Solved

Using  $_POST like a regular variable

Posted on 2014-09-24
4
262 Views
Last Modified: 2014-09-24
If I use $_POST variables like  regular variables (see below), does this create a problem?

1. Performance problem?
2. Security problem?
$_POST['filter'.$z]="CF".$z.".FIELDID=".$_POST['filter'.$z];

Open in new window

0
Comment
Question by:myyis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 300 total points
ID: 40341365
$_POST is a regular variable.  It contains external data, which is by definition tainted, therefore you want to study and understand the PHP security implications.  There are no performance implications at all.

References:
http://php.net/manual/en/language.variables.superglobals.php
http://php.net/manual/en/reserved.variables.post.php
http://php.net/manual/en/language.variables.external.php
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40341676
But that said, now that I look at your code sample, you might want to consider a design change.  Instead of re-using the $_POST array for this, consider using an array with a different name, such as $safe_post.  I believe this will lead to less confusion about the contents of your variables.
0
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 200 total points
ID: 40341763
On all my many PHP form processing pages, I Never use the $_POST variables directly except for checking them and assigning them to 'regular' variables.  If you use $_POST directly, when things like checkboxes do not have values if they are not checked, you get an "undefined index" error.  All my $_POST data gets at least this processing to eliminate the "undefined index" error.
if (!isset($_POST['fname'])){$fname = "";} else {$fname = $_POST['fname'];}

Open in new window

0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40341834
yup. $_POST is unfiltered user input, and can contain ANYTHING - best not to trust, but sanitize appropriately before use :)
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question