On Mon, Feb 22, 2010 at 9:39 PM, Slack-Moehrle <mailinglists@xxxxxxxxxxxxxxx> wrote:
> Hi All,
>
> I have forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST.
>
> When would I choose one over the other? I like to be specific and go for $_POST, but some people want flexibility in their code and use $_REQUEST. It's usually no big deal to me.
>
> Also, I see examples of these being used with and without the single quotes.
>
> Like:
>
> $_POST[j_orderValue]
> or
> $_POST['j_orderValue']

I'd expect the version without quotes to look up a define('j_orderValue', '??')... and yeah, use single quotes wherever possible. It's my exp that 'bla bla $var da da' is harder to read (in syntax-highlighted source editors) than 'bla bla ' . $var . ' da da'. That's aside from speed improvements, which do add up quickly in high-load situations.

> Single quotes is best, correct, to prevent SQL injection?

SQL injection fixing is an evolving art, but you can start by pushing all variables that can be changed by end users and go into a database through a marshalling function:

    // as posted, with the missing "function" keyword added so it parses
    function fixSQLinjectionToDB($var) { return addslashes($var); }

addslashes is the minimum fix I believe, but google around and give us back the up-to-date uber-fix-function please :)

It might be wise to look ahead and use an unmarshalling function placeholder fixSQLinjectionFromDB() for any (varchar/text) variable coming from the database and being used by your program for anything. You'll have to look ahead; if you allow end users to store any text in your database, you can't just re-use that text in your output HTML another time. You will need something that strips bad HTML, <img>s, Flash, and JavaScript, to be completely secure. I've once been infected with a piece of very cryptic JS (that loaded quite a bit more into the browser) that caused my site to be blacklisted by Google. Big fat red-black warnings from Firefox about it too.

Lastly, it also helps to use something like adodb.sf.net as a database abstraction engine, btw.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
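As an added example, not part of the original thread, here is a small PHP form handler that puts the points above into working code: reading a quoted $_POST key (rather than $_REQUEST), sending the value into the database through a PDO prepared statement instead of a hand-written escaping function, and escaping it for HTML on the way back out. The table and column names, the DSN and credentials, and the validation pattern are assumed placeholders.

```php
<?php
// Added example (not from the original thread). Assumes a table
// orders(id, order_value) and a form field named j_orderValue;
// DSN, user and password below are placeholders.
declare(strict_types=1);

// Read from $_POST deliberately: $_REQUEST would also accept the same key
// from the query string or a cookie, widening what a caller can control.
function readOrderValue(array $post): ?string
{
    // Quoted key: $_POST[j_orderValue] is parsed as the constant j_orderValue
    // (a warning in older PHP, an Error in PHP 8).
    if (!isset($post['j_orderValue']) || !is_string($post['j_orderValue'])) {
        return null;
    }
    $value = trim($post['j_orderValue']);
    // Validate the shape you expect instead of trying to "clean" arbitrary input.
    return preg_match('/^[A-Za-z0-9 ._-]{1,64}$/', $value) === 1 ? $value : null;
}

// Into the database: a prepared statement keeps data separate from SQL,
// so no escaping function (addslashes or otherwise) is involved.
function storeOrderValue(PDO $db, string $value): int
{
    $stmt = $db->prepare('INSERT INTO orders (order_value) VALUES (:v)');
    $stmt->execute([':v' => $value]);
    return (int) $db->lastInsertId();
}

// Out of the database: escape for the HTML context it is printed in, so any
// stored <script> or <img> markup is shown as text rather than interpreted.
function renderOrderValue(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('mysql:host=localhost;dbname=shop', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$value = readOrderValue($_POST);
if ($value === null) {
    http_response_code(400);
    exit('Missing or malformed j_orderValue');
}
$id = storeOrderValue($db, $value);
echo '<p>Stored order ' . $id . ': ' . renderOrderValue($value) . '</p>';
```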