URGENT - Simple $_POST question

When submitting data from one page to another, should I use $_POST[fieldname] or just $fieldname to retrieve data?
Up to now I've been using $fieldname and it's been working fine, but I'm a bit worried about the security aspects.
My register globals is enabled, are there any security concerns with this?

I read somewhere that using $_POST[fieldname] is a lot more secure than using $fieldname, any truth in this?

 
cmdown Asked:
 
Guy Hengel [angelIII / a3], Billing Engineer, Commented:
Use $_POST, as $fieldname requires a server setting to be switched on, and you never know when the web admin will turn it off.
 
Guy Hengel [angelIII / a3], Billing Engineer, Commented:
PS: it is also clearer when reading the code where the data comes from... it will save you (or someone else) a lot of investigation time when reading the code 2 weeks later...
 
syrma Commented:

Yes, there are security issues with register_globals turned on; that's why it's recommended, even if you have full control over the server, to turn them off and use $_POST[$fieldname] instead.
Besides code readability, that's also better for a clear namespace and variable scope.

register_globals turned on can lead to "unexpected behaviour of PHP applications, which can lead to execution of remote PHP code in many situations".

Here is more info for this problem:

http://www.hardened-php.net/advisory_202005.79.html

cheers
 
scrathcyboy Commented:
POSTing from an HTML form to PHP creates the dreaded message everyone hates -

"this page has POSTDATA which may not be refreshed... etc"  This is a big user annoyance.

If POSTing from HTML to PHP, recommend you use the GET function instead.  Still correct URL encoding, almost same as POST, certainly same security -- but no annoying USER message.  Helps?
 
cmdown (Author) Commented:
Thanks for the help everyone. One last thing, is it simply ok for me to get the $_POST value and assign it to a variable just once, rather than having to use $_POST each time I need the field?

E.g.

$fieldname = $_POST[fieldname] just once at the top of the php page

rather than having to use $_POST[fieldname] every time I need to use fieldname. (Hope that makes sense!)

I already have lots of pages, but I failed to use $_POST. Looks like I'll have to go back and change every single page.
 
syrma Commented:
It's perfectly ok to assign the $_POST value to a variable;

$fieldname = $_POST['fieldname'];

You can even perform some additional checks at this point, depending on the value you have:
$fieldname = intval($_POST['fieldname']);   // force an integer
$fieldname = strval($_POST['fieldname']);   // force a string

or set some default values:

$fieldname = (strval($_POST['fieldname']) == "") ? 'default' : strval($_POST['fieldname']);

hope that helps :)
Question has a verified solution.
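
The register_globals risk syrma describes and the assign-once pattern from the last answer, shown side by side as an added example that is not part of the original thread. extract() stands in for register_globals (removed in PHP 5.4); check_login(), the field names and the sample request are hypothetical.

```php
<?php
// Constructed request body: the form only defines "username" and "age",
// but the client also sent an extra "authorized" field.
$request = ['username' => 'mallory', 'authorized' => '1', 'age' => '42abc'];

// Hypothetical credential check shared by both handlers; always fails here.
function check_login(string $user): bool
{
    return false;
}

// "Before": extract() imitates register_globals by turning every request
// field into a local variable of the same name.
function handler_with_globals(array $request): bool
{
    extract($request);               // $username, $authorized, $age appear
    if (check_login($username)) {
        $authorized = true;
    }
    // The script never initialised $authorized, so the value that arrived
    // in the request decides the outcome.
    return !empty($authorized);
}

// "After": read only the named fields, validate each one, and initialise
// every piece of state the script owns.
function handler_explicit(array $post): array
{
    $authorized = false;             // script-owned, never taken from input
    $username = isset($post['username']) && is_string($post['username'])
        ? $post['username'] : '';
    // filter_var() rejects "42abc", where intval() would silently yield 42.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($username !== '' && check_login($username)) {
        $authorized = true;
    }
    return ['authorized' => $authorized, 'age' => $age === false ? null : $age];
}

var_dump(handler_with_globals($request));
var_dump(handler_explicit($request));
```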
