We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x

URGENT - Simple $_POST question

cmdown
cmdown asked
on
Medium Priority
259 Views
Last Modified: 2008-02-26
When submitting data from one page to another, should I use $_POST[fieldname] or just $fieldname to retrieve data?
Up to now I've been using $fieldname and its been working fine, but I'm a bit worried about the security aspects.
My register globals is enabled, are there any security concerns with this?

I read somewhere that using $_POST[fieldname] is a lot more secure than using $fieldname, any truth in this?

 
Comment
Watch Question

Billing Engineer
CERTIFIED EXPERT
Most Valuable Expert 2014
Top Expert 2009
Commented:
use $_POST, as $fieldname requires a server setting to be switched on, and you never know when the web admin will turn it of.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Guy Hengel [angelIII / a3]Billing Engineer
CERTIFIED EXPERT
Most Valuable Expert 2014
Top Expert 2009

Commented:
ps: it is also clearer when reading the code where the data comes from... will save you (or someone else) a lot of investigation time when read the code 2 weeks later...

Commented:

yes, there are security issues with register_globals turned on, that's why it's recommended even if you have full control over the server, to turn them off, and use $_POST[$fieldname] instead.
Besided code readability, that's also better for clear namespace and variable scope.

register_globals turnes on can lead to "unexpected behaviour of PHP applications, which can lead to execution of remote PHP code in many situations".

Here is more info for this problem:

http://www.hardened-php.net/advisory_202005.79.html

cheers
POSTing from an HTML form to PHP creates the dreaded message everyone hates -

"this page has POSTDATA which may not be refreshed... etc"  This is big user annoyance.

If POSTing from HTML to PHP, recommend you us GET function in stead.  Still correct URL encoding, almost same as POST, certainly same security -- but no annoying USER message.  Helps?

Author

Commented:
Thanks for the help everyone. One last thing, is it simply ok for me to get the $_POST value and assign it to a variable just once, rather than having to use $_POST each time I need the field.

E.g.

$fieldname = $_POST[fieldname] just once at the top of the php page

rather than having to use $_POST[fieldname] everytime I need to use  fieldname.(Hope that makes sense!)

I already have lots of pages, but I failed to use $_POST. Looks like I'll have to go back and change every single page.
Commented:
it's perfectly ok to assign the $_POST value to a variable;

$fieldname = $_POST[fieldname];

You can even perform some additional checks at this point, depends from the value you have:
$fieldname = intval($_POST[fieldname]);
$fieldname = strval($_POST[fieldname]);

or set some default values:

$fieldname = (strval($_POST[fieldname])=="")?'default':strval($_POST[fieldname]);

hope that helps :)
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.