URGENT - Simple $_POST question

cmdown asked
Medium Priority
Last Modified: 2008-02-26
When submitting data from one page to another, should I use $_POST[fieldname] or just $fieldname to retrieve data?
Up to now I've been using $fieldname and it's been working fine, but I'm a bit worried about the security aspects.
My register globals is enabled, are there any security concerns with this?

I read somewhere that using $_POST[fieldname] is a lot more secure than using $fieldname, any truth in this?


Billing Engineer
Most Valuable Expert 2014
Top Expert 2009
use $_POST, as $fieldname requires a server setting to be switched on, and you never know when the web admin will turn it off.

Guy Hengel [angelIII / a3], Billing Engineer

ps: it is also clearer when reading the code where the data comes from... will save you (or someone else) a lot of investigation time when reading the code 2 weeks later...


yes, there are security issues with register_globals turned on, that's why it's recommended even if you have full control over the server, to turn them off, and use $_POST[$fieldname] instead.
Besides code readability, that's also better for clear namespace and variable scope.

register_globals turned on can lead to "unexpected behaviour of PHP applications, which can lead to execution of remote PHP code in many situations".

Here is more info for this problem:


POSTing from an HTML form to PHP creates the dreaded message everyone hates -

"this page has POSTDATA which may not be refreshed... etc" This is a big user annoyance.

If POSTing from HTML to PHP, recommend you use GET function instead. Still correct URL encoding, almost same as POST, certainly same security -- but no annoying USER message. Helps?


Thanks for the help everyone. One last thing, is it simply ok for me to get the $_POST value and assign it to a variable just once, rather than having to use $_POST each time I need the field?


$fieldname = $_POST[fieldname] just once at the top of the php page

rather than having to use $_POST[fieldname] every time I need to use fieldname. (Hope that makes sense!)

I already have lots of pages, but I failed to use $_POST. Looks like I'll have to go back and change every single page.

it's perfectly ok to assign the $_POST value to a variable;

$fieldname = $_POST['fieldname'];

You can even perform some additional checks at this point, depending on the value you have:
$fieldname = intval($_POST['fieldname']);
$fieldname = strval($_POST['fieldname']);

or set some default values:

$fieldname = (strval($_POST['fieldname']) == "") ? 'default' : strval($_POST['fieldname']);

hope that helps :)
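
The pattern from the answer above (read each field from $_POST once at the top of the page, with a check and a default), written out for current PHP as an added example that is not part of the original thread. The helper names post_string and post_int, the field names and the sample input are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for a submitted form, so the script
// runs from the command line. "authorized" is not a real form field; it is
// here to show that unexpected keys stay inside $_POST.
$_POST = ['age' => '42abc', 'name' => '  Alice ', 'authorized' => '1'];

// Hypothetical helper: one POST field as a trimmed string, or $default when
// the field is missing, empty, or not a string (name[]=x arrives as an array).
function post_string(string $key, string $default = ''): string
{
    $value = $_POST[$key] ?? null;
    if (!is_string($value)) {
        return $default;
    }
    $value = trim($value);
    return $value === '' ? $default : $value;
}

// Hypothetical helper: one POST field as an integer. intval() would turn
// "42abc" into 42; FILTER_VALIDATE_INT rejects it, so the default is used
// and malformed input does not pass as a valid number.
function post_int(string $key, int $default = 0): int
{
    $value = $_POST[$key] ?? null;
    if (!is_string($value)) {
        return $default;
    }
    $int = filter_var($value, FILTER_VALIDATE_INT);
    return $int === false ? $default : $int;
}

// Initialise every variable the page relies on, then read each field once.
// Request data reaches a variable only through one of these explicit reads.
$authorized = false;                      // decided by server-side logic only
$name  = post_string('name', 'default');
$age   = post_int('age', 0);
$email = post_string('email', 'none');    // field absent from the sample input

var_dump($name, $age, $email, $authorized);
```

Quoting the array key ('fieldname' rather than fieldname) matters: an unquoted key is looked up as a constant, which is an error in PHP 8.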