Nathan Nobbe <quickshiftin@xxxxxxxxx> wrote on 04/13/2011 12:47:11 PM: [much snippage] > no, it's actually a better practice. users are expected to populate arrays > they create. the $GLOBALS array is expected to be populated by user > scripts. The $_POST array is expected to be populated by PHP. by the time > you've decided to stuff variables into $_GET or $_POST yourself you've > decided to start mixing variables from your code with variables from the > client. simply put these arrays are not intended to be populated by user > scripts. I like Chris Shiflett's approach, which emphasizes security. Step 1 with posted (tainted) data is to sanitize it. "Clean" values are then moved from $_GET/$_POST into a new array, e.g., $CLEAN, so that it is immediately clear to code reviewers, future support programmers, etc., that the data is now clean and safe to use. With this approach, $_POST is only used at Step 1 and then disappears from the remaining code; $CLEAN is used in subsequent steps. Using $_POST out in the middle of nowhere *looks* like it could be a security flaw, whether it actually is or isn't. And you know how Joel Spolsky feels about code that *looks* like it could be an error ;) But, yes, you can use $_POST just like any other array. Not a practice I prefer, but YMMV. Kirk
