phppup Posted March 20, 2012
My code looks something like this:

    //section one
    apples = $POST ['apples']
    donuts =$POST['donuts']
    SQL= blah blah blah

    //section two
    INSERT (apples, donuts) VALUES ($apples, $donuts)
    etc

Is "section one" necessary to have in my script, or is it redundant since the values are indicated in my results statement? I need clarification from people who know this stuff well. Thanks
Muddy_Funster Posted March 20, 2012
OK, let me start by saying please reword the question, preferably pointing out what your "results statement" is and some rough idea of what the script is actually doing.
requinix Posted March 20, 2012
It is not necessary. However, it is bad form to modify the values in $_POST et al., so if you need to do something to them then keep that first section and modify your variables instead.
phppup Posted March 20, 2012 (Author)
Let me try to make this a little more clear. My code looks something like this:

    //section ONE
    apples = $POST ['apples']
    donuts =$POST['donuts']
    SQL= blah blah blah

    //section TWO
    INSERT (apples, donuts) VALUES ($apples, $donuts)
    etc

Is "section ONE" necessary to have in my script, or is it redundant since the values are indicated in my results statement? Some have said it's UNNECESSARY because the same info is being stated in section TWO, and others have indicated that it is "proper protocol" to aid in the script's processing.
Muddy_Funster Posted March 20, 2012
Looking at that, I don't see how section 2 would have the first clue what $apples and $donuts would be without them first being assigned in section 1 (as I assume you just missed the $ prefix of the apples and donuts in this section), unless perhaps it's in this "results statement" that you can't be bothered to describe in any sort of detail. If it's too much trouble to word a question in a way that makes sense, why bother asking it in the first place?
DavidAM Posted March 20, 2012
$_POST (there is an underscore in there) is where PHP holds the values POSTed from a form, so that your script can get to them. If you are running an old version of PHP and/or you have register_globals turned on, then the first two statements are redundant. However, having register_globals on is a major security risk! The "best practice" is to run with register_globals off and do something like this:

    $apples = (isset($_POST['apples']) ? $_POST['apples'] : '');
    $donuts = (isset($_POST['donuts']) ? $_POST['donuts'] : '');

    /* Verify that the values for "apples" and "donuts" are valid
       (whatever "valid" means to your application) */

    // Prepare for SQL (assuming mysql here)
    $apples = mysql_real_escape_string($apples);
    $donuts = mysql_real_escape_string($donuts);

    $sql = "INSERT INTO myTable (appleColumn, donutColumn) VALUES ('$apples', '$donuts')";

I have over-simplified that example. The point is: Test to see if the values were provided; Validate the values to be sure they are acceptable; Sanitize the data to prevent SQL injection attacks; Build the SQL statement separately (to make debugging simpler); Send it to the database (not shown in the example).
phppup Posted March 20, 2012 (Author)
Thank you DAVID! Over-simplification EXPLAINS things perfectly, especially to those of us who might not truly realize WHAT we're ASKING or WHY others think it's a problem. Now I not only got my answer, but ALSO understand the importance of the sections.

PS: can you elaborate on the ISSET? I know it's the brief version of an IF, but it's caused me problems in the past. I have SANITATION and VALIDATION on my input fields, and the rest are dropdown menus. Is there a way to put the "mysql_real_escape_string" in a loop to cover all the variables, or do they need to be sanitized individually?
cpd Posted March 20, 2012

    $var = (if 1 = 1 ? do this : else do this);

Three sections: the if part is the "condition". The "do this" part is the action to be carried out if the condition is true. The "else do this" is the action to be carried out if the condition is false.
rythemton Posted March 20, 2012
> Is there a way to put the "mysql_real_escape_string" in a loop to cover all the variables, or do they need to be sanitized individually?

I've used variable variables:

    $dataentries = array( 'apples', 'donuts' );
    foreach( $dataentries AS $value ) {
        $$value = isset( $_POST[ $value ] ) ? $_POST[ $value ] : '';
        $$value = mysql_real_escape_string($$value);
    }
DavidAM Posted March 20, 2012
The isset call returns true if the variable is defined (has been "set" to a value), and returns false if it has not. The following would accomplish about the same thing, but it would throw an error (actually, a NOTICE) about referencing an undefined variable (or, in this case, an undefined index in the array):

    $apples = $_POST['apples'];

The ternary operator

    condition ? trueExpression : falseExpression;

is a shortcut for an if ... else ...

    if (isset($_POST['apples'])) {
        $apples = $_POST['apples'];
    } else {
        $apples = '';
    }
    // is exactly the same as
    $apples = (isset($_POST['apples']) ? $_POST['apples'] : '');

Don't start thinking that your dropdown menu values (<SELECT> fields) are safe. They can be very easily hacked to send you a value you are not expecting. If you use the value directly from the POST array, you must validate and/or sanitize.

I don't sanitize my variables until I put them in an SQL statement. Consider:

    // Values from the form
    $_POST['apples'] = "I'm here";
    $_POST['donuts'] = "What's a \ for?";

    // Quick and dirty sanitize
    $fromUser = array_map('mysql_real_escape_string', $_POST);

    // Now I want to display what the user typed
    print "Apples: " . $fromUser['apples'] . "<BR>";
    print "Donuts: " . $fromUser['donuts'] . "<BR>";

The output displayed by those statements will be:

    Apples: I\'m here
    Donuts: What\'s a \\ for?

mysql_real_escape_string() puts backslashes in to protect the database. The database knows to treat these backslashes in a special way. But to the browser, they are just characters to be displayed. This is why I don't "escape_string" until they go into an SQL statement.
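The steps DavidAM lists in his first reply (test, validate, sanitize, build the SQL separately) and the dropdown warning in his second, carried through as one added example that is not from the thread. It runs offline against an in-memory SQLite database through PDO, and it substitutes PDO prepared statements for mysql_real_escape_string, which belongs to the ext/mysql extension that was removed in PHP 7.0; the table, column and dropdown choice names are invented, and the tampered POST array is constructed for the demonstration. The vulnerable version interpolates the copied "section one" variables straight into the query, next to the version that validates and parameterizes them.

```php
<?php
// Added example, not from the thread. Table, column and choice names are
// invented; the request arrays are constructed to show a tampered form post.
// PDO prepared statements stand in for mysql_real_escape_string (ext/mysql,
// removed in PHP 7.0). SQLite in memory lets this run with no server.

// The server-side list of what the <select> for "donuts" is allowed to send.
const DONUT_CHOICES = ['glazed', 'jelly', 'plain'];

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE myTable (appleColumn TEXT, donutColumn TEXT)');
    return $db;
}

// "Section one" copied into variables and then interpolated straight into the
// SQL string: the copy adds nothing, and the request now controls the query.
function insertUnsafe(PDO $db, array $post): int
{
    $apples = isset($post['apples']) ? $post['apples'] : '';
    $donuts = isset($post['donuts']) ? $post['donuts'] : '';
    $sql = "INSERT INTO myTable (appleColumn, donutColumn) VALUES ('$apples', '$donuts')";
    return $db->exec($sql); // rows written
}

// The same steps done properly: test, validate, then keep data out of the SQL.
function insertSafe(PDO $db, array $post): int
{
    // 1. Test that the values were provided at all.
    $apples = isset($post['apples']) ? $post['apples'] : '';
    $donuts = isset($post['donuts']) ? $post['donuts'] : '';

    // 2. Validate. The dropdown value is checked against the server-side list,
    //    since the browser can be made to send anything; the text field gets
    //    whatever rule the application needs (a length cap here).
    if (!in_array($donuts, DONUT_CHOICES, true)) {
        throw new InvalidArgumentException('donuts: not an allowed choice');
    }
    if ($apples === '' || strlen($apples) > 50) {
        throw new InvalidArgumentException('apples: missing or too long');
    }

    // 3. Build the statement separately, with placeholders instead of values.
    //    The raw strings travel as parameters, never as SQL text, so $apples
    //    is left unescaped and can still be echoed back exactly as typed.
    $sql = 'INSERT INTO myTable (appleColumn, donutColumn) VALUES (:apples, :donuts)';
    $stmt = $db->prepare($sql);
    $stmt->execute([':apples' => $apples, ':donuts' => $donuts]);
    return $stmt->rowCount();
}

// Constructed request: the "apples" text closes the quote and starts a second
// row tuple, and the "donuts" value is not one the form offers.
$tampered = [
    'apples' => "fuji', 'x'), ('injected",
    'donuts' => 'custard',
];

$db = openDb();

printf("unsafe insert wrote %d row(s)\n", insertUnsafe($db, $tampered));

try {
    insertSafe($db, $tampered);
} catch (InvalidArgumentException $e) {
    echo "safe insert rejected the request: ", $e->getMessage(), "\n";
}

// With an allowed dropdown value, the same hostile text is stored as data.
$legit = ['apples' => $tampered['apples'], 'donuts' => 'glazed'];
printf("safe insert wrote %d row(s)\n", insertSafe($db, $legit));

$stmt = $db->prepare('SELECT appleColumn FROM myTable WHERE donutColumn = :d');
$stmt->execute([':d' => 'glazed']);
printf("stored apples value: %s\n", $stmt->fetchColumn());
```

Run it with the PHP CLI (the pdo_sqlite extension is bundled with most builds). The unsafe path writes more rows than the request contained, because the quote in the "apples" field ended the value and the rest became SQL; the safe path rejects the tampered dropdown value outright and, for an allowed one, stores the hostile string byte for byte, which is also why it needs no escaping before being displayed back to the user.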
phppup Posted March 21, 2012 (Author)
How do I edit the code that "rythemton" mentioned if I'm not writing an array? All the data is coming from a form. I seem to get into trouble whenever there are ARRAYS that are ITEMIZED in the code rather than having values coming from a form or a table.