Re: $_POST vars

Nathan Nobbe <quickshiftin@xxxxxxxxx> wrote on 04/13/2011 12:47:11 PM:

[much snippage]

> no, it's actually a better practice.  users are expected to populate arrays
> they create.  the $GLOBALS array is expected to be populated by user
> scripts.  The $_POST array is expected to be populated by PHP.  by the time
> you've decided to stuff variables into $_GET or $_POST yourself you've
> decided to start mixing variables from your code with variables from the
> client.  simply put these arrays are not intended to be populated by user
> scripts.

I like Chris Shiflett's approach, which emphasizes security. Step 1 with 
posted (tainted) data is to sanitize it. "Clean" values are then moved 
from $_GET/$_POST into a new array, e.g., $CLEAN, so that it is 
immediately clear to code reviewers, future support programmers, etc., 
that the data is now clean and safe to use. With this approach, $_POST is 
only used at Step 1 and then disappears from the remaining code; $CLEAN is 
used in subsequent steps. Using $_POST out in the middle of nowhere 
*looks* like it could be a security flaw, whether it actually is or isn't. 
And you know how Joel Spolsky feels about code that *looks* like it could 
be an error ;)

But, yes, you can use $_POST just like any other array. Not a practice I 
prefer, but YMMV.

Kirk
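The "Step 1 filters $_POST into $CLEAN" approach described above, as an added PHP example that is not part of the original message or of Shiflett's own code; the field names (username, email, age) and their validation rules are assumptions chosen for illustration.

```php
<?php
// Added example (not part of the original message): Shiflett-style
// "filter input" pattern. $_POST is read only in Step 1; later code
// uses $clean. Field names and validation rules are assumptions.
declare(strict_types=1);
// Step 1: validate tainted input and copy only values that pass into a
// fresh array. Fields without a rule never reach $clean, so unexpected
// or extra POST fields are silently dropped. Returns [$clean, $errors].
function filterInput(array $tainted): array
{
    $clean  = [];
    $errors = [];

    // username: whitelist of allowed characters and length
    $user = $tainted['username'] ?? null;
    if (is_string($user) && preg_match('/^[A-Za-z0-9_]{3,20}$/', $user) === 1) {
        $clean['username'] = $user;
    } else {
        $errors[] = 'username';
    }

    // email: must parse as an address (arrays and junk return false)
    $email = filter_var($tainted['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors[] = 'email';
    }

    // age: integer in a sane range; "12abc" or "1e3" are rejected
    $age = filter_var($tainted['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age !== false) {
        $clean['age'] = $age;
    } else {
        $errors[] = 'age';
    }

    return [$clean, $errors];
}
// The only place $_POST appears; everything below reads $clean.
[$clean, $errors] = filterInput($_POST);
if ($errors !== []) {
    http_response_code(400);
    exit('Invalid fields: ' . implode(', ', $errors));
}

// Validated is not the same as output-safe: still escape for the context.
echo 'Hello, ' . htmlspecialchars($clean['username'], ENT_QUOTES, 'UTF-8');
```

A reviewer grepping for `$_POST` should find it in exactly one place; a value in `$clean` is validated for its input rules, not encoded for HTML or SQL, so output escaping and parameterized queries are still needed downstream.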
