meltingpoint Posted January 13, 2011 Share Posted January 13, 2011 Ok- I have seen it go both ways on this forum and I was wondering which is correct- or more secure. I have a script that receives $_POST variables from a form. Which is better- to change the name of the $_POST variable to do script manipulations or to simple do them with the $_POST['whatever'] $whatever = $_POST['var_from_form']; or simply utilize $_POST['var_from_form'] I know it would be less typing changing it to $whatever, but does it really matter? And yes- register_globals is off. Cheers- Quote Link to comment Share on other sites More sharing options...
Maq Posted January 13, 2011 Share Posted January 13, 2011 If you use the first one you can use a more descriptive variable name. Also, if you define a new variable the POST then you only have to manipulate it one time. For example, if you want to sanitize your POST value you would only have to call mysql_real_escape_string once. If you used the latter example, then you would need to call it every time you wanted to use it. Quote Link to comment Share on other sites More sharing options...
Anti-Moronic Posted January 13, 2011 Share Posted January 13, 2011 Assigning your $_POST values to variables is good practice. As maq said you need to also think about security. You can't simply use $_POST['couldbeanything']; you should use mysql_real_escape_string($_POST['couldbeanything']); Of course, this only matters if you're using the $_POST values and inserting into a database. If not, it is still god practice to validate the input. Even on hidden form elements. *everything* the user enters into your system must be validated or you're open to being compromised/ A simple way of sanitizing all $_POST variables is like this: foreach($_POST as $key => $val){ $cleanPost[$key] = mysql_real_escape_string($val); } Now just use $cleanPost['couldbeanything'] instead of $_POST. You can take that a step further and use an array to exclude/include certain keys, or validate value based on key name (like fname_alphnum, id_int). Quote Link to comment Share on other sites More sharing options...
meltingpoint Posted January 14, 2011 Author Share Posted January 14, 2011 Cool- thanks. Yeah- I always validate user input and have found for certain things it works best to assign $_POST['whatever'] to $name_whatever. But for brevity in most cases I will simply use the $_POST['whatever']. Again- thanks Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.