URGENT - Simple $_POST question

When submitting data from one page to another, should I use $_POST[fieldname] or just $fieldname to retrieve data?
Up to now I've been using $fieldname and its been working fine, but I'm a bit worried about the security aspects.
My register globals is enabled, are there any security concerns with this?

I read somewhere that using $_POST[fieldname] is a lot more secure than using $fieldname, any truth in this?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Guy Hengel [angelIII / a3]Billing EngineerCommented:
use $_POST, as $fieldname requires a server setting to be switched on, and you never know when the web admin will turn it of.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Guy Hengel [angelIII / a3]Billing EngineerCommented:
ps: it is also clearer when reading the code where the data comes from... will save you (or someone else) a lot of investigation time when read the code 2 weeks later...

yes, there are security issues with register_globals turned on, that's why it's recommended even if you have full control over the server, to turn them off, and use $_POST[$fieldname] instead.
Besided code readability, that's also better for clear namespace and variable scope.

register_globals turnes on can lead to "unexpected behaviour of PHP applications, which can lead to execution of remote PHP code in many situations".

Here is more info for this problem:


Learn SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

POSTing from an HTML form to PHP creates the dreaded message everyone hates -

"this page has POSTDATA which may not be refreshed... etc"  This is big user annoyance.

If POSTing from HTML to PHP, recommend you us GET function in stead.  Still correct URL encoding, almost same as POST, certainly same security -- but no annoying USER message.  Helps?
cmdownAuthor Commented:
Thanks for the help everyone. One last thing, is it simply ok for me to get the $_POST value and assign it to a variable just once, rather than having to use $_POST each time I need the field.


$fieldname = $_POST[fieldname] just once at the top of the php page

rather than having to use $_POST[fieldname] everytime I need to use  fieldname.(Hope that makes sense!)

I already have lots of pages, but I failed to use $_POST. Looks like I'll have to go back and change every single page.
it's perfectly ok to assign the $_POST value to a variable;

$fieldname = $_POST[fieldname];

You can even perform some additional checks at this point, depends from the value you have:
$fieldname = intval($_POST[fieldname]);
$fieldname = strval($_POST[fieldname]);

or set some default values:

$fieldname = (strval($_POST[fieldname])=="")?'default':strval($_POST[fieldname]);

hope that helps :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.