why use $_GET, $_POST

Status
Not open for further replies.

iffoiffy

Programmer
Feb 24, 2005
67
CA
Hi,

I noticed when you submit a form or go to a page through a link <a>, variables in the link or in the form go to the other page and you can access them without having to first do $_GET or $_POST. So why do we first do either $_GET or $_POST?

Thanks
 
That means that whoever set up your copy of PHP has register_globals turned ON in the php.ini file. This has a number of security concerns. Read about them in
If you were to move your code to a server that has PHP set up correctly, register_globals turned OFF, code that doesn't use the superglobals $_GET and $_POST would stop working correctly.

Also, since they are superglobals, the arrays are available throughout your script, even within functions, without using the global statement.

Ken
 
Thanks for your reply. The company where I am hosting seems quite experienced; I don't know why they would do something like that. I will still use $_GET or $_POST; who knows, they may change their setting in future and my code will quit working.


 
I would go further and ask them why they are doing it - after all the rest of the professional world has recognized the security implications and acted accordingly.
It might be in your best interest to check that out.

I see in many code examples that are posted here that people assign local singleton variables from the superglobal arrays $_POST or $_GET. IMO that makes the code convoluted and also uses extra memory.
The biggest difference is that $_POST['myvar'] works anywhere in your code, hence 'superglobal', while $myvar = $_POST['myvar'] only covers the local scope. There is also no question where $_POST['myvar'] comes from, while $myvar could be anything. I keep my data input cleanly marked, so I always know if the code is dealing with user input. Never forget:
Do not trust user input.
 
when you say

"I see in many code examples that are posted here that people assign local singleton variables from the superglobal arrays $_POST or $_GET. IMO that makes the code convoluted and also uses extra memory."

You mean doing something like this

$name= $_POST['name'];


is not recommended?
One should just use
$_POST['name']; straight
 
I never do "$name= $_POST['name'];". I always only reference the elements of the superglobals.

To reiterate and/or add to DRJ78's post:
  • you're wasting memory as the value is already stored in $_POST
  • $_POST is superglobal, which means it will be available in user-defined functions where $name will not without the use of the "global" operator
  • if you perform "$name= $_POST['name'];" in line 10, six months from now you will likely not remember how the value got into $name in line 400, but $_POST['name'] will be obvious
  • you're more likely to walk over your own variable $name by improperly reusing it than $_POST['name']. You're also keeping user input separate from your own variables
  • you maintain a more consistent coding style, as when you start doing things with sessions, you're going to manipulate the $_SESSION superglobal array directly


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
That's what I would do. Once you have a few thousand lines of code with functions, classes etc. it gets hard to remember what is what. At the level where values are infused into the logic I like to be clear where it comes from.
Example:
You are making SQL queries. Somewhere in the top of the script you have $name = $_POST['name']. If you write your query you might do the following:
Code:
$sql = "SELECT * FROM table WHERE name = '$name'";
By then you have already forgotten where $name came from: user input. It seems more likely to me that if you were to use the $_POST variable you'd recall where it came from and do something like
Code:
$sql = "SELECT * FROM table WHERE name= '".mysql_real_escape_string($_POST['name'])."'";

I am not making any recommendations. It is a question of one's individual programming style. You have to decide what your style is - and there is also no judgement. My code is not better/worse because I am doing it this way.
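
The query pattern from the post above, as an added example that is not part of the thread: the interpolated statement next to a PDO prepared statement, which is a different technique from the mysql_real_escape_string() call in the post. The users table, the function names and the request value are constructed for illustration, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not code from the thread. Table, function names and the
// request value are constructed; assumes the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->prepare('INSERT INTO users (name) VALUES (?)')->execute(["O'Brien"]);

// Constructed form submission: a legitimate name that contains a quote.
$_POST['name'] = "O'Brien";

// Pattern from the post: the value is copied to $name, then interpolated, so
// the quote in the input ends the SQL string literal early.
function find_interpolated(PDO $pdo): string
{
    $name = $_POST['name'];
    $sql  = "SELECT name FROM users WHERE name = '$name'";
    try {
        $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
        return count($rows) . ' row(s)';
    } catch (PDOException $e) {
        return 'statement rejected: ' . $e->getMessage();
    }
}

// Prepared statement: the SQL text is fixed; the value is bound separately
// and is never parsed as part of the statement.
function find_bound(PDO $pdo): string
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $_POST['name'] ?? '']);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN)) . ' row(s)';
}

echo 'interpolated: ', find_interpolated($pdo), PHP_EOL;
echo 'bound:        ', find_bound($pdo), PHP_EOL;
```

Because the input alone changes how the first statement parses, ordinary data is enough to show that user input has become part of the SQL text.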
 
When the change from register_globals "ON" to "OFF" occurred, I initially used the extract() function to mimic what PHP had been doing. This was the "easy" way to get my code back in working order. As I've had to modify and/or rewrite scripts, I've migrated to using $_GET or $_POST. The only time I use a temporary variable is when I want to manipulate the data in the arrays and also keep the original around.

Using $_GET, $_POST, $_SERVER, etc., has made my code much easier to modify if I go back to a script after many months.

Ken
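
An added example, not part of the thread, illustrating the security concern with register_globals mentioned in the first reply and the extract() shortcut described in the post above: when request keys become ordinary variables, the request can set any variable the script forgot to initialise. $authorized, is_admin_session(), the function names and the request data are hypothetical.

```php
<?php
// Added example, not code from the thread. All names and data are constructed.

// Constructed request parameters, as if the URL ended in ?authorized=1&page=reports
$request = ['authorized' => '1', 'page' => 'reports'];

function is_admin_session(): bool
{
    return false; // stand-in for a real session check; this visitor is not an admin
}

// register_globals-style import: every request key becomes a local variable.
// extract() with its default EXTR_OVERWRITE flag behaves the same way.
function check_with_imported_vars(array $request): bool
{
    extract($request);            // creates $authorized and $page from the request
    if (is_admin_session()) {
        $authorized = true;
    }
    // The script never initialised $authorized, so the request decided its value.
    return !empty($authorized);
}

// Script state is initialised explicitly and request data stays in its array.
function check_with_explicit_input(array $request): bool
{
    $authorized = is_admin_session();
    return $authorized;           // $request['authorized'] is never consulted
}

// If extract() is kept during a migration, a prefix keeps imported names
// apart from script variables: this creates $in_authorized and $in_page.
function check_with_prefixed_import(array $request): bool
{
    $authorized = is_admin_session();
    extract($request, EXTR_PREFIX_ALL, 'in');
    return $authorized;
}

var_dump(check_with_imported_vars($request));
var_dump(check_with_explicit_input($request));
var_dump(check_with_prefixed_import($request));
```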
 
Thanks for everybody's input. You are right, I think one should just use $_POST and $_GET straight without assigning their values to variables first...

 