricing for lower TCO (total cost of ownership)
    • SaaS solutions forego hardware and software procurement, annual maintenance fees and upgrades
    • SaaS enables acquiring only the amount of software needed as opposed to traditional licenses per device
    • SaaS allows subscribers to access business functionality at a lesser cost than paying for licensed applications
    • SaaS reduces or eliminates IT salaries expenses for DBAs, system administrators and support or help desk staff
    • Some software vendors facing eroding market share to SaaS solutions have attempted to suggest that SaaS TCO is higher due to the recurring subscription model; however, while costs vary by customer, several analyst firms have developed TCO models which demonstrate that SaaS TCO is normally lower over the life of the application software
  • Faster implementation (faster time to benefits)
    • With no hardware, platform software or application software to install and configure, SaaS business software implementations are typically performed in 45% to 55% of the time and cost of on-premise CRM or ERP applications
  • Outsourced expertise
    • SaaS operations are managed by outsourced experts for improved product delivery and support; hosting organisations offer expert resources such as data centre architects, DBAs, security staff and help desk
    • Offloading IT administration and management allows companies to apply greater time and focus to core competencies
  • Predictable IT expenditures
    • Hosting clients turn otherwise variable costs into predictable monthly payments
    • Fewer over-budget IT project surprises
  • Reduced risk
    • Failure to achieve SaaS implementation success or post production results offers customers the option to terminate their subscriptions
  • Vested partnerships
    • Unlike traditional software licences, which are sold without any money-back provisions, SaaS agreements depend on recurring subscription renewals; with SaaS, the hosted vendor has a financially vested interest in the customer's satisfaction and software success
  • On-demand scalability as business grows
    • With SaaS, there is no need to purchase and maintain hardware in advance in order to be able to support cyclical demands or increased business growth; SaaS offers on-demand scalability
  • SaaS solutions forego a highly depreciable (hardware and software) asset which offers no intrinsic financial value. When performing the buy versus rent scenario, remember that if something appreciates over time you may opt to buy it, however, when something depreciates you often opt to rent it. Information systems only ever depreciate. Use the asset – don’t buy it.

Recognising the true definition of SaaS and the core tenets of the SaaS value proposition will empower IT evaluators and buyers to bypass vendor-injected, self-serving claims and imposed confusion, and to maintain focus on the business value and benefits realised from the SaaS delivery model.