Risks of not localizing GET/POST variables?

PHP_Novice2

I've always made it a practice to store my GET/POST variables in local variables:

$field = $_GET['field'];

Am I wasting my time, or are there any inherent risks if I fail to do this?

laserlight

If you just store it like that without say, escaping it in some way, then you are probably wasting your time.

PHP_Novice2

laserlight;10910511 wrote:
If you just store it like that without say, escaping it in some way, then you are probably wasting your time.

So it's mainly for input control? e.g.:

$userid = intval($_GET['userid']);

bradgrafelman

You could also get rid of it entirely:

$query = sprintf("SELECT foo FROM bar WHERE foobar=&#37;d OR bar='%s'",
    $_GET['id'],
    mysql_real_escape_string($_GET['search'])
);

I suppose it's just your preference.

If you're making modifications to the data, however, it's best to store it in a variable so that you still have the data in its original form should you need it later on.

reli4nt

One of the benefits to the way you were doing it is portability. If you change to POST from GET your code will remain largely intact. It is irrelevant for small scripts but useful when you are coding larger applications that may be reused or repurposed.

Personally, I use the opportunity to clean my variables and do any necessary validation. There after when I see that variable I know it has been cleaned behind the ears and checked for ticks.