On 02/22/2010 09:39 PM, Slack-Moehrle wrote:
Hi All,
I have Forms that I submit for processing. I have seen examples of people using 
either $_POST or $_REQUEST.
When would I choose one over the other?

When you don't care how you get the data use $_REQUEST.
$_REQUEST will contain $_GET,$_POST,$_COOKIE in the order specified in php.ini. Don't know what the default is.


Don't do that, PHP will bitch that you are attempting to use a constant as a string or something like that. Make sure you enable error reporting in php.ini and use
        display_errors = On
        error_reporting = E_ALL | E_STRICT
for development but not on your server unless you log only.


There are a few ways to write this properly, depending on how you use it. The above is how I usually use it but this is also possible.
x = $_POST['j_orderValue'] <= that is how I write it
x = $_POST["j_orderValue"] <= also ok because it is a stirng
for $x=0; $x < 10, $x++ )
        $foo[$x] = $_POST["j_orderValue$x"]
 is also possible

echo "foo $_POST[j_orderValue]";
echo "foo {$_POST['j_orderValue']}";
and a few more, there was a great thread a while back which listed every possible combination.

Single quotes is best, correct to prevent sql injection?

SQL injects happen when you use the $_RESQUEST[] information, as is, in your SQL string.

SELECT * FROM foo WHERE XXX=$_REQUEST['yyy'] <= very bad!

You should be doing:

... code sanity check here.
        - is a number really number, length and so on ...

Then if you use a MySQL database you would escape the string like this
$tmp = mysql_real_escape_string($_REQUEST['yyy']);

and use it like this.

mysql_real_escape_string() protect from SQL injection by escaping your string according to what your charset requires.

Nur wer im Wohlstand lebt, schimpft auf ihn.
[Ludwig Marcuse]

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to