Page 2 of 4 (results 11 to 20 of 40)

Thread: Are Hidden Variables $_POST variables?

  1. #11 (joined Sep 2007, Maui, 642 posts)

    Hi Daniel! I am coming in to the home stretch on that site you were helping me with a month ago. I successfully replaced the function with includes and am now trying to tie the whole thing together logically. I'm hoping that the $_POST variables will solve the Register Globals issue. I ended up renaming all the variables so they make sense to me, but what a can of worms that became! There is one variable I can't get to work even with $_REQUEST but I'll ask about that later. Right now I want to see if I can apply traq's trick without breaking anything.

    Thanks, traq, for sharing your method. It may solve a confusion I have encountered when trying to use the same include in various places, one where the variables are coming from the database, one where they are coming from forms, and one where they are coming from the database into a form for editing and then being used in emails. I am wondering if in the 3rd case I should save the updates and then reload from the database rather than use the $_POST variables. Is there a best way? Thanks.

  2. #12 (joined Apr 2008, So.Cal, 3,643 posts, 5 blog entries)

    ...if I understand you correctly, it would not make any difference. You could perform the DB query and the emailing together, so as to make sure you have consistent values (i.e., if the DB query fails, the email that says it was successful won't be sent):
    PHP Code:
    // code for preparing vars for database above...

    $to = "user@email.com";
    $subject = "database submission";
    if ($DBquery = mysql_query($SQL)) {
        $message = "Success! You are from $country";
    } else {
        $message = "FAIL! Nobody cares where you're from";
    }

    mail($to, $subject, $message);
    As for dealing with variables from different sources (I assume you're talking about naming conflicts, etc., at least in part), you could prepend each variable name with something unique - e.g., $DB_varname would not be confused with $INC_varname . You could also use classes (object-oriented programming), but that would mean re-writing your site again.

  3. The Following User Says Thank You to traq For This Useful Post: kuau (01-22-2010)

  4. #13 (joined Sep 2007, Maui, 642 posts)

    I'm not sure I quite grasp the concept of OOP. I do use a class.phpmailer.php for the emails, as they are separate html files. I'm not sure what OOP would look like. I believe I use what would be called modular programming methods. I am basically trying to make sense of this guy's code by undoing his penchant for copying and pasting code all over the place by gathering duplicate code and putting it into includes so I can get an overview of what is happening. It is a live ecommerce site so it is disastrous if I break something. Needless to say, I am eager to get it finished and be able to register_globals off because every time the host upgrades the php, all the site variables (dates etc) go blank. The owner loses money every minute it is down... no fun.

    It is still not clear to me what happens if a variable exists and has a value out of the database. For example: $country = "US"; Now what happens if it encounters in an include $country = $_POST['country'] and there is no POST value for $country? Does it retain the value "US" or does it get blanked out?

    BTW, what are these... \x00, \n, \r, \, ', " and \x1a. and why would they be dangerous if they got loaded in with the data? Mahalo, e

  5. #14 (joined Mar 2006, Illinois, USA, 12,164 posts)

    Those are characters that could potentially mess with the query, such as adding "; delete database;" to the end of a query-- that would be bad.

    If $country is set to something else at any time, then, yes, it would have a different value. If $_POST['country'] is not set and you try to set it this will generate a warning (error) if the error reporting settings are high, but it will probably reset the value of $country-- I think this is the case. You could always do an if-- if (isset($x)) { $y = $x; }
    But it sounds like this is a case where you need to: 1) plan ahead (to predict exactly what the pattern will be), and 2) name variables specifically and consistently.
    Should $country get the value of $_POST['country']? If so, good. If not, change the name of one of them.
    And turning off register_globals would help here too.


    OOP is not needed, perhaps never needed. It just makes things easier if you are doing repeated sets of repeated operations.
    A class is an "object" in the sense that it has internal properties and internal functions.
    Functions make repeating sections of code easy. Classes make doing SETS of functions easy and acting on an "object" the same way as other objects.
    For example, you could make a "tree" class and apply internal functions to it-- $tree->grow(); $tree->growfruit(); $tree->die();
    It would be useless if you only have one tree, but if you want to have a lot of "trees", then making a class for "tree" is efficient.
    But again, you never actually need this, and it is probably more work than you need to do, unless you are planning to reuse the same code (in a very big sense) for a number of instances of a certain type of object (in the metaphorical sense, but also the "O" of "OOP").
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  6. The Following User Says Thank You to djr33 For This Useful Post: kuau (01-22-2010)
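The two questions in post #13 (does $country keep its database value when the include assigns it from an empty $_POST, and why the listed characters matter) can be checked from the command line. The script below is an added example, not code from the thread; $post is a constructed stand-in for $_POST so it runs without a web server, and buildFilter() is a hypothetical helper that builds the kind of quoted filter string the thread discusses.

```php
<?php
// Added example (not from the thread): what happens to a variable that
// already holds a database value when an include assigns it from $_POST.

// Constructed sample data: $country came out of the database earlier.
$country = 'US';

// $post stands in for $_POST so the script runs from the command line.
// Case 1: the form did not send 'country'.
$post = [];
$overwritten = $country;
// Reading a missing key yields null (PHP also emits an "Undefined array key"
// warning). The ?? null below gives the same assignment result without the
// warning: the value from the database is replaced by null.
$overwritten = $post['country'] ?? null;
var_dump($overwritten);

// Case 2: the isset() guard from the post above keeps the existing value,
// because the assignment is skipped when the form sent nothing.
$guarded = $country;
if (isset($post['country'])) {
    $guarded = $post['country'];
}
var_dump($guarded);

// Case 3: the form did send a value, so the guarded assignment takes it.
$post = ['country' => 'Canada'];
if (isset($post['country'])) {
    $guarded = $post['country'];
}
var_dump($guarded);

// Why \x00, \n, \r, \, ', " and \x1a matter: when a value is pasted into a
// quoted SQL literal, a raw quote ends the literal early and whatever follows
// is read as SQL. With the "; delete database;" example from the post, the
// extra statement ends up inside the query text.
function buildFilter(string $value): string
{
    // Hypothetical helper: concatenates the value the way the thread's
    // $filter line does, with no escaping, to show the effect.
    return "SELECT * FROM agencies WHERE country = '" . $value . "'";
}
echo buildFilter('US'), "\n";
echo buildFilter("US'; delete database;"), "\n";
```

Run it with `php` on the command line; the first var_dump shows null, the second and third show the retained and the submitted value. The last line shows the quote from the input closing the literal, which is the reason those seven characters need escaping (or a prepared statement with a placeholder) before they reach the query.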

  7. #15 (joined Sep 2007, Maui, 642 posts)

    OK, thanks, that's a relief that I can skip OOP. I'm just going to try what I have in mind and see if it works. I found this cool code snippet in the comments on your link re mysql_real_escape which I added to my connection code which I think makes it so all POST variables are escaped without my having to do it explicitly in the code...

    Code:
    //This stops SQL Injection in POST vars 
    foreach ($_POST as $key => $value) { 
     $_POST[$key] = mysql_real_escape_string($value); 
    }

  8. #16 (joined Jan 2008, 4,168 posts, 1 blog entry)

    Yes it does, but I would do:
    PHP Code:
    //This stops SQL Injection in POST vars 
    foreach ($_POST as $key => $value) {
        $_POST[$key] = mysql_real_escape_string(htmlentities($value));
    }

    Jeremy | jfein.net
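One thing the one-level foreach in posts #15 and #16 does not cover is that $_POST can contain arrays (any form field named like `country[]`), and mysql_real_escape_string() rejects an array argument. The script below is an added example, not code from the thread or from either poster. Since mysql_real_escape_string() was removed from PHP long ago, escapeForSql() is a hypothetical stand-in that escapes the same seven characters; escapePostRecursive() and the sample $post array are also constructed for this illustration.

```php
<?php
// Added example (not from the thread). mysql_real_escape_string() no longer
// exists in current PHP, so a stand-in escaper is passed in as a callable.

// Walk the POST data recursively: form fields named like field[] arrive as
// arrays, and a one-level foreach would hand the whole array to the escaper
// and leave the nested strings untouched.
function escapePostRecursive(array $data, callable $escape): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $out[$key] = is_array($value)
            ? escapePostRecursive($value, $escape)
            : $escape((string) $value);
    }
    return $out;
}

// Hypothetical stand-in for mysql_real_escape_string(): escapes the seven
// characters asked about in post #13 (NUL, newline, carriage return,
// backslash, single quote, double quote, Ctrl-Z) the same way.
function escapeForSql(string $value): string
{
    return strtr($value, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Constructed sample of what $_POST might contain for this kind of form.
$post = [
    'Agency'  => "O'Brien & Sons",
    'country' => ['US', 'Canada'],   // from <input name="country[]">
];

// Variant from post #15: SQL escaping only.
$sqlSafe = escapePostRecursive($post, 'escapeForSql');
print_r($sqlSafe);

// Variant from post #16: htmlentities() first, then SQL escaping. Note that
// htmlentities() rewrites characters such as & and < into HTML entities, so
// the value stored in the database is no longer exactly what the user typed;
// that is the trade-off of escaping for HTML at input time rather than when
// the value is printed into a page.
$both = escapePostRecursive($post, fn (string $v) => escapeForSql(htmlentities($v)));
print_r($both);
```

Running it prints both escaped copies; compare the `Agency` entry in the two outputs to see how the htmlentities() step changes the stored value, and note that the nested `country` array is escaped element by element instead of being skipped.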

  9. #17 (joined Apr 2008, So.Cal, 3,643 posts, 5 blog entries)

    Kuau,

    Sorry, I wasn't suggesting you switch to OOP. Sorry for alarming you. I was only referring to how each variable's scope would be limited inside a class, therefore eliminating possible conflicts from different files. But it's certainly not necessary or convenient in this case.

  10. #18 (joined Mar 2006, Illinois, USA, 12,164 posts)

    Another way to accomplish that same goal is to use arrays:
    $item1['country'] = 'USA';
    $item2['country'] = 'Canada';
    etc.

    That way you can use the same names (that are logical), but keep them separated by the "object" you are using. This would require nothing more than the code above.
    Daniel - Freelance Web Design

  11. #19 (joined Sep 2007, Maui, 642 posts)

    I am making great progress but I have hit a snag at this one line. I can't figure out why it is not giving the correct value for $filter. I need sleep so my eyes just can't see it at the moment. This line:

    Code:
    $filter = "agency = '".$_POST['Agency']."' "; echo $filter; exit;
    produces this: agency = ''

    I've tried $Agency and $_POST['Agency'] and still the same even though when I run debug it shows $_POST['Agency'] = "Alamo";

    What am I missing? Thanks, e

  12. #20 (joined Apr 2008, So.Cal, 3,643 posts, 5 blog entries)

    ...Are you sure it's "Agency" and not "agency"?

    Maybe try what we discussed above and see what happens
    PHP Code:
    $agency = $_POST['Agency'];
    $filter = "agency = '$agency'"; echo $filter; exit;
    ?

    Just a guess. Other than that, I'd have to see the code.

  13. The Following User Says Thank You to traq For This Useful Post: kuau (01-25-2010)
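The guess in post #20 is worth making concrete: array keys in $_POST are case-sensitive, so 'Agency' and 'agency' are two different entries and the missing one silently reads as an empty string inside the $filter concatenation. The helper below is an added example, not code from the thread; postValue() is a hypothetical function, and $post is a constructed stand-in for $_POST.

```php
<?php
// Added example (not from the thread): $_POST keys are case-sensitive, so a
// lookup that misses by case alone should say so instead of yielding ''.

function postValue(array $post, string $key): string
{
    if (array_key_exists($key, $post)) {
        return (string) $post[$key];
    }
    // Look for a case-only mismatch and report it explicitly.
    foreach (array_keys($post) as $actual) {
        if (strcasecmp((string) $actual, $key) === 0) {
            throw new RuntimeException(
                "No key '$key' in POST data, but '$actual' exists (check the form's name= attribute)"
            );
        }
    }
    throw new RuntimeException(
        "No key '$key' in POST data; keys present: " . implode(', ', array_keys($post))
    );
}

// Constructed sample: the form field was named "agency" in lower case, while
// the PHP code asks for "Agency".
$post = ['agency' => 'Alamo'];

try {
    $agency = postValue($post, 'Agency');
    $filter = "agency = '$agency'";
    echo $filter, "\n";
} catch (RuntimeException $e) {
    // Instead of the silent agency = '' from the thread, the mismatch is named.
    echo $e->getMessage(), "\n";
}

// With the key spelled to match the form, the filter is built as expected.
$post = ['Agency' => 'Alamo'];
echo "agency = '" . postValue($post, 'Agency') . "'", "\n";
```

The first block reports the case mismatch instead of producing `agency = ''`; the second builds the filter once the key matches. The value still goes into the query by concatenation here, exactly as in the thread, so it must be escaped (or bound as a prepared-statement parameter) before the query is run.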
