Using $_GET & $_POST

Perhaps I am doing something wrong from the very beginning, and if so, I will also work on it ...

I have a menu item that passes the event identifier # as part of the URL. In my particular case, the user goes to the information page for this event. There is a button there that allows them to register for the event. Click it, and they are subscribed to the event and returned to the same information page, which now says that they are registered and allows them to see a few additional things.

The first time they click through to the page, I use $_GET to determine the event identifier #, which is then passed back to the page as a hidden input field if they click the registration button. But this time I need to use $_POST to determine the event ID. So the code in my query has a logical part that looks like

SELECT stuff FROM ... WHERE eventID = ($_GET["ID"] ? $_GET["ID"] : $_POST["ID"])

It works, but it just feels that it can be done better ...

+3
5 answers
  • Sanitize your database entries. mysql_real_escape_string() is a quick and easy way to achieve this (or, if the identifier is always numeric, you can simply use intval()). Don't be like the school that fell for Bobby Tables.
  • , , $_REQUEST superglobal, GET, POST (: $_REQUEST['ID']). $_REQUEST, , , .

, $_REQUEST cookie, , - $_COOKIE, $_POST, $_GET. , , , , $_SERVER['REQUEST_METHOD'] :

// You can use mysql_real_escape_string() instead if you want
$id = ($_SERVER['REQUEST_METHOD'] == 'POST') ? intval($_POST['id']) : intval($_GET['id']);


* - variables_order, .

+8
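Putting the answer above together, as an added example (not the answerer's code): the ID is read only from the superglobal that matches the request method, validated as a positive integer, and then bound as a parameter in a prepared statement, which replaces mysql_real_escape_string() (the mysql_* extension itself is gone since PHP 7). The PDO connection $pdo, the table name `events` and the column `stuff` are assumptions for illustration.

```php
<?php
// Added example, not from the original answer. Assumes a PDO connection in $pdo
// and a table `events` with an integer `eventID` column (names are constructed).

/**
 * Pick the event ID from the superglobal that matches the request method, so a
 * value smuggled in through the other channel (or through a cookie, which
 * $_REQUEST would also merge in) is never consulted.
 * Returns null when the ID is missing or not a positive integer.
 */
function resolveEventId(string $method, array $get, array $post): ?int
{
    $source = ($method === 'POST') ? $post : $get;
    if (!isset($source['ID'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects strings such as "12abc" or "1e3" outright,
    // whereas intval("12abc") silently yields 12. min_range drops 0 and negatives.
    $id = filter_var(
        $source['ID'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return ($id === false) ? null : $id;
}

/**
 * Fetch the event row. The ID travels as a bound parameter, never as SQL text,
 * so no escaping function is involved at all.
 */
function loadEvent(PDO $pdo, int $eventId): ?array
{
    $stmt = $pdo->prepare('SELECT stuff FROM events WHERE eventID = :id');
    $stmt->execute([':id' => $eventId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// Page entry point: reject the request early when no valid ID was supplied.
$eventId = resolveEventId($_SERVER['REQUEST_METHOD'] ?? 'GET', $_GET, $_POST);
if ($eventId === null) {
    http_response_code(400);
    exit('Missing or invalid event ID');
}
// $event = loadEvent($pdo, $eventId);   // $pdo is assumed to exist (see lead-in)
```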



"SELECT stuff FROM ... WHERE eventID = '" . mysql_real_escape_string($_REQUEST['id']) . "';"


$_POST['id'] and not $_POST["id"] unless you're doing something like $_POST["post_$id"]


+2


Separate the retrieval of the supplied identifier from its lookup in the database. In other words, as soon as the page knows whether it is being called via GET or POST, it knows the correct superglobal to take the identifier from. In fact, there may be some pages that are always called with POST, and others always with GET.

If it really doesn't matter which one it gets the identifier from, use $_REQUEST.

0

Source: https://habr.com/ru/post/1714732/
