
Making post variables easier


cjbeck71081


I have been using PHP for quite some time and I always make these forms, and the first thing I have to do on the script page is to call each form field a variable to use it later.  Is there a better way than this?  In other words, to take a collection of all the form fields and not have to call them.

 

What do people do when they have forms with 100 fields?

 

Thanks in advance

 

Chris

https://forums.phpfreaks.com/topic/123679-making-post-variables-easier/

you don't have to assign post variables to new variables, since they already exist in the $_POST array. automatically assigning variables for whatever someone submits is dangerous. that's why register_globals is turned OFF by default. if you want to create a security issue, you can turn it ON in php.ini.

So in other words.

 

If you have a form:

<form id="form1" name="form1" method="post" action="post.php">
  <label>
  <input type="text" name="textfield1" id="textfield1" />
  </label>
  <p>
    <label>
    <input type="text" name="textfield2" id="textfield2" />
    </label>
  </p>
  <p> </p>
</form>

 

When you get over to post.php

 

you are just inputting the data using the $_POST['textfield1'] rather than assigning it a variable?

 

i.e.

<?php
// Read the submitted values straight from $_POST; no separate variables needed
echo("This is my first text field " . $_POST['textfield1']);
echo("<br>");
echo("this is my second text field " . $_POST['textfield2']);
?>

 

Thanks

Well, using any kind of non-validated data is dangerous.  It doesn't matter if you're using it like:

// Deliberately unsafe: the raw form value is concatenated into the SQL string
$query = "INSERT INTO my_dbtable (my_column) VALUE ('" . $_POST['someField'] . "')";
$result = mysql_query($query);

 

Or:

$someField = $_POST['someField'];

// Equally unsafe: copying the value into a variable first changes nothing
$query = "INSERT INTO my_dbtable (my_column) VALUE ('$someField')";
$result = mysql_query($query);

 

Neither one is innately more secure than the other.  In fact, both are dangerously insecure if left as is.  Remember: all incoming data is potentially bad.

 

I tend to assign scrubbed (i.e., validated) data to variables because it makes it easier on me to refer to them by a simple variable name than to deal with the cumbersome superglobal syntax every time I want to use form data.
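One way to handle a form with many fields without register_globals-style automatic assignment, as an added example that is not code from this thread: declare the fields you expect together with a validation rule for each, scrub them in one pass, and hand the values to a prepared statement instead of concatenating them into the SQL. The columns email and comment, the DSN and the credentials are assumptions; my_dbtable and my_column come from the post above.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table my_dbtable with
// columns my_column (int), email (varchar) and comment (text); email, comment,
// the DSN and the credentials are invented for the example.

// The script, not the request, decides which fields exist: anything the client
// sends that is not listed here is simply dropped (the opposite of
// register_globals or extract($_POST), which let the client create variables).
$rules = [
    'textfield1' => ['filter'  => FILTER_VALIDATE_INT,
                     'options' => ['min_range' => 1, 'max_range' => 1000000]],
    'textfield2' => ['filter'  => FILTER_VALIDATE_EMAIL],
    'comment'    => ['filter'  => FILTER_UNSAFE_RAW],  // free text, escaped at the point of use
];

/** Return [cleanValues, errors]; a missing or failing field becomes an error. */
function scrub(array $input, array $rules): array
{
    $clean  = filter_var_array($input, $rules, true); // true: missing keys become null
    $errors = [];
    foreach ($rules as $field => $_) {
        if ($clean[$field] === null || $clean[$field] === false) {
            $errors[] = "$field is missing or invalid";
        }
    }
    return [$clean, $errors];
}

// Constructed sample request so the script also runs from the command line; the
// comment contains a quote, which would have broken the concatenated query above.
$input = $_POST ?: ['textfield1' => '42', 'textfield2' => 'chris@example.com',
                    'comment'    => "Chris O'Brien's entry"];

[$clean, $errors] = scrub($input, $rules);
if ($errors) {
    http_response_code(400);
    exit(htmlspecialchars(implode("\n", $errors), ENT_QUOTES, 'UTF-8'));
}

// Values travel separately from the SQL text, so no quoting of form data is needed.
$pdo  = new PDO('mysql:host=localhost;dbname=mydb', 'user', 'pass',
                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('INSERT INTO my_dbtable (my_column, email, comment)
                       VALUES (:my_column, :email, :comment)');
$stmt->execute([':my_column' => $clean['textfield1'],
                ':email'     => $clean['textfield2'],
                ':comment'   => $clean['comment']]);

// When echoing form data back into the page, encode it for HTML first.
echo 'Saved: ' . htmlspecialchars($clean['comment'], ENT_QUOTES, 'UTF-8');
```

Adding a field then means adding one line to $rules rather than another `$x = $_POST['x'];` assignment, and every value reaching the query or the page has passed a rule.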
