Jump to content

Recommended Posts

 

My code looks something like this:

//section one

apples = $POST ['apples']

donuts =$POST['donuts']

 

SQL= blah blah blah

 

//section two

INSERT (apples, donuts) VALUES ($apples, $donuts) etc

 

Is "section one" necessary to have in my script, or is redundant since the values are indicated in my results statement?

 

I need clarification from people who know this stuff well.  Thanks

 

 

Link to comment
https://forums.phpfreaks.com/topic/259340-is-post-necessary-or-redundant/
Share on other sites

Let me try to make this a little more clear:

My code looks something like this:

 

//section ONE

apples = $POST ['apples']

donuts =$POST['donuts']

 

SQL= blah blah blah

 

//section TWO

INSERT (apples, donuts) VALUES ($apples, $donuts) etc

 

Is "section ONE" necessary to have in my script, or is redundant since the values are indicated in my results statement?

 

Some have said it's UNNECESSARY because the same info is being stated in section TWO, and others have indicated that it is "proper protocol" to aid in the scripts processing.

 

 

Looking at that I don't see how section 2 would have the first clue what $apples and $donuts would be without them first being assigned in section 1 (as I assume you just missed the $ prefix of the apples and donuts in this section), unless perhaps it's in this "results statement" that you can't be bothered to describe in any sort of detail.

 

If it's too much trouble to word a question in a way that makes sense, why bother asking it in the first place?

$_POST (there is an underscore in there) is where PHP holds the values POSTed from a form, so that your script can get to them. If you are running an old version of PHP and/or you have register_globals turned on, then the first two statements are redundant. However, having register_globals on is a major security risk!

 

The "best practice" is to run with register_globals off and do something like this:

 

$apples = (isset($_POST['apples']) ? $_POST['apples'] : '');
$donuts = (isset($_POST['donuts']) ? $_POST['donuts'] : '');

/* Verify that the values for "apples" and "donuts" are valid 
    (whatever "valid" means to your application) */

// Prepare for SQL (assuming mysql here)
$apples = mysql_real_escape_string($apples);
$donuts = mysql_real_escape_string($donuts);

$sql = "INSERT INTO myTable (appleColumn, donutColumn) VALUES ('$apples', '$donuts')";

 

I have over-simplified that example. The point is, Test to see if the values were provided; Validate the values to be sure the are acceptable; Sanitize the data to prevent SQL injection attacks; Build the SQL statement separately (to make debugging simpler); Send it to the database (not shown in the example).

 

Thank you DAVID!

 

Over-simplification EXPLAINS things perfectly; especially to those of us who might not truly realize WHAT were ASKING or WHY others think it's a problem.

 

Now I not only got my answer, but ALSO understand the importance of the sections. 

 

PS: can you elaborate on the ISSET.  I know it's the brief version of an IF, but it's caused me problems in the past.  I have SANITATIoN and VALIDATION on my input fields, and the rest are dropdown menus. 

 

Is there a way to put the "mysql_real_escape_string" is a loop to cover all the variables, or do they need to be sanitized individually?

$var = (if 1 = 1 ? do this : else do this);

 

Three sections, the if part is the "condition". The "do this" part is the action to be carried out of the condition is true. The "else do this" is the action to be carried out if the conditions is false.

Is there a way to put the "mysql_real_escape_string" is a loop to cover all the variables, or do they need to be sanitized individually?

 

I've used variable variables:

$dataentries = array( 'apples', 'donuts' );
foreach( $dataentries AS $value ) {
    $$value = isset( $_POST[ $value ] ) ? $_POST[ $value ] : '';
    $$value = mysql_real_escape_string($$value);
}

The isset call returns true if the variable is defined (has been "set" to a value), and returns false if it has not. The following would accomplish about the same thing, but it would throw an error (actually, a NOTICE) about referencing an undefined variable (or, in this case, an undefined index in the array):

$apples = $_POST['apples'];

 

The ternary operator condition ? trueExpression : falseExpression; is a shortcut for an if ... else ...

 

if (isset($_POST['apples'])) {
    $apples = $_POST['apples'];
} else {
    $apples = '';
}

// is exactly the same as 

$apples = (isset($_POST['apples']) ? $_POST['apples'] : '');

 

 

Don't start thinking that your dropdown menu values (<SELECT> fields) are safe. They can be very easily hacked to send you a value you are not expecting. If you use the value directly from the POST array, you must validate and/or sanitize.

 

 

I don't sanitize my variables until I put them in an SQL statement. Consider:

 

// Values from the form
$_POST['apples'] = "I'm here";
$_POST['donuts'] = "What's a \ for?";

// Quick and dirty sanitize
$fromUser = array_map('mysql_real_escape_string', $_POST);

// Now I want to display what the user typed
print "Apples: " . $fromUser['apples'] . "<BR>";
print "Donuts: " . $fromUser['donuts'] . "<BR>";

 

The output displayed by those statements will be:

 

Apples: I\'m here
Donuts: What\'s a \\ for?

 

mysql_real_escape_string() puts backslashes in to protect the database. The database knows to treat these backslashes in a special way. But to the browser, they are just characters to be displayed. This is why I don't "escape_string" until they go into an SQL statement.

How do I edit the code that "rythemton" mentioned if I'm not writing an array.

All the data is coming from a form.

I seem to get into trouble whenever there are ARRAYS that are ITEMIZED in the code rather than having values coming from a form or a table.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.