From: Slack-Moehrle on 22 Feb 2010 15:39

Hi All,

I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST.

When would I choose one over the other?

Also, I see examples of these being used with and without the single quotes.

Like:

$_POST[j_orderValue]
or
$_POST['j_orderValue']

Single quotes are best, correct, to prevent SQL injection?

-ML
From: Richard on 22 Feb 2010 15:51

Hi,

> I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST.
>
> When would I choose one over the other?

It's a wise choice to go with $_POST, unless your form is a GET form, in which case use $_GET. $_REQUEST has the potential to open your script(s) up to security issues.

> ...

Use quoted strings - either single or double quotes. Eg:

$myArray['myKey']
$myArray["myKey"]

--
Richard Heyes
HTML5 canvas graphing: RGraph - http://www.rgraph.net (updated 20th February)
Lots of PHP and Javascript code - http://www.phpguru.org
From: shiplu on 22 Feb 2010 15:54

On Tue, Feb 23, 2010 at 2:39 AM, Slack-Moehrle <mailinglists(a)mailnewsrss.com> wrote:
> Hi All,
>
> I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST.
>
> When would I choose one over the other?
>
> Also, I see examples of these being used with and without the single quotes
>
> Like:
>
> $_POST[j_orderValue]
> or
> $_POST['j_orderValue']
>
> Single quotes is best, correct to prevent sql injection?

You must use quotes, either single or double. It won't affect SQL injection. Sanitize your data before using it in any SQL.

$_REQUEST['var'] means a variable var was passed in the HTTP request. $_POST['var'] means a POST variable var was passed in the HTTP request. A GET or cookie variable var2 will set $_REQUEST['var2'].

When you are strictly expecting a POST variable 'var3', use $_POST['var3'], not $_REQUEST['var3']. This is because a $_GET['var3'] will make $_REQUEST['var3'] available to you, which is not what you want.

Correct me if I am wrong.

--
Shiplu Mokaddim
My talks, http://talk.cmyweb.net
Follow me, http://twitter.com/shiplu
SUST Programmers, http://groups.google.com/group/p2psust
Innovation distinguishes bet ... ... (ask Steve Jobs the rest)
From: Joseph Thayne on 22 Feb 2010 15:55

Richard wrote:
> It's a wise choice to go with $_POST, unless your form is a GET form,
> in which case use $_GET. $_REQUEST has the potential to open your
> script(s) up to security issues.
>

I am not sure what the security issues you are referring to are, as the $_REQUEST superglobal contains both $_GET and $_POST values. Could you expound on that? Thanks.

> Use quoted strings - either single or double quotes. Eg:
>
> $myArray['myKey']
> $myArray["myKey"]
>

To answer your question though, the quotes will not protect you from SQL injection at all. It simply has to do with processing the values.
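The difference Richard and shiplu are pointing at is where $_REQUEST gets its values from. The following script is an added illustration, not code from the thread: it rebuilds the $_REQUEST merge from constructed $_GET, $_POST and $_COOKIE arrays following PHP's request_order / variables_order rule (later letters override earlier ones, so with the php.ini-production default "GP" a POST value beats a GET value, and when request_order is unset the "EGPCS" variables_order lets a cookie override both). The function names buildRequest and readOrderValue and the sample field j_orderValue values are mine. It also shows the point Rene makes later about unquoted keys: $data[j_orderValue] looks up a constant, not the string 'j_orderValue'.

```php
<?php
// Added example (not from the thread): simulate how PHP assembles $_REQUEST so
// the difference between reading $_REQUEST and reading $_POST is visible
// without a web server. Merge order follows request_order / variables_order:
// for each letter in the string, that source's keys overwrite earlier ones.
declare(strict_types=1);

function buildRequest(array $get, array $post, array $cookie, string $order = 'GP'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge with string keys: the right-hand array wins on collisions
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Strict handler: reads only the POST body and validates the field as a
// positive integer, returning null for anything missing or malformed.
function readOrderValue(array $post): ?int
{
    if (!isset($post['j_orderValue']) || !is_string($post['j_orderValue'])) {
        return null;
    }
    $v = filter_var($post['j_orderValue'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Constructed sample request: the form POSTed 42, but the URL query string
// and a cookie of the same name carry different values.
$get    = ['j_orderValue' => '7'];
$post   = ['j_orderValue' => '42'];
$cookie = ['j_orderValue' => '999'];

$reqGP  = buildRequest($get, $post, $cookie, 'GP');   // php.ini-production default
$reqGPC = buildRequest($get, $post, $cookie, 'GPC');  // variables_order fallback (EGPCS)

printf("\$_REQUEST with request_order=GP : %s\n", $reqGP['j_orderValue']);  // POST overrides GET
printf("\$_REQUEST with request_order=GPC: %s\n", $reqGPC['j_orderValue']); // cookie overrides both
printf("strict \$_POST reader            : %s\n", var_export(readOrderValue($post), true));
printf("strict reader, field missing     : %s\n", var_export(readOrderValue([]), true));

// Unquoted array key: PHP resolves j_orderValue as a constant. If one is
// defined, a different key is read; if none is defined, PHP 8 throws an Error.
define('j_orderValue', 'some_other_key');
$data = ['j_orderValue' => 'value under the string key', 'some_other_key' => 'value under the constant'];
printf("\$data[j_orderValue]   -> %s\n", $data[j_orderValue]);
printf("\$data['j_orderValue'] -> %s\n", $data['j_orderValue']);
```

Run it with `php request_order_demo.php`. The practical consequence is the one shiplu describes: a handler that reads $_REQUEST accepts the value from whichever source sorts last, so a client can supply a "POST" field through the URL or a cookie; reading $_POST and validating the field keeps the handler tied to the form it was written for.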
From: Rene Veerman on 22 Feb 2010 15:59

On Mon, Feb 22, 2010 at 9:39 PM, Slack-Moehrle <mailinglists(a)mailnewsrss.com> wrote:
> Hi All,
>
> I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST.
>
> When would I choose one over the other?

I like to be specific and go for $_POST, but some people want flexibility in their code and use $_REQUEST. It's usually no big deal to me.

>
> Also, I see examples of these being used with and without the single quotes
>
> Like:
>
> $_POST[j_orderValue]
> or
> $_POST['j_orderValue']

I'd expect without quotes to query a define('j_orderValue','??').. and yea, use single quotes wherever possible.. it's my exp that 'bla bla $var da da' is harder to read (in syntax-highlighted source editors) than 'bla bla '.$var.' da da'. That's aside from speed improvements, which do add up quickly in high load situations.

> Single quotes is best, correct to prevent sql injection?

SQL injection fixing is an evolving art, but you can start by pushing all variables that can be changed by end users going into a database through a marshalling function:

    function fixSQLinjectionToDB($var) { return addslashes($var); }

addslashes is the minimum fix I believe, but google around and give us back the up-to-date uber-fix-function please :)

Might be wise to look ahead and use an unmarshalling function placeholder fixSQLinjectionFromDB() for any (varchar/text) variable coming from the database and being used by your program for anything. You'll have to look ahead; if you allow end users to store any text in your database, you can't just re-use that text in your output HTML another time. You will need something that strips bad HTML, <img>s, flash, and javascript, to be completely secure. I've once been infected with a piece of very cryptic js (that loaded quite a bit more into the browser) that caused my site to be blacklisted by google.. Big fat red-black warnings by firefox about it too..

Lastly, it also helps to use something like adodb.sf.net as a database abstraction engine, btw.
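Rene's marshalling/unmarshalling idea can be carried through with the tools PHP ships today. The script below is an added example, not Rene's or the thread's code: it uses PDO prepared statements (an in-memory SQLite database, so it assumes the pdo_sqlite extension and runs offline) in place of an addslashes() wrapper for the database side, and htmlspecialchars() for the output side. The table, the function names insertOrder, findOrdersByCustomer and renderNote, and the sample input are constructed for the demo.

```php
<?php
// Added example (not from the thread): parameterised queries as the "to DB"
// marshalling step, and HTML encoding as the "from DB" unmarshalling step.
// With bound parameters the user's value never becomes part of the SQL text,
// so quotes in it are data, and there is no escaping function to keep current.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side binding
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL, note TEXT NOT NULL)');

function insertOrder(PDO $db, string $customer, string $note): int
{
    $stmt = $db->prepare('INSERT INTO orders (customer, note) VALUES (:customer, :note)');
    $stmt->execute([':customer' => $customer, ':note' => $note]);
    return (int) $db->lastInsertId();
}

function findOrdersByCustomer(PDO $db, string $customer): array
{
    $stmt = $db->prepare('SELECT id, customer, note FROM orders WHERE customer = :customer');
    $stmt->execute([':customer' => $customer]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: text that came from users is still untrusted when it goes back
// into a page, so encode it for HTML instead of trying to strip "bad" tags.
function renderNote(string $note): string
{
    return htmlspecialchars($note, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, as it might arrive in $_POST: an apostrophe in the
// customer name and markup in the free-text note.
$customer = "O'Brien";
$note     = '<b>rush</b> order <script>alert(1)</script>';

$id   = insertOrder($db, $customer, $note);
$rows = findOrdersByCustomer($db, $customer);

echo "Stored order #{$id} for ", $rows[0]['customer'], "\n";
echo "Raw note from DB : ", $rows[0]['note'], "\n";
echo "Encoded for HTML : ", renderNote($rows[0]['note']), "\n";

// Contrast: the same apostrophe spliced into a concatenated query breaks the
// statement. This is the failure addslashes() was meant to paper over; binding
// the value as a parameter removes the problem instead of escaping around it.
try {
    $db->query("SELECT id FROM orders WHERE customer = '{$customer}'");
} catch (PDOException $e) {
    echo "Concatenated query failed: ", $e->getMessage(), "\n";
}
```

Run it with `php pdo_marshal_demo.php`. Two design points: addslashes() knows nothing about the connection's character set or the database's quoting rules, whereas a bound parameter is sent separately from the statement; and the HTML side uses encoding rather than a tag stripper, because encoding turns every `<`, `>`, `&` and quote into inert text, while a stripper has to anticipate every markup form it should remove.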