Why use $_POST['something'] while we can use $something?

I’m a beginner in PHP.
I noticed that a lot of code (actually all of it)
uses
$_POST['something']
to get something from the $_POST array,
while I simply use this method:
$something
I know it’s minor stuff and doesn’t actually matter…
but it keeps confusing me whether I should use this or that… and sometimes (when I’m really confused) I use them both!!
So I just want to know the proper way of doing this… and why?

$_POST['something'] is the preferred way (same with using $_GET or $_REQUEST).
$something will only work if register_globals is enabled/turned on, and on most environments this is turned off because it is unsafe.

Register Globals is actually removed from PHP 5.4.0, so your method will no longer work on that version.

If register_globals is turned off then $something will not work. But I don't use $_POST['something'] or $_GET['something'], because it requires a little bit more thinking about whether you are posting it or requesting it and a bit more typing effort, and hence a waste of time.

I simply write at the top of the php code the following:

// copy every query-string key into a variable of the same name
foreach ($_GET as $key => $value) {
    ${$key} = $value;
}
// copy every form field into a variable of the same name
foreach ($_POST as $key => $value) {
    ${$key} = $value;
}

That fixes the register_globals issue and then you can use $something without any issue, whether register_globals is turned on or off and on all PHP versions.

This doesn’t “fix” the issue - it brings back the register globals security problems once again. This is an awful idea and you should stop doing it at all costs.

It is a GOOD practice to explicitly call the $_POST[''] variables you wish to use, as it means you maintain strict control over the data flowing into and out of your application. You are doing it wrong.

Nice one!
What if someone sends a request like yoursite.php?_SESSION=blah
What do you think will happen to your $_SESSION after you run your “fixing global variables” code?

Exactly… This is just asking for trouble. Register globals was removed for a very good reason.

It also makes your code almost impossible to debug. I had to debug some code that was written using register globals a while back, and it was a total nightmare. In the middle of a (few thousand line btw) script, I’d have variables appearing literally from nowhere. How am I supposed to know what $exisLS or something with an equally obscure name is? How should I know where it comes from if register globals is turned on? It could be coming from some random page somewhere that has an ?exisLS=asdadad link on the get request, or it could be coming from some other script, or perhaps initialised some way on the page itself in some obscure piece of code I’ve not found… Horrible, insecure, awful stuff.

Don’t do it. Just don’t be lazy and get used to explicitly calling the $_POST and $_GET variables. It’s for the best in the long run.

Very good advice from other members here. I can add that I would advise you to turn off register_globals in php.ini on your development PHP installation (and on production also if possible) so that you will NOT be able to use $something instead of $_POST['something'] - this will make you code in the proper way from the start.

What nextpr suggests can also be achieved with the extract() function, which will extract all array values to local variables - don’t do it and don’t use it unless you have a very good reason to, which is very rare in practice. And this not only applies to $_POST and $_GET but also to other arrays you may be using. If you have an array with data, don’t extract all the values to access them by direct variables - access them through the original array. For example, instead of:


// fetch a row of data from the database into an array
// (mysqli_fetch_assoc() takes only the result set)
$row = mysqli_fetch_assoc($result);
// every column name becomes a variable in the current scope
extract($row);

// unit_price and quantity are fields fetched from the db
$ext_price = $unit_price * $quantity;

do this, which is much more descriptive:


// fetch a row of data from the database into an array
$product = mysqli_fetch_assoc($result);

// unit_price and quantity are fields fetched from the db;
// reading them through $product shows exactly where they come from
$ext_price = $product['unit_price'] * $product['quantity'];

I was also guilty of using the former method in all of my code a few years ago, and trying to understand what’s going on more than a week later is a nightmare. The few seconds you will lose now on typing a few more characters will save you headaches when you look at your code a few months later.

That’s what I love about this discussion board… real experts…
Thanks guys… I’ll keep this in mind.

I have been doing this for years in all my PHP code.

It’s never too late to learn and improve the way you code :slight_smile:

index.php?login=1;DROP%20TABLE%20users;

I’m sorry, what table?

The contents of $_POST, $_GET etc. are what are known as tainted data - you don’t know if the fields contain usable data until you validate them. Validating them means that you both avoid security issues and also avoid filling your database with junk.

When register globals was allowed to be turned on, all the data in your script would be tainted data, as you’d have no way to tell if someone passed in a value for a field the script used that wasn’t intended to be passed in. You validate for only accepting expected fields by turning off register globals - PHP 4.2 provided a partial fix for this by defaulting to off rather than on, and the latest version has plugged this massive security hole completely by doing away with register globals altogether.
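The clobbering described in the replies above (the foreach/${$key} loop, extract(), and tainted request data), next to the explicit validated read the thread recommends, as an added example that is not code from anyone in this thread; the request values, the is_admin default and the readOrderForm() function are constructed for illustration:

```php
<?php
// Added example, not code from the thread. A constructed request shows how the
// "foreach ... ${$key} = $value" loop (extract() behaves the same way) lets any
// request key overwrite a variable the script never meant to expose, and how an
// explicit, validated read of named fields avoids that. Runs from the CLI with
// $_GET/$_POST filled in by hand, so no web server is needed.
declare(strict_types=1);

// Constructed request: is_admin is NOT a field the form sends; quantity is junk.
$_GET  = ['is_admin' => '1', 'debug' => 'on'];
$_POST = ['username' => 'alice', 'quantity' => 'abc'];

// 1. Unsafe: the register_globals emulation from the thread, run over $_GET.
function unsafeImport(array $request): string
{
    $is_admin = false;                   // the script's own "safe" default
    foreach ($request as $key => $value) {
        ${$key} = $value;                // any request key becomes a variable here
    }
    // extract($request) would clobber $is_admin in exactly the same way.
    return var_export($is_admin, true);  // "'1'": the default was silently replaced
}

// 2. Safe: read only the fields you expect, from the array you expect, and
//    validate each one; every other key in the request is simply ignored.
function readOrderForm(array $post): array
{
    $username = filter_var($post['username'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/']]);
    $quantity = filter_var($post['quantity'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999]]);

    $bad = [];
    if ($username === false) { $bad[] = 'username'; }
    if ($quantity === false) { $bad[] = 'quantity'; }
    if ($bad !== []) {
        throw new InvalidArgumentException('invalid field(s): ' . implode(', ', $bad));
    }
    return ['username' => $username, 'quantity' => $quantity];
}

echo 'is_admin after unsafe import: ', unsafeImport($_GET), PHP_EOL;
try {
    $order = readOrderForm($_POST);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;      // invalid field(s): quantity
}
$order = readOrderForm(['username' => 'alice', 'quantity' => '3']);
var_dump($order['quantity'] === 3);      // bool(true): validated and cast to int
```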

That is the register global problem – just wow.

The fact that you are standing by it is even more astonishing… #smh

What sites have you created? – we would be happy to demonstrate first hand the security implications.