Is $POST necessary or redundant?


phppup


 

My code looks something like this:

//section one

apples = $POST ['apples']

donuts =$POST['donuts']

 

SQL= blah blah blah

 

//section two

INSERT (apples, donuts) VALUES ($apples, $donuts) etc

 

Is "section one" necessary to have in my script, or is it redundant since the values are indicated in my results statement?

 

I need clarification from people who know this stuff well.  Thanks

 

 

https://forums.phpfreaks.com/topic/259340-is-post-necessary-or-redundant/

Let me try to make this a little more clear:

My code looks something like this:

 

//section ONE

apples = $POST ['apples']

donuts =$POST['donuts']

 

SQL= blah blah blah

 

//section TWO

INSERT (apples, donuts) VALUES ($apples, $donuts) etc

 

Is "section ONE" necessary to have in my script, or is it redundant since the values are indicated in my results statement?

 

Some have said it's UNNECESSARY because the same info is being stated in section TWO, and others have indicated that it is "proper protocol" to aid in the script's processing.

 

 

Looking at that I don't see how section 2 would have the first clue what $apples and $donuts would be without them first being assigned in section 1 (as I assume you just missed the $ prefix of the apples and donuts in this section), unless perhaps it's in this "results statement" that you can't be bothered to describe in any sort of detail.

 

If it's too much trouble to word a question in a way that makes sense, why bother asking it in the first place?

$_POST (there is an underscore in there) is where PHP holds the values POSTed from a form, so that your script can get to them. If you are running an old version of PHP and/or you have register_globals turned on, then the first two statements are redundant. However, having register_globals on is a major security risk!

 

The "best practice" is to run with register_globals off and do something like this:

 

$apples = (isset($_POST['apples']) ? $_POST['apples'] : '');
$donuts = (isset($_POST['donuts']) ? $_POST['donuts'] : '');

/* Verify that the values for "apples" and "donuts" are valid 
    (whatever "valid" means to your application) */

// Prepare for SQL (assuming mysql here)
$apples = mysql_real_escape_string($apples);
$donuts = mysql_real_escape_string($donuts);

$sql = "INSERT INTO myTable (appleColumn, donutColumn) VALUES ('$apples', '$donuts')";

 

I have over-simplified that example. The point is: test to see if the values were provided; validate the values to be sure they are acceptable; sanitize the data to prevent SQL injection attacks; build the SQL statement separately (to make debugging simpler); send it to the database (not shown in the example).

 

Thank you DAVID!

 

Over-simplification EXPLAINS things perfectly; especially to those of us who might not truly realize WHAT we're ASKING or WHY others think it's a problem.

 

Now I not only got my answer, but ALSO understand the importance of the sections. 

 

PS: can you elaborate on the ISSET. I know it's the brief version of an IF, but it's caused me problems in the past. I have SANITATION and VALIDATION on my input fields, and the rest are dropdown menus.

 

Is there a way to put the "mysql_real_escape_string" in a loop to cover all the variables, or do they need to be sanitized individually?

Is there a way to put the "mysql_real_escape_string" in a loop to cover all the variables, or do they need to be sanitized individually?

 

I've used variable variables:

$dataentries = array( 'apples', 'donuts' );
foreach( $dataentries AS $value ) {
    $$value = isset( $_POST[ $value ] ) ? $_POST[ $value ] : '';
    $$value = mysql_real_escape_string($$value);
}

The isset call returns true if the variable is defined (has been "set" to a value), and returns false if it has not. The following would accomplish about the same thing, but it would throw an error (actually, a NOTICE) about referencing an undefined variable (or, in this case, an undefined index in the array):

$apples = $_POST['apples'];

 

The ternary operator condition ? trueExpression : falseExpression; is a shortcut for an if ... else ...

 

if (isset($_POST['apples'])) {
    $apples = $_POST['apples'];
} else {
    $apples = '';
}

// is exactly the same as 

$apples = (isset($_POST['apples']) ? $_POST['apples'] : '');

 

 

Don't start thinking that your dropdown menu values (<SELECT> fields) are safe. They can be very easily hacked to send you a value you are not expecting. If you use the value directly from the POST array, you must validate and/or sanitize.

 

 

I don't sanitize my variables until I put them in an SQL statement. Consider:

 

// Values from the form
$_POST['apples'] = "I'm here";
$_POST['donuts'] = "What's a \ for?";

// Quick and dirty sanitize
$fromUser = array_map('mysql_real_escape_string', $_POST);

// Now I want to display what the user typed
print "Apples: " . $fromUser['apples'] . "<BR>";
print "Donuts: " . $fromUser['donuts'] . "<BR>";

 

The output displayed by those statements will be:

 

Apples: I\'m here
Donuts: What\'s a \\ for?

 

mysql_real_escape_string() puts backslashes in to protect the database. The database knows to treat these backslashes in a special way. But to the browser, they are just characters to be displayed. This is why I don't "escape_string" until they go into an SQL statement.
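Pulling the thread's points together as an added example (not code posted by anyone above): one loop tests and validates every expected field, the SQL step uses PDO prepared statements in place of mysql_real_escape_string(), and display escaping is kept separate with htmlspecialchars(). The field names, the whitelist and the $_POST contents are constructed, and an in-memory SQLite table stands in for the real database so it runs offline.

```php
<?php
// Constructed sample input, as the thread does in its own example.
$_POST = ['apples' => "I'm here", 'donuts' => 'glazed', 'extra' => 'ignored'];

// One rule per expected field: the loop below covers all of them, so no
// field is ever read from $_POST by hand. Dropdown values get a whitelist
// because the browser can send anything, not only the <SELECT> options.
$fields = [
    'apples' => fn($v) => is_string($v) && strlen($v) <= 50,       // free text
    'donuts' => fn($v) => in_array($v, ['plain', 'glazed'], true), // dropdown whitelist
];

function collectInput(array $fields, array $post): array
{
    $clean = [];
    foreach ($fields as $name => $isValid) {
        $value = isset($post[$name]) ? $post[$name] : '';   // test: no undefined-index notice
        if (!$isValid($value)) {                              // validate: reject, do not repair
            throw new InvalidArgumentException("Bad value for $name");
        }
        $clean[$name] = $value;                               // still raw text: nothing escaped yet
    }
    return $clean;                                            // unexpected keys ('extra') are dropped
}

function storeOrder(PDO $db, array $row): int
{
    // Sanitize at the point of use: a bound parameter is never parsed as SQL,
    // whatever it contains, and the stored text gets no added backslashes.
    $stmt = $db->prepare('INSERT INTO orders (appleColumn, donutColumn) VALUES (:apples, :donuts)');
    $stmt->execute([':apples' => $row['apples'], ':donuts' => $row['donuts']]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, appleColumn TEXT, donutColumn TEXT)');

$id = storeOrder($db, collectInput($fields, $_POST));

// Reading it back shows the text was stored unchanged; the browser gets its
// own escaping, which is a different job from protecting the SQL statement.
$stmt = $db->prepare('SELECT appleColumn FROM orders WHERE id = :id');
$stmt->execute([':id' => $id]);
$saved = $stmt->fetchColumn();
print 'Apples: ' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8') . "<br>\n";
```

Requires PHP 7.4 or later (arrow functions) with the pdo_sqlite extension enabled.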

Archived

This topic is now archived and is closed to further replies.
