meltingpoint Posted January 13, 2011

Ok- I have seen it go both ways on this forum and I was wondering which is correct- or more secure. I have a script that receives $_POST variables from a form. Which is better- to change the name of the $_POST variable to do script manipulations or to simply do them with the $_POST['whatever']

```php
$whatever = $_POST['var_from_form'];
```

or simply utilize

```php
$_POST['var_from_form']
```

I know it would be less typing changing it to $whatever, but does it really matter? And yes- register_globals is off.

Cheers-

Maq Posted January 13, 2011

If you use the first one you can use a more descriptive variable name. Also, if you define a new variable for the POST then you only have to manipulate it one time. For example, if you want to sanitize your POST value you would only have to call mysql_real_escape_string once. If you used the latter example, then you would need to call it every time you wanted to use it.

Anti-Moronic Posted January 13, 2011

Assigning your $_POST values to variables is good practice. As Maq said, you need to also think about security. You can't simply use

```php
$_POST['couldbeanything'];
```

you should use

```php
mysql_real_escape_string($_POST['couldbeanything']);
```

Of course, this only matters if you're using the $_POST values and inserting into a database. If not, it is still good practice to validate the input. Even on hidden form elements. *everything* the user enters into your system must be validated or you're open to being compromised.

A simple way of sanitizing all $_POST variables is like this:

```php
$cleanPost = array();
foreach ($_POST as $key => $val) {
    // Escape each submitted value before it is placed in a MySQL query
    $cleanPost[$key] = mysql_real_escape_string($val);
}
```

Now just use $cleanPost['couldbeanything'] instead of $_POST.

You can take that a step further and use an array to exclude/include certain keys, or validate value based on key name (like fname_alphnum, id_int).

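
The key-based validation mentioned at the end of the post above (an array of allowed keys, with a rule chosen per key) could look like the following. This is an added example, not part of the original thread; the field names `fname`, `id` and `is_admin`, the rules, and the function `validatePost` are assumptions made for illustration.

```php
<?php
// Added example. Field names and rules are hypothetical.

// Allowlist: the only keys the script accepts, each with its own validator.
// A validator returns the clean value, or null when the input is rejected.
$rules = [
    'fname' => function ($v) {
        // Letters and digits only, 1 to 40 characters.
        return preg_match('/^[A-Za-z0-9]{1,40}$/D', $v) === 1 ? $v : null;
    },
    'id' => function ($v) {
        // Positive integer; filter_var returns false on anything else.
        $i = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        return $i === false ? null : $i;
    },
];

function validatePost(array $post, array $rules): array
{
    $clean = [];
    $errors = [];
    foreach ($rules as $key => $validate) {
        // Missing keys and array-valued fields (name="id[]") are rejected.
        if (!isset($post[$key]) || !is_string($post[$key])) {
            $errors[] = $key;
            continue;
        }
        $value = $validate($post[$key]);
        if ($value === null) {
            $errors[] = $key;
        } else {
            $clean[$key] = $value;
        }
    }
    // Keys that are not in $rules are never copied, so unexpected
    // fields such as a forged hidden input are dropped.
    return [$clean, $errors];
}

// Constructed samples standing in for $_POST.
$goodPost = ['fname' => 'Alice42', 'id' => '17', 'is_admin' => '1'];
$badPost  = ['fname' => "bob'--", 'id' => ['17']];

foreach ([$goodPost, $badPost] as $post) {
    list($clean, $errors) = validatePost($post, $rules);
    var_dump($clean, $errors);
}
```

Validation of this kind decides what the script accepts; values that pass should still reach the database through bound parameters (PDO or mysqli prepared statements) rather than by string concatenation.
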
meltingpoint (Author) Posted January 14, 2011

Cool- thanks. Yeah- I always validate user input and have found for certain things it works best to assign $_POST['whatever'] to $name_whatever. But for brevity in most cases I will simply use the $_POST['whatever'].

Again- thanks

This topic is now archived and is closed to further replies.