Are you a defensive programmer?

So what is defensive programming? In short, in any problematic situation your code doesn't break; instead it works around the situation by taking proper steps. If you want the details, just visit Wikipedia.

I am writing this article because I have found that many programmers don't accept this approach. So if you provide unexpected data, sometimes the application will crash or show an unwanted error message, and sometimes (for a web application) it will show important data.

Look at an example for a web application:

Suppose I need a user id from a link, and then I'll process something for that id. Let the URL be

http://mysite.com/user.php?id=10

I have found that many programmers do the following:

user.php

$uid = $_REQUEST['id'];
$data = getData($uid);
showHtmlOutput($data);

Let's think about what happens if the URL is one of these:

  • http://mysite.com/user.php?id=
  • http://mysite.com/user.php?id=botol
  • http://mysite.com/user.php?id=1$$*$X

All of these URLs will provide wrong data, and they will force your PHP code to show an error/warning message to the user unless you turn errors off in PHP.

So if you are a defensive programmer, the code should look like this:

//check if id is set or not
$uid = isset($_REQUEST['id']) ? $_REQUEST['id'] : '';

//check if id is empty or not
if (empty($uid)) {
    //show user a meaningful message and bypass it
    echo "User id is not provided";
    return;
}
else if (!ctype_digit($uid)) {
    //check user's provided data, as we know uid only consists of digits
    //do the same action as the if block
    echo "User id is not valid";
    return;
}

//if execution reaches here, $uid is valid data, so do the tasks
$data = getData($uid);
showHtmlOutput($data);

So look, defensive programming needs some more code to validate data. But it's really essential. Honestly, though, sometimes under pressure from the project manager and short deadlines, we programmers can't maintain all of these approaches; as I always say to my fellow programmers, “Best And Fast Never Met”.

In any case, if you have time then you should be a defensive programmer; it's very essential for web applications.
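
The validation above, gathered into one reusable function and extended beyond the article's three URLs to an array value (`?id[]=1`), leading zeros and a digit string too large for an integer. This is an added example, not the author's code; `parseUserId()` and the sample values are assumptions made for illustration.

```php
<?php
// Added example; parseUserId() is a hypothetical helper, not the article's code.

/** Return a positive integer user id, or null when the raw value is unusable. */
function parseUserId($raw): ?int
{
    // ?id[]=1 arrives as an array and a missing id as null: accept strings only.
    if (!is_string($raw)) {
        return null;
    }
    // ctype_digit() is false for '', signs, spaces, decimals and exponents,
    // so '1e3' or '10abc' never reach an integer conversion.
    if (!ctype_digit($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT returns false when the digits overflow PHP_INT_MAX,
    // when they carry leading zeros ('007'), or when they fall below min_range.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed inputs: the id values from the article's URLs plus further edge cases.
$samples = ['10', '', 'botol', '1$$*$X', '0', '-5', '1e3', ' 7', '007',
            '99999999999999999999999', ['1'], null];

foreach ($samples as $raw) {
    $id = parseUserId($raw);
    printf("%-28s %s\n", json_encode($raw), $id === null ? 'rejected' : "accepted as $id");
}

// In user.php the call would be: parseUserId($_REQUEST['id'] ?? null)
```

Because the function returns either a real integer or null, the caller has a single failure branch to handle before calling getData().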

About mahmud ahsan

Founder And Lead Programmer at iThinkdiff.net

10 Responses to Are you a defensive programmer?

  1. daniele June 23, 2010 at 4:07 pm #

    thank you ;-)

  2. hafizan June 25, 2010 at 4:29 pm #

    if(!is_numeric($value)) {
        $value=0;
        return($value);
    } else {
        return(intval($value));
    }
    
  3. Michal June 25, 2010 at 5:44 pm #

    This article just scratches the surface. Of course you should validate the data, but the real question is – how far do you want to go with this?
    Just one layer of validation or boilerplate everywhere?

    • mahmud ahsan June 26, 2010 at 2:47 am #

      In karate and other martial arts there are some basic techniques; one of them is blocking. So if someone attacks you, you can block that attack with the technique. Defensive programming is a vast issue, and there are many places in software design/programming where we have to apply it. This is just a simple example of the issue.

  4. Bret, not present June 25, 2010 at 6:13 pm #

    or using only 1 return statement, removing additional whitespace and using a sensible default:

    $returnValue = 0;
    $value = isset($_REQUEST['id'])? trim($_REQUEST['id']):null;
    
    if(is_numeric($value)){
       $returnValue = intval($value);
    }
    
    return $returnValue;
    
  5. Sumon June 28, 2010 at 3:40 am #

    wow. I like this.

  6. hudson June 28, 2010 at 3:04 pm #

    You ONLY sanitized user inputs.

    Defensive Programming includes many other things also.

    http://en.wikipedia.org/wiki/Defensive_programming

  7. Al June 30, 2010 at 10:55 am #

    Hmm perhaps I am a defensive programmer.

  8. Jerzy July 1, 2010 at 2:12 pm #

    oh my …

    $uid = isset($_REQUEST['id']) ? intval($_REQUEST['id']) : 0;
    if( $uid < 1 ) return; // <--- in fact, this should be in getData functions and return null
    
    $data = getData($uid);
    if( $data == null ) return;
    
    showHtmlOutput($data);