$_post ?

TalonFinsky

Figured this was the correct forum to post this to. I've seen everyone using $_POST["varname"] to call for variables from a form post. I know there was a message regarding this question a while ago, but I can't seem to find it now.

Is there any specific reason to use $_POST["varname"] as opposed to just calling for the $varname as if it were an internal variable?

Just my curious nature I suppose.

~TF

rIkLuNd

Well, calling for a variable like '$name' will only work if "Register Globals" are on, and in the new versions, the default setting is off.

TalonFinsky

Ok, I understand that. Is there any reason you can think of to actually leave the register_globals to the default (off)?

I was basically wondering if they did that as a security fix or something.

rIkLuNd

well, i've heard some people say that there is some sort of security reason to keep it off... Don't know exactly what it is.

edwardsbc

If register globals is on, an evil user could forge a submission by sending a GET response:

file.php?action=killallrecords

When in realility, perhaps, you would only expect this to come from a POST. Naturally, this is a contrived example, but you should ALWAYS verify user input, and only accept input from the expected source (GET or POST).

I always create "verified" forms of the variables:

$v_myvar=VerifyFunc($_POST['myvar']);

Where VerifyFunc is a user-defined function that returns a validated legit user response or it throws an error.

rIkLuNd

oh... well, thanks for the info!

haans

Originally posted by rIkLuNd
Well, calling for a variable like '$name' will only work if "Register Globals" are on, and in the new versions, the default setting is off.

Sorry I am a newbie here. Tried to turn on in php.ini but still gave me the error: undefined variable.

Also what is the work around for this? I saw ppl mentioning using $_POST.

SHould I do this:-
$var1 = $_POST["name]"

Let say I need to return

<?php
$var1 = $_POST["name]"
Employee Name: $var1?
?>

But seems got error in line Employee Name, it just can't recognise it.

Thanks.

jabba_29

<?php
$var1 = $_POST["name]"
Employee Name: $var1?
?>

If this was just a loose example, then fairl enough, but it should be something like:

$var1 = $_POST['name'];
echo 'Employee Name: $var1';

Or similar
:eek:

corsc

I know we have all heard the talk of register globals being a security risk and that we should use $POST or $GET, which trust me I do (lemming syndrome).

But I fail to see how these are any better, especially seeing that there is no validation on the source script of the POST ??

I personally believe that using the $_POST, etc. var's is a better approach because there is then no possibility of POST/GET vars overriding variables that are used elsewhere in the script.

If there is another reason we should be doing this or some other security issues i would love to heard them.

Thanks.

rIkLuNd

If you're using an old version of php, then you'll have to use $HTTP_POST_VARS and $HTTP_GET_VARS!