From: Rene Veerman on 22 Feb 2010 16:01

> i'd expect without quotes to query a define('j_orderValue','??')..

oh, and that, if not defined, defaults to the string 'j_orderValue'.

So while your $_POST[] with or without quotes will "do the same", use single-quotes anyway because it's "the right thing to do" ;)
From: Richard on 22 Feb 2010 16:03

Hi,

> I am not sure what the security issues are you are referring to as the
> $_REQUEST superglobal contains both $_GET and $_POST values. Could you
> expound on that? Thanks.

Not really, do a search.

--
Richard Heyes
HTML5 canvas graphing: RGraph - http://www.rgraph.net (updated 20th February)
Lots of PHP and Javascript code - http://www.phpguru.org
From: Kim Madsen on 22 Feb 2010 16:05

Hi Slack-Moehrle

Slack-Moehrle wrote on 22/02/2010 21:39:
> Hi All,
>
> I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST.
>
> When would I choose one over the other?

$_REQUEST['test'] is true on both $_GET['test'] and $_POST['test']

I use it from time to time if I have an edit link followed by a form posting (where I use method=post), if I decide to have all editing in one statement, i.e.:

    if($_REQUEST['test']) {
        if($_GET['test']) {
            // make the form here
        } elseif($_POST['test']) {
            // get posting from the form
        }
    }

> Also, I see examples of these being used with and without the single quotes
>
> Like:
>
> $_POST[j_orderValue]
> or
> $_POST['j_orderValue']
>
> Single quotes is best, correct to prevent sql injection?

Best practice is with '', if you have E_NOTICE on you'll get notices if you use $_POST[test] instead of $_POST['test']

It has nothing to do with SQL injection here. But when dealing with SQL statements it's best practice to use '', for instance if you are about to insert and a number at some point could be inserted as part of the statement: "price = 250" will do fine, but if price ain't entered "price = " will cause an error, while "price = ''" will not make the sql insert fail.

Regarding SQL injection, run all inputs through the function mysql_real_escape_string()

--
Kind regards
Kim Emax - masterminds.dk
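The three points raised in Rene's and Kim's posts (an unquoted key is a constant lookup, an empty price produces "price = ", and input must not land in SQL text) as one added example. This is editor-added code, not code from the thread or from any poster. It assumes the form fields j_orderValue and price, a hypothetical `orders` table, and an in-memory SQLite database so it runs from the command line. Where Kim says mysql_real_escape_string(), the example uses a PDO prepared statement instead, since the mysql_* extension was removed in PHP 7; that substitution is the editor's, not Kim's.

```php
<?php
// Added example (not from the thread). Shows unquoted array keys, the empty
// "price = " problem, and keeping user input out of SQL text. Field names,
// the `orders` table and the SQLite in-memory database are assumptions.
declare(strict_types=1);
error_reporting(E_ALL);

// Constructed sample input standing in for a real form submission.
$_POST = ['j_orderValue' => "O'Brien", 'price' => ''];

// 1. $_POST[j_orderValue] (no quotes) looks up a *constant* named
//    j_orderValue. While undefined, PHP <= 7.4 warns and falls back to the
//    string; PHP 8 throws Error. Once defined, it silently indexes whatever
//    field the constant names.
function unquoted_lookup(): ?string
{
    try {
        return $_POST[j_orderValue] ?? null;   // bare word, not a string
    } catch (\Error $e) {
        return null;                            // PHP 8: undefined constant
    }
}

echo "before define: ", var_export(unquoted_lookup(), true), "\n";
define('j_orderValue', 'price');                // some include defines it later
echo "after define:  ", var_export(unquoted_lookup(), true), "\n"; // now reads the price field
echo "quoted:        ", $_POST['j_orderValue'], "\n";              // always the intended field

// 2. Empty input: "price = " is a syntax error, "price = ''" stores junk in
//    a numeric column. Validate once and map empty to NULL instead.
function price_from_post(array $post): ?float
{
    if (!isset($post['price']) || $post['price'] === '') {
        return null;
    }
    if (!is_numeric($post['price'])) {
        throw new InvalidArgumentException('price must be numeric');
    }
    return (float) $post['price'];
}

// 3. The interpolated query the post warns about, returned as text only.
//    Never execute this: a quote in the input changes the statement.
function unsafe_sql(array $post): string
{
    return "INSERT INTO orders (order_value, price) "
         . "VALUES ('{$post['j_orderValue']}', {$post['price']})";
}

// Hardened form: the prepared statement sends values separately from the
// SQL, so quoting is the driver's job rather than string concatenation.
function insert_order(PDO $db, array $post): int
{
    $stmt  = $db->prepare('INSERT INTO orders (order_value, price) VALUES (:v, :p)');
    $price = price_from_post($post);
    $stmt->bindValue(':v', $post['j_orderValue'] ?? '', PDO::PARAM_STR);
    $stmt->bindValue(':p', $price, $price === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, order_value TEXT, price REAL)');

echo unsafe_sql($_POST), "\n";          // unbalanced quote and an empty price slot
insert_order($db, $_POST);              // stored intact, price NULL
var_dump($db->query('SELECT order_value, price FROM orders')->fetchAll(PDO::FETCH_ASSOC));
```

Run it with `php example.php` on a build that has pdo_sqlite (the default on most distributions). The first line of output changes between PHP 7 and PHP 8, which is the point: an unquoted key is not a stable way to address a form field.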
From: Dotan Cohen on 22 Feb 2010 16:09

> I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST.
>

Look at this example:

    <form action="page.php?foo=bar">
        <input type="hidden" name="foo" value="pub">
    </form>

Now what do you think $_REQUEST will return? You had better not even think. Just use $_POST or $_GET as you _know_ what they will return. Don't forget, there might even be a cookie with the name "foo".

--
Dotan Cohen

http://bido.com
http://what-is-what.com

Please CC me if you want to be sure that I read your message. I do not read all list mail.
From: Michael Shadle on 22 Feb 2010 16:22

On Mon, Feb 22, 2010 at 12:55 PM, Joseph Thayne <webadmin(a)thaynefam.org> wrote:
> I am not sure what the security issues are you are referring to as the
> $_REQUEST superglobal contains both $_GET and $_POST values. Could you
> expound on that? Thanks.

$_REQUEST opens you up to POST/GET values overriding cookie values or vice versa. It's best to choose your source of data specifically. I unset($_REQUEST) wherever I can to enforce stricter coding practices. To me it's lazy.

If you really need to mix POST and GET, then you can always array_merge($_POST, $_GET)

>> Use quoted strings - either single or double quotes. Eg:
>>
>> $myArray['myKey']
>> $myArray["myKey"]

single quotes are better (by a marginal fraction) as it won't look for interpolated strings :)
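Dotan's foo=bar / foo=pub form and Michael's two alternatives (unset($_REQUEST), or array_merge the two sources you actually mean) as one added example. This is editor-added code, not code from the thread. It reproduces how PHP fills $_REQUEST from $_GET, $_POST and $_COOKIE so the answer to "what will $_REQUEST return?" can be read off for each configuration. It assumes the form is submitted with method=post (the original snippet has no method attribute), and the cookie value "jar" is constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Reproduces PHP's $_REQUEST merge so
// the ambiguity can be seen for each ini setting, then shows the explicit
// alternatives. All input arrays are constructed; no web server needed.
declare(strict_types=1);

// PHP fills $_REQUEST left to right following request_order, or
// variables_order when request_order is empty. Later sources overwrite
// earlier ones. Only the G, P and C letters contribute to $_REQUEST;
// E and S are ignored for it.
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Dotan's form: foo=bar in the action query string, foo=pub in the POST
// body, plus an assumed cookie named foo.
$get    = ['foo' => 'bar'];
$post   = ['foo' => 'pub'];
$cookie = ['foo' => 'jar'];

// "GP" is php.ini-production's request_order; "EGPCS" is what you get when
// request_order is empty and variables_order applies; the others show how
// a reordered setting flips the answer.
foreach (['GP', 'PG', 'EGPCS', 'CGP'] as $order) {
    $r = build_request($get, $post, $cookie, $order);
    printf("%-6s -> \$_REQUEST['foo'] = %s\n", $order, $r['foo']);
}

// Michael's first alternative: drop $_REQUEST entirely so any later use of
// it fails loudly instead of returning whichever source happened to win.
unset($_REQUEST);

// Michael's second alternative: merge only the two sources you mean, with
// the winner chosen in code. array_merge($_POST, $_GET) lets GET override
// POST for string keys; swap the arguments if POST should win.
function request_value(string $key, array $get, array $post): ?string
{
    $merged = array_merge($post, $get);
    return isset($merged[$key]) ? (string) $merged[$key] : null;
}

// Strictest: read from exactly the source the form is supposed to use, and
// gate on the method so a crafted GET link cannot drive the POST handler.
function form_value(string $method, string $key, array $get, array $post): ?string
{
    $source = $method === 'POST' ? $post : $get;
    return isset($source[$key]) ? (string) $source[$key] : null;
}

echo "array_merge(\$_POST, \$_GET): ", request_value('foo', $get, $post), "\n";
echo "POST only: ", form_value('POST', 'foo', $get, $post), "\n";
echo "GET only:  ", form_value('GET', 'foo', $get, $post), "\n";
```

In a real handler, pass `$_SERVER['REQUEST_METHOD']`, `$_GET` and `$_POST` to form_value() rather than the constructed arrays. The merge loop is the whole reason the thread's advice holds: the value of $_REQUEST['foo'] is decided by an ini setting the application code never sees.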