On 02/22/2010 09:39 PM, Slack-Moehrle wrote:
Hi All,
I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST.
When would I choose one over the other?
When you don't care how you get the data use $_REQUEST.
$_REQUEST will contain $_GET,$_POST,$_COOKIE in the order specified in
php.ini. Don't know what the default is.
$_POST[j_orderValue]
Don't do that, PHP will bitch that you are attempting to use a constant
as a string or something like that. Make sure you enable error reporting
in php.ini and use
display_errors = On
error_reporting = E_ALL | E_STRICT
for development but not on your server unless you log only.
$_POST['j_orderValue']
There are a few ways to write this properly, depending on how you use
it. The above is how I usually use it but this is also possible.
$x = $_POST['j_orderValue']; <= that is how I write it
$x = $_POST["j_orderValue"]; <= also ok because it is a string
for ($x = 0; $x < 10; $x++)
    $foo[$x] = $_POST["j_orderValue$x"];
is also possible
echo "foo $_POST[j_orderValue]";
echo "foo {$_POST['j_orderValue']}";
and a few more, there was a great thread a while back which listed
every possible combination.
Single quotes are best, correct, to prevent SQL injection?
SQL injections happen when you use the $_REQUEST[] information, as is, in
your SQL string.
SELECT * FROM foo WHERE XXX=$_REQUEST['yyy'] <= very bad!
You should be doing:
... code sanity check here.
- is a number really number, length and so on ...
Then if you use a MySQL database you would escape the string like this
$tmp = mysql_real_escape_string($_REQUEST['yyy']);
and use it like this.
SELECT * FROM foo WHERE XXX='$tmp'
mysql_real_escape_string() protects from SQL injection by escaping your
string according to what your charset requires.
--
John
Nur wer im Wohlstand lebt, schimpft auf ihn.
[Ludwig Marcuse]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
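The "sanity check, then keep request data out of the SQL text" advice from the reply above, as an added example that is not part of the original thread. It assumes a mysqli connection `$db` (with the mysqlnd driver, for `get_result()`) and a table `foo` with an integer column `order_value`; both are hypothetical, and the validation/rejection part runs without any database.

```php
<?php
// Added example (not from the mailing-list post). Assumes a hypothetical
// mysqli connection $db and a table `foo` with an integer column `order_value`.

// 1. The pattern the reply warns against: request data dropped straight into SQL.
function unsafe_query(array $request): string
{
    return "SELECT * FROM foo WHERE order_value = {$request['j_orderValue']}";
}

// 2. Sanity check first: is the value really an integer in the range we expect?
//    Returns null for anything that is missing, non-numeric, or out of range.
function order_value_from(array $request): ?int
{
    if (!isset($request['j_orderValue'])) {
        return null;
    }
    $v = filter_var(
        $request['j_orderValue'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000000]]
    );
    return $v === false ? null : $v;
}

// 3. Then keep the value out of the SQL text entirely with a prepared statement.
//    This stands in for mysql_real_escape_string(): the mysql extension was
//    removed in PHP 7, and escaping only ever helped inside a quoted literal.
function find_order(mysqli $db, array $request): ?array
{
    $v = order_value_from($request);
    if ($v === null) {
        return null;            // reject or show a form error; never build a query
    }
    $stmt = $db->prepare('SELECT * FROM foo WHERE order_value = ?');
    $stmt->bind_param('i', $v);  // 'i' binds the value as an integer, not as SQL
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed inputs standing in for $_POST; no database needed for this part.
$good = ['j_orderValue' => '42'];
$bad  = ['j_orderValue' => '42abc'];

var_dump(order_value_from($good));  // passes the integer check
var_dump(order_value_from($bad));   // fails the check, so no query is ever built
echo unsafe_query($good), "\n";     // same text either way: the bad pattern
```

With a real `$db`, `find_order($db, $_POST)` returns the matching rows for valid input and `null` for anything the check rejects.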