On 2/22/10 8:39 PM, Slack-Moehrle wrote:
> Hi All,
> 
> I have Forms that I submit for processing. I have seen examples of people 
> using either $_POST or $_REQUEST.
> 
> When would I choose one over the other?

use $_POST. $_REQUEST is normally an amalgam of GET, POST and COOKIE - as such
using $_REQUEST can open you up to a denial of service attack (if someone
manages to place cookies with the same names as your form fields they will
always override what was in the POST).

avoid using $_REQUEST.

> Also, I see examples of these being used with and without the single quotes
> 
> Like:
> 
> $_POST[j_orderValue]

this generates an E_NOTICE and is bad practice, it's also slower, essentially
PHP sees the CONSTANT j_orderValue which it can't find and does its best to
accommodate sloppy code by translating it into the string 'j_orderValue'

try turning up the ini setting 'error_reporting' to include E_NOTICE warnings
(and everything else) and see what else your code might be doing which isn't
quite right ... it can be very helpful, I'm assuming you're running a local
webserver, as running that in production is a bit pointless in my view
(additionally having the ini setting 'display_errors' turned on in production
is a security issue)

> or
> $_POST['j_orderValue']
> 
> Single quotes is best, correct to prevent sql injection?

this does nothing for SQL injection prevention, for that you need the escaping
function for the DB you use ... for MySQL that would be
mysql_real_escape_string().

> -ML
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
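
An added example, not part of the original message: it simulates the merge order the reply describes, showing a cookie with the same name replacing the posted form value in $_REQUEST while $_POST is unaffected. `build_request()` and `read_order_value()` are hypothetical helpers, the sample values are constructed, and the order strings follow PHP's `request_order` ini directive.

```php
<?php
// Simulation for the CLI: build_request() is a hypothetical helper that mimics
// how PHP fills $_REQUEST from a request_order string such as "GP" or "GPC".
// Sources are merged left to right, so a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical reader: quoted key, POST only. Assumes the field is a whole number.
function read_order_value(array $post): ?int
{
    $raw = $post['j_orderValue'] ?? null;
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null; // missing, an array, or not made of digits
    }
    return (int) $raw;
}

// Constructed sample input: the form posts 25, a cookie of the same name holds 9999.
$get    = [];
$post   = ['j_orderValue' => '25'];
$cookie = ['j_orderValue' => '9999'];

$withCookies    = build_request('GPC', $get, $post, $cookie);
$withoutCookies = build_request('GP', $get, $post, $cookie);

// With cookies in the merge, the cookie value replaces the posted one.
printf("order GPC, merged value: %s\n", $withCookies['j_orderValue']);
// Without cookies in the merge, the posted value survives.
printf("order GP,  merged value: %s\n", $withoutCookies['j_orderValue']);
// $_POST never sees the cookie, whatever the merge order is.
printf("POST only, parsed value: %d\n", read_order_value($post));
```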
