From: Rene Veerman on
> I'd expect without quotes to query a define('j_orderValue','??')..

oh, and that, if not defined, defaults to the string 'j_orderValue'.
So while your $_POST[] with or without quotes will "do the same", use
single-quotes anyway because it's "the right thing to do" ;)
From: Richard on
Hi,

> I am not sure what the security issues are you are referring to as the
> $_REQUEST superglobal contains both $_GET and $_POST values.  Could you
> expound on that?  Thanks.

Not really, do a search.

--
Richard Heyes
HTML5 canvas graphing: RGraph - http://www.rgraph.net (updated 20th February)
Lots of PHP and Javascript code - http://www.phpguru.org
From: Kim Madsen on
Hi Slack-Moehrle

Slack-Moehrle wrote on 22/02/2010 21:39:
> Hi All,
>
> I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST.
>
> When would I choose one over the other?

$_REQUEST['test'] is true on both $_GET['test'] and $_POST['test']

I use it from time to time if I have an edit link followed by a form
posting (where I use method=post), if I decide to have all editing in
one statement, i.e.:

if ($_REQUEST['test']) {
    if ($_GET['test']) {
        // make the form here
    }
    elseif ($_POST['test']) {
        // get posting from the form
    }
}

> Also, I see examples of these being used with and without the single quotes
>
> Like:
>
> $_POST[j_orderValue]
> or
> $_POST['j_orderValue']
>
> Single quotes is best, correct to prevent sql injection?

Best practice is with '', if you have E_NOTICE on you'll get notices if
you use $_POST[test] instead of $_POST['test']

It has nothing to do with SQL injection here. But when dealing with SQL
statements it's best practice to use '', for instance if you are about
to insert and a number at some point could be inserted as part of the
statement: "price = 250" will do fine, but if price ain't entered "price
= " will cause an error, while "price = ''" will not make the sql insert
fail.

Regarding SQL injection, run all inputs through the function
mysql_real_escape_string()

--
Kind regards
Kim Emax - masterminds.dk
From: Dotan Cohen on
> I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST.
>

Look at this example:

<form action="page.php?foo=bar">
<input type="hidden" name="foo" value="pub">
</form>

Now what do you think $_REQUEST will return? You had better not even
think. Just use $_POST or $_GET as you _know_ what they will return.

Don't forget, there might even be a cookie with the name "foo".

--
Dotan Cohen

http://bido.com
http://what-is-what.com

Please CC me if you want to be sure that I read your message. I do not
read all list mail.
From: Michael Shadle on
On Mon, Feb 22, 2010 at 12:55 PM, Joseph Thayne <webadmin(a)thaynefam.org> wrote:

> I am not sure what the security issues are you are referring to as the
> $_REQUEST superglobal contains both $_GET and $_POST values.  Could you
> expound on that?  Thanks.

$_REQUEST opens you up to POST/GET values overriding cookie values or
vice versa. It's best to choose your source of data specifically.

I unset($_REQUEST) wherever I can to enforce stricter coding
practices. To me it's lazy. If you really need to mix POST and GET,
then you can always array_merge($_POST, $_GET)

>> Use quoted strings - either single or double quotes. Eg:
>>
>> $myArray['myKey']
>> $myArray["myKey"]

Single quotes are better (by a marginal fraction) as it won't look for
interpolated strings :)
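The points made in Dotan's and Michael's messages above (the same key arriving via GET, POST and a cookie, and $_REQUEST silently picking one of them) can be shown with a short script. This is an added example, not code from any poster in the thread; the sample request data is constructed, and buildRequest() only mimics how PHP merges the sources according to the request_order ini setting (php.ini-production ships request_order = "GP"; when it is empty, variables_order is used).

```php
<?php
// Added example: why $_REQUEST is ambiguous, and how to read one explicit
// source instead. All request data below is constructed for the demo.

// The same key arrives from three places, as in Dotan's form example.
$get    = ['foo' => 'bar'];          // query string: page.php?foo=bar
$post   = ['foo' => 'pub'];          // hidden form field named "foo"
$cookie = ['foo' => 'from-cookie'];  // a cookie that happens to share the name

/**
 * Mimic how PHP builds $_REQUEST: the sources named in $order (letters of
 * the request_order ini setting) are merged left to right, so a later
 * source overwrites an earlier one. This is a model of the behaviour for
 * illustration, not PHP's own implementation.
 */
function buildRequest(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// The value your script sees depends on the server's ini file, not on
// anything in your code: GP => pub, PG => bar, GPC => from-cookie, CGP => pub
foreach (['GP', 'PG', 'GPC', 'CGP'] as $order) {
    $req = buildRequest($get, $post, $cookie, $order);
    printf("request_order=%-4s => \$_REQUEST['foo'] = %s\n", $order, $req['foo']);
}

/**
 * Explicit alternative: read exactly one source, with a default for a
 * missing key (no E_NOTICE) and a type check, because a client can send
 * foo[]=x and turn a scalar you expected into an array.
 */
function param(array $source, string $key, ?string $default = null): ?string
{
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    return is_string($source[$key]) ? $source[$key] : $default;
}

printf("POST foo:     %s\n", param($post, 'foo'));                 // pub
printf("GET  foo:     %s\n", param($get, 'foo'));                  // bar
printf("POST missing: %s\n", param($post, 'missing', 'n/a'));      // n/a
printf("array value:  %s\n", param(['foo' => ['x']], 'foo', 'n/a')); // n/a

// If GET and POST really must be mixed (Michael's suggestion), state the
// precedence yourself instead of inheriting it from php.ini. POST wins here;
// cookies are never consulted.
$mixed = array_merge($get, $post);
printf("array_merge(GET, POST) foo: %s\n", $mixed['foo']);         // pub
```

Run it with `php example.php`; the first loop prints a different value for the same key under each request_order, which is the whole argument for reading $_GET or $_POST directly.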