  1. #1
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    $_POST['data'] or $_POST["data"]? What is the best syntax?

    Hi

    I have noticed two ways of writing the following code:

    $_POST['data'] or $_POST["data"]?

    What is the difference? Which one is the best?

    Thanks a lot for your advice, your help and your patience with me.

  2. #2
    SitePoint Enthusiast Zero G's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    63
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The only difference is that if magic_quotes are on, PHP will evaluate the content of the string in the second one and replace any variables in it.

    I prefer to use

    $_POST['data'];

  3. #3
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks for the reply, Zero G.

    What exactly do you call magic_quotes? What would you use them for in a real-life example?


  4. #4
    SitePoint Zealot scriptfactory's Avatar
    Join Date
    Oct 2003
    Location
    Kaiserslautern, Germany
    Posts
    136
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    "magic quotes" are an option in PHP to automatically add slashes to all of the quotes, backslashes and NULs in $_GET, $_COOKIE, and $_POST data. This option is set in your php.ini, .htaccess, etc. files.

    Example: You can't enter a string like "Oh', Mr. O'reilly!" into the database unless you run addslashes() on it or htmlentities(). I prefer htmlentities because I work with a lot of forms that need to input HTML into my database and addslashes doesn't work all that well for HTML.

  5. #5
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I see... thanks for the reply.

    So let's consider the following code:
    PHP Code:
    $titlepost = $_POST["title"];
    $textpost  = $_POST["text"];

    $sql = @mysql_query("INSERT INTO links (title, text) VALUES ('$titlepost', '$textpost')");
    echo mysql_error();
    and let's say that my $titlepost and $textpost vars have values such as

    $titlepost: 'Hi' bob's here.
    $textpost: 'join'

    Might a problem occur with this code as it is now?


  6. #6
    ********* Member website's Avatar
    Join Date
    Oct 2002
    Location
    Iceland
    Posts
    1,238
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    yes.
    addslashes() should work to escape anything. I wouldn't use htmlentities because I don't know if I am printing the data to a web page or perhaps sending it in a plain-text email; then HTML entities would make the email unreadable. I tend to avoid modifying the user input until I actually print it out. That way I have it in the database exactly as the user wanted it, and I can then parse it before anyone sees it, as I want...
    - website

  7. #7
    Non-Member
    Join Date
    Jan 2004
    Location
    Planet Earth
    Posts
    1,764
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I would very rarely use double quotes, since it's a lot slower for PHP to parse.

    Stick to single quotes whenever you can, IMO.

  8. #8
    SitePoint Evangelist
    Join Date
    Feb 2004
    Location
    Sofia, Bulgaria
    Posts
    421
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Totally agree with Widow Maker. Always use single quotes when you don't have variables in the string or single quotes that are part of the string. PHP parses everything that is in double quotes and it's slower, as Widow Maker mentioned. I use double quotes only for SQL queries and strings that contain single quotes; for all other cases I prefer single quotes.

  9. #9
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Zero G
    The only difference is that if magic_quotes are on, PHP will evaluate the content of the string in the second one and replace any variables in it.
    That's not true. The magic_quotes_gpc directive has no bearing on PHP's string interpolation features. Read up:
    Quote Originally Posted by http://us3.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc
    When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.

  10. #10
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    OK, so if I want to record a text containing single quotes, I should use the magic quotes, right?

    The weird thing is: I have already recorded such texts and I have had no problem doing it. Where would the problem come from, then?


  11. #11
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by duuudie
    Ok so if I want to record a text containing single quotes, I should use the magic quotes right?
    No, my point was that "magic quotes" aren't something you do or use. magic_quotes_gpc is just a directive (a setting) in the php.ini file. You can, however, include single quotes unescaped inside double quotes, if that's what you're asking.

  12. #12
    SitePoint Member
    Join Date
    Apr 2004
    Location
    USA
    Posts
    14
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Also keep in mind that if you're embedding it within another quote, you might have string problems. In general I use $_POST['field'] as I default to single quotes unless I need double quotes.

  13. #13
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    OK, but if there is a problem, something will notify me of the problem, right?

    So my above example is bad practice, right?


  14. #14
    Non-Member
    Join Date
    Jan 2004
    Location
    Planet Earth
    Posts
    1,764
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    This is how I do it, and it works every time. Probably the best method of building a query string without using escape characters as well.

    PHP Code:
    ...
    $sql = @mysql_query("INSERT INTO links (title, text) VALUES ('" . $titlepost . "', '" . $textpost . "')");
    ...
    Enjoy

  15. #15
    SitePoint Zealot
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    140
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Widow Maker: personally, I use sprintf(). IMO, it's much cleaner.

    PHP Code:
    /* sample code, whitespace removed */
    $query = sprintf("INSERT INTO links(title, text) VALUES('%s', '%s')", $titlepost, $textpost);

  16. #16
    SitePoint Guru
    Join Date
    Feb 2004
    Location
    Oregon
    Posts
    686
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Widow Maker
    Would very rarely use double quotes since it's a lot slower for PHP to parse

    Stick to single quotes when ever you can IMO
    Bah, not anymore. There is not a big difference between the two. Unless you like counting nanoseconds, then go for it; personally I don't worry about it. The only difference is the variables in single quotes. Other than that they are the same.

    Don't rely on the server to add that quote.
    PHP Code:
    $titlepost = addslashes($_POST["title"]);
    $textpost  = addslashes($_POST["text"]);

    $sql = @mysql_query("INSERT INTO links (title, text) VALUES ('$titlepost', '$textpost')");
    echo mysql_error();
    It is always safer to addslashes any form input, just in case somebody finds the form and decides to use some SQL injection.
    success is not by chance, it is by choice.

  17. #17
    Ceci n'est pas Zoef Zoef's Avatar
    Join Date
    Nov 2002
    Location
    Malta
    Posts
    1,111
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    BAD BAD BAD!
    Quote Originally Posted by Sahajin
    PHP Code:
    $titlepost = addslashes($_POST["title"]);
    $textpost  = addslashes($_POST["text"]);

    $sql = @mysql_query("INSERT INTO links (title, text) VALUES ('$titlepost', '$textpost')");
    echo mysql_error();
    It is always safer to addslashes any form input, just in case somebody finds the form and decides to use some SQL injection.
    Only addslashes when you know magic_quotes_gpc is off.

    More info:
    http://www.sitepoint.com/forums/showthread.php?t=54074 (required reading)

    Rik
    English tea - Italian coffee - Maltese wine - Belgian beer - French Cognac
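
    The three ways of assembling the INSERT statement shown in posts #5, #14 and #15, and the addslashes() argument of posts #16 and #17, worked through as one added PHP example. This is not code from the thread or from any poster; it uses duuudie's sample values from post #5 as constructed input, and the builder names and the small literal scanner extractLiterals() are my own, deliberately simplified to backslash escapes only (the form addslashes() produces).

```php
<?php
// Added example (not code from the thread). Sample values are the ones
// duuudie gave in post #5; they are constructed input, not real form data.

// The three ways the thread builds the INSERT statement.
function buildByInterpolation($title, $text) {
    return "INSERT INTO links (title, text) VALUES ('$title', '$text')";
}
function buildByConcatenation($title, $text) {
    return "INSERT INTO links (title, text) VALUES ('" . $title . "', '" . $text . "')";
}
function buildBySprintf($title, $text) {
    return sprintf("INSERT INTO links (title, text) VALUES ('%s', '%s')", $title, $text);
}

// Simplified SQL literal scanner: returns the contents of every single-quoted
// literal, honouring backslash escapes (what addslashes() produces).
// An unterminated literal at the end of the statement is dropped.
function extractLiterals($sql) {
    $literals = array();
    $current  = null;                 // null while outside a literal
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($current === null) {
            if ($c === "'") { $current = ''; }
            continue;
        }
        if ($c === '\\' && $i + 1 < $len) {
            $current .= $sql[++$i];   // escaped character, taken literally
        } elseif ($c === "'") {
            $literals[] = $current;   // closing quote
            $current = null;
        } else {
            $current .= $c;
        }
    }
    return $literals;
}

// Does the database see exactly the two values the user typed, after the
// values have been passed through addslashes() $escapeTimes times?
function storesIntact($builder, $title, $text, $escapeTimes) {
    $t = $title;
    $x = $text;
    for ($n = 0; $n < $escapeTimes; $n++) {
        $t = addslashes($t);
        $x = addslashes($x);
    }
    return extractLiterals($builder($t, $x)) === array($title, $text);
}

$title = "'Hi' bob's here.";
$text  = "'join'";

// All three builders produce byte-for-byte the same SQL ...
$same = buildByInterpolation($title, $text) === buildByConcatenation($title, $text)
     && buildByInterpolation($title, $text) === buildBySprintf($title, $text);
echo "builders agree: ", ($same ? 'yes' : 'no'), "\n";

// ... so the only thing that matters is how many times the value was escaped:
// 0 = raw (post #5), 1 = addslashes() with magic_quotes_gpc off (post #16),
// 2 = addslashes() on top of magic_quotes_gpc (the case post #17 warns about).
foreach (array('buildByInterpolation', 'buildByConcatenation', 'buildBySprintf') as $b) {
    foreach (array(0, 1, 2) as $n) {
        printf("%-22s escaped %d time(s): %s\n", $b, $n,
               storesIntact($b, $title, $text, $n) ? 'intact' : 'BROKEN');
    }
}
```

    Run it with the php command-line binary. What it adds to the thread is that interpolation, concatenation and sprintf() are three spellings of the same string: none of them changes what the database parser receives, so the choice between them is about PHP-level readability, not SQL safety. Escaping exactly once keeps both values intact; escaping zero times breaks the statement, and escaping twice (addslashes() on input that magic_quotes_gpc already slashed) stores stray backslashes.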

  18. #18
    SitePoint Guru
    Join Date
    Feb 2004
    Location
    Oregon
    Posts
    686
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Bah, I have been using it for years with no side effects, even if magic_quotes is on. That is what stripslashes is for, if you need to output the results. And yes, I have read that.
    success is not by chance, it is by choice.

  19. #19
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks for the link, Rik, bookmarked.

    I guess it will take me some time to get used to it all and to fully understand some security issues.

    More advice and explanations are still more than welcome.

  20. #20
    Non-Member
    Join Date
    Jan 2004
    Location
    Planet Earth
    Posts
    1,764
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Sahajin
    I have been using it for years with no side effects.
    What?? addslashes() without checking your ini settings? What a prat.

  21. #21
    SitePoint Guru
    Join Date
    Feb 2004
    Location
    Oregon
    Posts
    686
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, I check my settings; magic quotes are on and still no side effects.

    And you will find that a LOT of prewritten programs use addslashes without checking for magic_quotes. Don't get me wrong, that article is a good thing to adhere to, but I haven't had any problems and many people do it.
    success is not by chance, it is by choice.

  22. #22
    ********* Member website's Avatar
    Join Date
    Oct 2002
    Location
    Iceland
    Posts
    1,238
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I just had to reply to this...

    It really is bad to assume magic_quotes to be on. Better is to assume it off, and the best would of course be to check if it is on and then take the necessary measures.
    Imagine the following examples:
    1. A site is programmed assuming magic_quotes is on, and it is not. If a user inputs e.g. a single quote in a query, that could result in a PHP error.
    2. A site is programmed assuming magic_quotes is off and uses addslashes on all input. If a user inputs a string with a single quote, a backslash will be placed before it and therefore the user input will not be as desired.

    On top of that, a general rule is to store all user input as it is in the database. Doing stripslashes afterwards is really bad practice.

    Hope I've convinced someone...
    - website

  23. #23
    Ceci n'est pas Zoef Zoef's Avatar
    Join Date
    Nov 2002
    Location
    Malta
    Posts
    1,111
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Sahajin
    yes I check my settings, magic quotes are on and still no side effects.
    Poor analogy, but here it goes... You can leave your front door open for years on end and not be burgled... but do you?
    Quote Originally Posted by Sahajin
    and you will find in a LOT of prewritten programs use addslashes without checking for magic_quotes.
    The amount of really lousy code out there is indeed astounding. Even with so-called 'professional' software. We are talking security and best practice here, not "what just works".

    It all comes down to knowing what you are doing. If you leave magic_quotes_gpc on, then realise that (back)slashes will be added to every GET, POST and COOKIE variable. If you are echoing one of these variables back to the screen (that in itself also has its risks btw, but that's another story), the slashes will also be echoed. And if you have data coming from another source (like another db table) you'll still have to use addslashes, mysql_escape_string or similar.

    Using stripslashes is generally a bad idea. What if your data contains '\', '\\', or '\\\'. What will happen if you first let magic_quotes_gpc add some slashes and then you strip them? How many slashes will be stripped? I don't even want to think about it!

    This is what I do:

    Simple, effective, and I know what I'm doing.

    Further reading on security and Php: http://www.sklar.com/page/article/owasp-top-ten

    Rik
    English tea - Italian coffee - Maltese wine - Belgian beer - French Cognac

  24. #24
    SitePoint Guru
    Join Date
    Feb 2004
    Location
    Oregon
    Posts
    686
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    OK, so what if magic_quotes are on, then you echo text from a database that has a \'. What takes that slash away if you echo it to the screen?
    success is not by chance, it is by choice.

  25. #25
    ********* Member website's Avatar
    Join Date
    Oct 2002
    Location
    Iceland
    Posts
    1,238
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If you echo something from a database it prints out exactly as it is in the database (except if there is some HTML in it)....
    What really is important is to get the data into the database exactly as the user placed it into the form.
    I mean, what if you wrote an actual program that contacts the database and gets the data? Then you wouldn't want to need to use some kind of stripslashes() function in that programming language...

    After all, this isn't very complicated. As Zoef said, turn magic_quotes off, use mysql_escape_string (or addslashes()) on everything that goes into the database, and then you are pretty safe...
    - website
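
    The practice posts #22, #23 and #25 converge on (find out whether magic_quotes_gpc has already altered the input and undo only that, store the raw text, escape at the database boundary, and escape for the output medium only when printing), as one added PHP example. It is not code from the thread or from any poster. It goes beyond the thread in one respect: instead of addslashes() or mysql_escape_string() it uses a PDO prepared statement, and it uses SQLite in memory in place of MySQL so that it runs offline (it assumes the pdo_sqlite extension is present, which it is in most PHP builds). The $_POST values are constructed input, and the function names are my own.

```php
<?php
// Added example, not code from the thread. Constructed $_POST values; the
// table layout (links: id, title, text) follows the thread's queries.

// 1. Get the value the user actually typed. If this PHP build still has
//    magic_quotes_gpc and it is on, PHP already added slashes; undo exactly
//    that and nothing else. (The function was removed in PHP 8.)
function rawInput($value) {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. Store the raw value. A prepared statement hands the values to the
//    driver separately from the SQL text, so no escaping is built by hand
//    and a quote in the input cannot change the statement.
function storeLink(PDO $db, $title, $text) {
    $stmt = $db->prepare('INSERT INTO links (title, text) VALUES (:title, :text)');
    $stmt->execute(array(':title' => $title, ':text' => $text));
    return (int) $db->lastInsertId();
}

function fetchLink(PDO $db, $id) {
    $stmt = $db->prepare('SELECT title, text FROM links WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// 3. Escape for the output medium only at output time (post #6's point):
//    entities for an HTML page, nothing at all for a plain-text e-mail.
function forHtml($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');     // stands in for MySQL so this runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, title TEXT, text TEXT)');

$_POST = array('title' => "'Hi' bob's here.", 'text' => "'join'");   // constructed input

$id  = storeLink($db, rawInput($_POST['title']), rawInput($_POST['text']));
$row = fetchLink($db, $id);

// The database holds exactly what was typed: no slashes added, none stripped.
echo 'stored unchanged: ', ($row['title'] === "'Hi' bob's here." ? 'yes' : 'no'), "\n";
echo 'for an HTML page: ', forHtml($row['title']), "\n";
echo 'for plain text:   ', $row['text'], "\n";
```

    The mysql_* functions used throughout the thread were removed together with the mysql extension in PHP 7, so the escaping the thread discusses corresponds today to mysqli_real_escape_string() or, better, to the placeholders above. The detection step in rawInput() is what post #22 calls "check if it is on and then take necessary measures": it means the code behaves the same whether the server's php.ini has magic_quotes_gpc on or off, which is the whole point of the argument between posts #17 and #21.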

