Posted by Jerry Stuckle on 05/07/06 16:54
zorro wrote:
> greetings...
>
> I'm wondering what more advanced coders would think of this:
>
> $_POST['myvar'] = clean($_POST['myvar']);
>
> and now I can use POST directly:
>
> $sql= "select * from T1 where myvar='$_POST[myvar]' " ;
>
> function clean($var){
> return addslashes(trim($var)); // whatever
> }
>
> The reason I came up with this is because I often end up calling
> clean() several times on the same variable. So to avoid declaring a PHP
> variable for each posted one, I would use an array
>
> $arr['myvar'] = clean($_POST['myvar']);
> $arr['myvar2'] = clean($_POST['myvar2']);
>
> but since $_POST is already there, why not use it? The benefit is
> simpler code, but maybe there are some security issues - that's what I
> don't know.
>
I don't like it at all.
First of all, what happens if you need to access the unchanged versions of the
$_POST variables? Maybe not now - but you might in the future. Your code may
*look* simpler - but you've just made it much harder to modify in the future.
Second, if you're calling mysql, you should be using mysql_real_escape_string
instead of addslashes.
If you're calling clean for the same variable multiple times, you should be
storing the value in a new variable the first time, then use it there. For
instance -
$myvar = clean($_POST['myvar']);
No need to call the same function repeatedly for the same data.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
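The pattern Jerry describes, written out as an added example (this is not code from either poster): keep $_POST exactly as the client sent it, run clean() once into a local variable, and hand that value to the database as a bound parameter rather than splicing an escaped string into the SQL text. The mysql_* functions this thread refers to were removed in PHP 7, and escaping with addslashes is not aware of the connection character set, so a prepared statement (PDO or mysqli) is the modern equivalent of the mysql_real_escape_string advice. The table T1 and column myvar come from the original post; the in-memory SQLite database, the rows in it and the fake $_POST contents are constructed here so the script runs offline.

```php
<?php
// Added example, not from the thread. Demonstrates: untouched $_POST, a single
// cleaned local, and a parameterised query. PDO + SQLite in memory so it runs
// stand-alone; the data below is constructed for the demo.

declare(strict_types=1);

function clean(string $var): string
{
    // Only normalise whitespace. SQL escaping is deliberately not done here:
    // the database driver handles that when the value is bound.
    return trim($var);
}

function findByMyvar(PDO $db, string $value): array
{
    // The user value never becomes part of the SQL text, so quotes or
    // backslashes inside it cannot change the structure of the statement.
    $stmt = $db->prepare('SELECT * FROM T1 WHERE myvar = :myvar');
    $stmt->execute([':myvar' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed schema and rows standing in for the real T1 table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE T1 (id INTEGER PRIMARY KEY, myvar TEXT)');
$db->exec("INSERT INTO T1 (myvar) VALUES ('alice'), ('bob'), ('o''brien')");

// Constructed request: surrounding whitespace plus an embedded quote,
// standing in for what a browser would have POSTed.
$_POST = ['myvar' => "  o'brien  "];

// Clean once into a local. $_POST['myvar'] keeps the raw submission, so
// later code (logging, a second validator) can still see what was sent.
$myvar = clean($_POST['myvar']);
$rows  = findByMyvar($db, $myvar);
var_dump($rows);

printf(
    "raw=%s cleaned=%s\n",
    var_export($_POST['myvar'], true),
    var_export($myvar, true)
);

// A classic injection string is treated as an ordinary (non-matching) value.
$attack = "x' OR '1'='1";
var_dump(findByMyvar($db, $attack));
```

Run with `php example.php` on a build that has pdo_sqlite enabled. The first lookup matches the row whose value is the trimmed submission, the raw and cleaned strings are printed side by side so the difference is visible, and the injection attempt is compared literally against the myvar column, so the OR clause never reaches the parser. The same findByMyvar() body works against MySQL by changing only the DSN, which is the point of moving escaping out of clean() and into the driver.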