URGENT - Simple $_POST question

Posted on 2006-03-28
Last Modified: 2008-02-26
When submitting data from one page to another, should I use $_POST[fieldname] or just $fieldname to retrieve data?
Up to now I've been using $fieldname and it's been working fine, but I'm a bit worried about the security aspects.
My register globals is enabled, are there any security concerns with this?

I read somewhere that using $_POST[fieldname] is a lot more secure than using $fieldname, any truth in this?

Question by:cmdown

    Accepted Solution

    use $_POST, as $fieldname requires a server setting to be switched on, and you never know when the web admin will turn it off.

    Expert Comment

    by:Guy Hengel [angelIII / a3]
    ps: it is also clearer when reading the code where the data comes from... will save you (or someone else) a lot of investigation time when reading the code 2 weeks later...

    Expert Comment


    yes, there are security issues with register_globals turned on, that's why it's recommended even if you have full control over the server, to turn them off, and use $_POST[$fieldname] instead.
    Besides code readability, that's also better for clear namespace and variable scope.

    register_globals turned on can lead to "unexpected behaviour of PHP applications, which can lead to execution of remote PHP code in many situations".

    Here is more info for this problem:


    Expert Comment

    POSTing from an HTML form to PHP creates the dreaded message everyone hates -

    "this page has POSTDATA which may not be refreshed... etc"  This is a big user annoyance.

    If POSTing from HTML to PHP, recommend you use GET function instead.  Still correct URL encoding, almost same as POST, certainly same security -- but no annoying USER message.  Helps?

    Author Comment

    Thanks for the help everyone. One last thing, is it simply ok for me to get the $_POST value and assign it to a variable just once, rather than having to use $_POST each time I need the field?


    $fieldname = $_POST[fieldname] just once at the top of the php page

    rather than having to use $_POST[fieldname] every time I need to use fieldname. (Hope that makes sense!)

    I already have lots of pages, but I failed to use $_POST. Looks like I'll have to go back and change every single page.

    Assisted Solution

    it's perfectly ok to assign the $_POST value to a variable;

    $fieldname = $_POST['fieldname'];

    You can even perform some additional checks at this point, depending on the value you have:
    $fieldname = intval($_POST['fieldname']);
    $fieldname = strval($_POST['fieldname']);

    or set some default values:

    $fieldname = (strval($_POST['fieldname'])=="")?'default':strval($_POST['fieldname']);

    hope that helps :)
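
Added example, not part of the original thread: the register_globals concern and the "assign once at the top" advice discussed above, side by side. Since register_globals was removed in PHP 5.4, `extract()` stands in for it here; `check_password()`, `legacy_page()`, `explicit_page()` and the sample request are constructed for illustration.

```php
<?php
// Constructed sample request: the expected form field plus one field the
// page author never put in the form.
$request = ['username' => 'alice', 'authorized' => '1'];

// Hypothetical credential check; it always fails in this example, so no
// request should end up authorized.
function check_password(string $user): bool
{
    return false;
}

// "Before": with register_globals on, every request field became a variable
// in the script's scope. extract() reproduces that behaviour here.
function legacy_page(array $request): bool
{
    extract($request);                 // stands in for register_globals = On
    if (check_password($username)) {
        $authorized = true;
    }
    // $authorized was never initialised by the script, so a request field
    // with the same name supplies its value.
    return !empty($authorized);
}

// "After": read each expected field from the request array once, validate
// it, and initialise every variable the script relies on.
function explicit_page(array $post): bool
{
    $username = (isset($post['username']) && is_string($post['username']))
        ? trim($post['username'])
        : '';
    $authorized = false;               // script-owned state, never from input
    if ($username !== '' && check_password($username)) {
        $authorized = true;
    }
    return $authorized;
}

var_dump(legacy_page($request));
var_dump(explicit_page($request));
```

In a real page, `$_POST` is passed where `$request` appears; the unexpected `authorized` field is ignored by `explicit_page()` because only named keys are read.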
