  1. #1
    Non-Member
    Join Date
    Aug 2012
    Posts
    4
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    why use $_POST['something'] ? while we can use $something ??

    I'm a beginner in php.
    I noticed that a lot of codes (actually all of them)
    use
    $_POST['something']
    to get something from the $_POST array
    while I simply use this method
    $something
    I know it's minor stuff and doesn't actually matter..
    but it keeps confusing me whether I should use this or that.. and sometimes (when I'm really confused) I use them both!!
    so I just want to know the proper way of this.. and why?

  2. #2
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,122
    Mentioned
    152 Post(s)
    Tagged
    0 Thread(s)
    $_POST['something'] is the preferred way (same with using $_GET or $_REQUEST)
    $something will only work if register_globals is enabled/turned on and on most environments, this is turned off because it is unsafe.

    Register Globals is actually removed from PHP 5.4.0 so your method will no longer work on that version

  3. #3
    Non-Member
    Join Date
    Sep 2012
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Anna.K View Post
    I'm a beginner in php.
    I noticed that a lot of codes (actually all of them)
    use
    $_POST['something']
    to get something from the $_POST array
    while I simply use this method
    $something
    I know it's minor stuff and doesn't actually matter..
    but it keeps confusing me whether I should use this or that.. and sometimes (when I'm really confused) I use them both!!
    so I just want to know the proper way of this.. and why?
    If register_globals is turned off then $something will not work. But I don't use $_POST['something'] or $_GET['something'], because it requires a little bit more thinking whether you are posting it or requesting it and a bit more typing effort and hence a waste of time.

    I simply write at the top of the php code the following:

    foreach($_GET AS $key => $value) {
    ${$key} = $value;
    }
    foreach($_POST AS $key => $value) {
    ${$key} = $value;
    }


    That fixes the register_globals issue and then you can use $something without any issue, whether register_globals is turned on or off and on all PHP versions.

  4. #4
    Non-Member
    Join Date
    Oct 2007
    Posts
    363
    Mentioned
    11 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by nextpr View Post
    If register_globals is turned off then $something will not work. But I don't use $_POST['something'] or $_GET['something'], because it requires a little bit more thinking whether you are posting it or requesting it and a bit more typing effort and hence a waste of time.

    I simply write at the top of the php code the following:

    foreach($_GET AS $key => $value) {
    ${$key} = $value;
    }
    foreach($_POST AS $key => $value) {
    ${$key} = $value;
    }


    That fixes the register_globals issue and then you can use $something without any issue, whether register_globals is turned on or off and on all PHP versions.
    This doesn't "fix" the issue - it brings back the register globals security problems once again. This is an awful idea and you should stop doing it at all costs.

    It is a GOOD practice to explicitly call the $_POST[''] variables you wish to use as it means you maintain strict control over the data flowing into and out of your application. You are doing it wrong.

  5. #5
    PHP Guru lampcms.com's Avatar
    Join Date
    Jan 2009
    Posts
    921
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by nextpr View Post
    If register_globals is turned off then $something will not work. But I don't use $_POST['something'] or $_GET['something'], because it requires a little bit more thinking whether you are posting it or requesting it and a bit more typing effort and hence a waste of time.

    I simply write at the top of the php code the following:

    foreach($_GET AS $key => $value) {
    ${$key} = $value;
    }
    foreach($_POST AS $key => $value) {
    ${$key} = $value;
    }


    That fixes the register_globals issue and then you can use $something without any issue, whether register_globals is turned on or off and on all PHP versions.

    Nice one!
    What if someone sends a request like yoursite.php?_SESSION=blah
    What do you think will happen to your $_SESSION after you run your "fixing global variables" code?
    My project: Open source Q&A
    (similar to StackOverflow)
    powered by php+MongoDB
    Source on github, collaborators welcome!

  6. #6
    Non-Member
    Join Date
    Oct 2007
    Posts
    363
    Mentioned
    11 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by lampcms.com View Post
    Nice one!
    What if someone sends a request like yoursite.php?_SESSION=blah
    What do you think will happen to your $_SESSION after you run your "fixing global variables" code?
    Exactly... This is just asking for trouble. Register globals was removed for a very good reason.

    It also makes your code almost impossible to debug. I had to debug some code that was written using register globals a while back, and it was a total nightmare. In the middle of a (few thousand line btw) script, I'd have variables appearing literally from nowhere. How am I supposed to know what $exisLS or something with an equally obscure name is? How should I know where it comes from if register globals is turned on? It could be coming from some random page somewhere that has an ?exisLS=asdadad link on the get request, or it could be coming from some other script, or perhaps initialised some way on the page itself in some obscure piece of code I've not found... Horrible, insecure, awful stuff.

    Don't do it. Just don't be lazy and get used to explicitly calling the $_POST[] and $_GET[] variables. It's for the best in the long run.

  7. #7
    SitePoint Guru bronze trophy
    Join Date
    Dec 2003
    Location
    Poland
    Posts
    930
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    Very good advice from other members here, I can add that I would advise you to turn off register_globals in php.ini on your development php installation (and on production also if possible) so that you will NOT be able to use $something instead of $_POST['something'] - this will make you code in the proper way from the start.

    What nextpr suggests can also be achieved with the extract() function, which will extract all array values to local variables - don't do it and don't use it unless you have a very good reason to, which is very rare in practice. And this not only applies to $_POST and $_GET but also to other arrays you may be using. If you have an array with data don't extract all the values to access them by direct variables - access them through the original array. For example, instead of:
    PHP Code:
    // fetch a row of data from database into array
    $row = mysqli_fetch_assoc($result);
    extract($row);

    // unit_price and quantity are fields fetched from db
    $ext_price = $unit_price * $quantity;
    do this, which is much more descriptive:
    PHP Code:
    // fetch a row of data from database into array
    $product = mysqli_fetch_assoc($result);

    // unit_price and quantity are fields fetched from db
    $ext_price = $product['unit_price'] * $product['quantity'];
    I was also guilty of using the former method in all of my code a few years ago and trying to understand what's going on more than a week later is a nightmare. The few seconds you will lose now on typing a few more characters will save you headaches when you look at your code a few months later.

  8. #8
    Non-Member
    Join Date
    Aug 2012
    Posts
    4
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    That's what I love about this discussion board.. really experts..
    Thanks guys.. I'll keep this in mind

  9. #9
    Non-Member
    Join Date
    Sep 2012
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have been doing this for years in all my php codes.

  10. #10
    From Italy with love silver trophybronze trophy
    guido2004's Avatar
    Join Date
    Sep 2004
    Posts
    9,496
    Mentioned
    163 Post(s)
    Tagged
    4 Thread(s)
    Quote Originally Posted by nextpr View Post
    I have been doing this for years in all my php codes.
    It's never too late to learn and improve the way you code

  11. #11
    Keeper of the SFL StarLion's Avatar
    Join Date
    Feb 2006
    Location
    Atlanta, GA, USA
    Posts
    3,748
    Mentioned
    71 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by lampcms.com View Post
    Nice one!
    What if someone sends a request like yoursite.php?_SESSION=blah
    What do you think will happen to your $_SESSION after you run your "fixing global variables" code?
    index.php?login=1;DROP%20TABLE%20users;

    I'm sorry, what table?
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

  12. #12
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,810
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    The content of $_POST, $_GET etc are what are known as tainted data - you don't know if the fields contain usable data until you validate them. Validating them means that you both avoid security issues and also avoid filling your database with junk.

    When register globals was allowed to be turned on then all the data in your script would be tainted data as you'd have no way to tell if someone passed in a value for a field that the script used that wasn't intended to be passed in. You validate for only accepting expected fields by turning off register globals - PHP 4.2 provided a partial fix for this by defaulting to off rather than defaulting to on and the latest version has plugged this massive security hole completely by doing away with register globals completely.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
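
An added example, not part of any post in this thread: the loop from post #3 next to the explicit, validated access recommended in posts #4 and #12. The request data, the `is_admin` flag, and the function names `import_all` and `read_fields` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed request data standing in for $_POST (not from the thread).
$request = [
    'quantity' => '3',
    'email'    => 'anna@example.com',
    'is_admin' => '1',   // a field the form never offered
];

// The loop from post #3, placed in a function so its effect can be returned:
// every request key becomes a variable, including names the script relies on.
function import_all(array $input): array
{
    $is_admin = false;                  // hypothetical flag set by the script
    foreach ($input as $key => $value) {
        ${$key} = $value;               // key 'is_admin' replaces the flag
    }
    return ['is_admin' => $is_admin];
}

// Explicit alternative: name each expected field and validate it.
// Keys that are not in $spec never reach the result.
function read_fields(array $input, array $spec): array
{
    $clean = filter_var_array($input, $spec, true);
    foreach ($clean as $name => $value) {
        if ($value === null || $value === false) {
            throw new InvalidArgumentException("missing or invalid field: $name");
        }
    }
    return $clean;
}

$spec = [
    'quantity' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 1, 'max_range' => 100],
    ],
    'email' => FILTER_VALIDATE_EMAIL,
];

var_dump(import_all($request));         // flag now holds the request's value
var_dump(read_fields($request, $spec)); // only quantity and email, typed
```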

  13. #13
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2006
    Location
    Augusta, Georgia, United States
    Posts
    4,147
    Mentioned
    16 Post(s)
    Tagged
    3 Thread(s)
    Quote Originally Posted by nextpr
    If register_globals is turned off then $something will not work. But I don't use $_POST['something'] or $_GET['something'], because it requires a little bit more thinking whether you are posting it or requesting it and a bit more typing effort and hence a waste of time.

    I simply write at the top of the php code the following:

    foreach($_GET AS $key => $value) {
    ${$key} = $value;
    }
    foreach($_POST AS $key => $value) {
    ${$key} = $value;
    }


    That fixes the register_globals issue and then you can use $something without any issue, whether register_globals is turned on or off and on all PHP versions.
    That is the register global problem – just wow.

    Quote Originally Posted by nextpr
    I have been doing this for years in all my php codes.
    The fact that you are standing by it is even more astonishing… #smh

    What sites have you created? – we would be happy to demonstrate first hand the security implications.
    The only code I hate more than my own is everyone else's.

