
Is it legal to change $_POST


Folks,

When I read data from my form, I sanitize it before recording it in MySQL.
At the moment, the values in $_POST are cleaned and returned in a new array
called $formData.

I found by accident that I could change the value of $_POST thus I was
thinking it would be better usage of memory (and therefore overall
performance) if instead of having duplicate data that I instead have the
cleaned data returned to $_POST.

I know I *can* do this - what I don't know is if it's a feature or a bug (i.e.
if I depend on it now will later versions of PHP (either v4 or v5) make such
a dependency redundant).

Can anyone comment on what they advise as being best practice here?

cheers
randelld
Jul 16 '05 #1
3 Replies


Randell D. wrote:
I found by accident that I could change the value of $_POST thus I was
thinking it would be better usage of memory (and therefore overall
performance) if instead of having duplicate data that I instead have the
cleaned data returned to $_POST.


I recommend doing this, especially when you're working on a project with
other programmers who might not be so diligent about variable cleaning.

I work on a CMS project and we clean all user-generated variables right
at the start, because we know that some 3rd party module developers are
too lazy to bother, thus breaking security for the whole system.

Jochen

--
/**
* @author Jochen Buennagel <zang at buennagel dot com>
*/

Jul 16 '05 #2


"Why?" <wh*@why.com> wrote in message
news:bi**********@bunyip.cc.uq.edu.au...
Randell D. wrote:
"Jochen Buennagel" <za**@buennagel.com> wrote in message
news:bi*************@news.t-online.com...
Randell D. wrote:

I found by accident that I could change the value of $_POST thus I was
thinking it would be better usage of memory (and therefore overall
performance) if instead of having duplicate data that I instead have the
cleaned data returned to $_POST.

I recommend doing this, especially when you're working on a project with
other programmers who might not be so diligent about variable cleaning.

I work on a CMS project and we clean all user-generated variables right
at the start, because we know that some 3rd party module developers are
too lazy to bother, thus breaking security for the whole system.

Jochen

--
/**
* @author Jochen Buennagel <zang at buennagel dot com>
*/

Fair comment on cleaning the data - I am aware of the risks - however, my question related as to where you keep the cleaned data.

Do you return your cleaned data to $_POST or do you return it to another
newer variable thus doubling the memory used to retain your user variable data.


For the scripts I do I have a recursive function that goes through all
$_GET, $_POST and $_COOKIE variables and adds slashes to them if
auto-slashes is on (not them directly but the contents of the arrays). I
simply just modify the variables in place.

IMHO, it's perfectly fine to just put the 'cleansed' input data back
into the corresponding variables indexes.

Cheers,
Why.


Thanks
Jul 16 '05 #3
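
The in-place approach discussed in this thread, as an added example that is not part of any poster's message: a recursive function that overwrites the contents of $_GET, $_POST and $_COOKIE by reference instead of returning a second array. The function names `clean_value` and `clean_in_place`, the cleaning rule and the sample form data are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Cleaning rule for one string. The rule itself is an assumption for this
// example: strip control characters and trim. A value that is not valid
// UTF-8 makes preg_replace() return null and is replaced by ''.
function clean_value(string $value): string
{
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', '', $value) ?? '';
    return trim($value);
}

// Walk a request array recursively and overwrite each string where it sits.
// The array is taken by reference, so no second copy of the data is built.
// Array keys are left exactly as they were received.
function clean_in_place(array &$data): void
{
    foreach ($data as &$value) {
        if (is_array($value)) {
            clean_in_place($value);
        } elseif (is_string($value)) {
            $value = clean_value($value);
        }
    }
    unset($value); // drop the reference left behind by foreach
}

// Constructed sample input standing in for a submitted form.
$_POST = [
    'name' => "  Randell\x00 ",
    'tags' => ["php\x07", ' mysql '],   // nested array, e.g. tags[] fields
    'note' => "caf\xE9",                // invalid UTF-8 byte sequence
];

// Run once at the very start of the request, before any other code
// (including third-party modules) reads the input.
clean_in_place($_GET);
clean_in_place($_POST);
clean_in_place($_COOKIE);

// This is input normalisation only, not SQL escaping: values still reach
// MySQL through a parameterised query or the driver's escaping function.
var_export($_POST);
```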


"Jochen Buennagel" <za**@buennagel.com> wrote in message
news:bi*************@news.t-online.com...
Randell D. wrote:
I found by accident that I could change the value of $_POST thus I was
thinking it would be better usage of memory (and therefore overall
performance) if instead of having duplicate data that I instead have the
cleaned data returned to $_POST.


I recommend doing this, especially when you're working on a project with
other programmers who might not be so diligent about variable cleaning.

I work on a CMS project and we clean all user-generated variables right
at the start, because we know that some 3rd party module developers are
too lazy to bother, thus breaking security for the whole system.

Jochen

--
/**
* @author Jochen Buennagel <zang at buennagel dot com>
*/


Fair comment on cleaning the data - I am aware of the risks - however, my
question related as to where you keep the cleaned data.

Do you return your cleaned data to $_POST or do you return it to another
newer variable thus doubling the memory used to retain your user variable
data.
Jul 16 '05 #4
