is it right way( safe) to assign post data value directly by name attibute value to a variable in php
i m working in PHP since one year, but now a days i got this way to assign post data value directly using name attribute . i m really curious to know the documentation about it.please refere me link regarding this .
i explain by example
here is my form
<form method="post" action="">
<input type="text" name="userName" id="userName">
<input type="submit" name="doit" value="submit">
</for开发者_JAVA技巧m>
to get the post data i always use
$somevar=mysql_real_escape_string($_POST['userName']);
but now i see another way
$somevar= "userName";
i just want to know that is it safe n easy way??
I think you're looking for the PHP ini directive register_globals
. Take a look at Variables From External Sources. However, this directive defaults to "off" and you should probably leave it that way since it is deprecated in PHP 5.3. You would still have to mysql_real_escape_string()
it anyway.
You can also use import_request_variables()
to register the globals manually:
import_request_variables("p");
echo $userName;
Using Register Globals on the PHP website gives you a good idea as to how it can be unsafe to automatically register HTTP variables as globals.
Personally I like to use an escape function. So I would stick with mysql_real_escape_string()
I've never seen any code where a variable has been assigned from a quoted value. The way I understand it, all you'd be doing is making $somevar
contain a string userName
you can better use the below one
$somevar= $userName;
OR
$somevar= $_POST[userName];
精彩评论