  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 228
  • Last Modified:

URGENT - Simple $_POST question

When submitting data from one page to another, should I use $_POST[fieldname] or just $fieldname to retrieve data?
Up to now I've been using $fieldname and its been working fine, but I'm a bit worried about the security aspects.
My register globals is enabled, are there any security concerns with this?

I read somewhere that using $_POST[fieldname] is a lot more secure than using $fieldname, any truth in this?

 
0
cmdown
Asked:
cmdown
2 Solutions
 
Guy Hengel [angelIII / a3]Billing EngineerCommented:
use $_POST, as $fieldname requires a server setting to be switched on, and you never know when the web admin will turn it off.
0
 
Guy Hengel [angelIII / a3]Billing EngineerCommented:
PS: it is also clearer when reading the code where the data comes from... will save you (or someone else) a lot of investigation time when reading the code 2 weeks later...
0
 
syrmaCommented:

yes, there are security issues with register_globals turned on, that's why it's recommended even if you have full control over the server, to turn them off, and use $_POST[$fieldname] instead.
Besides code readability, that's also better for a clear namespace and variable scope.

register_globals turned on can lead to "unexpected behaviour of PHP applications, which can lead to execution of remote PHP code in many situations".

Here is more info for this problem:

http://www.hardened-php.net/advisory_202005.79.html

cheers
0
 
scrathcyboyCommented:
POSTing from an HTML form to PHP creates the dreaded message everyone hates -

"this page has POSTDATA which may not be refreshed... etc" This is a big user annoyance.

If POSTing from HTML to PHP, I recommend you use the GET function instead. Still correct URL encoding, almost the same as POST, certainly the same security -- but no annoying USER message. Helps?
0
 
cmdownAuthor Commented:
Thanks for the help everyone. One last thing, is it simply ok for me to get the $_POST value and assign it to a variable just once, rather than having to use $_POST each time I need the field?

E.g.

$fieldname = $_POST['fieldname']; just once at the top of the php page

rather than having to use $_POST['fieldname'] every time I need to use fieldname. (Hope that makes sense!)

I already have lots of pages, but I failed to use $_POST. Looks like I'll have to go back and change every single page.
0
 
syrmaCommented:
it's perfectly ok to assign the $_POST value to a variable;

$fieldname = $_POST['fieldname'];

You can even perform some additional checks at this point, depending on the value you have:
$fieldname = intval($_POST['fieldname']);
$fieldname = strval($_POST['fieldname']);

or set some default values:

$fieldname = (strval($_POST['fieldname']) == "") ? 'default' : strval($_POST['fieldname']);

hope that helps :)
0
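To illustrate both points made in this thread, the risk syrma describes with register_globals and the "copy $_POST into a variable once, with a check or default" pattern from the last answer, here is an added example (not code from the thread). The field names "username" and "quantity" and the function names post_field() and show_admin_panel() are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes a form that posts
// two hypothetical fields, "username" and "quantity".

// Risky pattern (register_globals = On): $is_admin is never initialised, so
// PHP would create it from any request parameter named is_admin, and the
// check below could then be satisfied by the client rather than by the
// script. This is the "unexpected behaviour" the advisory refers to.
//
//   if ($is_admin) { show_admin_panel(); }   // hypothetical
//
// Hardened pattern: initialise every variable yourself and read input only
// from the superglobals, so the source of each value is explicit.
$is_admin = false;                       // set by the script, never by the request

// Read one field from $_POST, falling back to a default when it is absent.
function post_field(string $name, string $default = ''): string
{
    // isset() covers both "field not submitted" and "field is null".
    return isset($_POST[$name]) ? (string) $_POST[$name] : $default;
}

// Copy the values once at the top of the page, as the asker wants to do,
// and apply a type check or default at the same time.
$username = post_field('username', 'anonymous');
$quantity = intval(post_field('quantity', '1'));   // non-numeric input becomes 0

// Validate before use and reject anything the page does not expect.
if ($quantity < 1 || $quantity > 100) {
    $quantity = 1;
}
if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
    $username = 'anonymous';
}

// From here on the page uses $username and $quantity only, and it is clear
// where each value came from. Escape on output as well.
echo 'Hello ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
   . ', quantity ' . $quantity . "\n";
```

The same explicit-initialisation habit protects the code regardless of the server setting, which matters because register_globals cannot be relied on either way (it was deprecated in PHP 5.3 and removed entirely in PHP 5.4).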
