$_POST array question

  • William Gill

    $_POST array question

    This may sound stupid but, in my testing I have noticed that I get every
    form field ($_POST array key), even if not populated. I am sure that's
    not how things worked before, but the point is, is it now safe to
    address $_POST array keys without testing to see if they exist (as long
    as I know the form field name exists)?

  • Jerry Stuckle

    #2
    Re: $_POST array question

    William Gill wrote:
    >This may sound stupid but, in my testing I have noticed that I get every
    >form field ($_POST array key), even if not populated. I am sure that's
    >not how things worked before, but the point is, is it now safe to
    >address $_POST array keys without testing to see if they exist (as long
    >as I know the form field name exists)?

    No, it's never safe to trust user input. For instance, they may have
    just issued a GET request for the form processing page. Or they could
    have created their own form, pointing at your processing page, with
    their own stuff in it (i.e. hackers).

    And unchecked checkboxes do not get sent.

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    jstucklex@attglobal.net
    ==================


    • Álvaro G. Vicario

      #3
      Re: $_POST array question

      *** William Gill wrote (Fri, 25 Apr 2008 16:54:36 -0400):
      >This may sound stupid but, in my testing I have noticed that I get every
      >form field ($_POST array key), even if not populated. I am sure that's
      >not how things worked before

      More or less, that's how it's always worked. Browsers send all form fields
      except:

      - Fields with "disabled" attribute
      - Unchecked checkboxes

      >but the point is, is it now safe to
      >address $_POST array keys without testing to see if they exist (as long
      >as I know the form field name exists)?

      For God's sake, *never* trust external data!


      --
      -- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
      -- My site about web programming: http://bits.demogracia.com
      -- My site of humor in little cubes: http://www.demogracia.com
      --


      • Rik Wasmus

        #4
        Re: $_POST array question

        On Fri, 25 Apr 2008 22:54:36 +0200, William Gill <noreply@example.com>
        wrote:
        >This may sound stupid but, in my testing I have noticed that I get every
        >form field ($_POST array key), even if not populated. I am sure that's
        >not how things worked before, but the point is, is it now safe to
        >address $_POST array keys without testing to see if they exist (as long
        >as I know the form field name exists)?

        I suspect the only thing that would cause this to your perception is a
        different error_reporting level where notices aren't called to your
        attention anymore.

        Keep testing for existence of POST keys before doing anything else.
        --
        Rik Wasmus


        • William Gill

          #5
          Re: $_POST array question

          Jerry Stuckle wrote:
          >No, it's never safe to trust user input.

          I don't. But I could swear that empty fields didn't have corresponding
          $_POST keys before. Now I get every field/key, so I was thinking I
          didn't have to perform an array_key_exists( 'fieldname', $_POST ).

          >And unchecked checkboxes do not get sent.

          I didn't have any checkboxes on the form I was testing, I'll test
          against them.


          • William Gill

            #6
            Re: $_POST array question

            Álvaro G. Vicario wrote:
            >More or less, that's how it's always worked. Browsers send all form fields
            >except:
            >
            >- Fields with "disabled" attribute
            >- Unchecked checkboxes

            I could have sworn I didn't get empty fields before.

            >For God's sake, *never* trust external data!

            I don't. I didn't want to perform an array_key_exists( 'fieldname',
            $_POST ) before I test what value they contain.


            • Michael Fesser

              #7
              Re: $_POST array question

              ..oO(William Gill)
              >Jerry Stuckle wrote:
              >
              >>No, it's never safe to trust user input.
              >
              >I don't. But I could swear that empty fields didn't have corresponding
              >$_POST keys before. Now I get every field/key

              Empty form fields are always submitted, because they actually have a
              value - an empty string. That's different from having no value at all.

              >so I was thinking I
              >didn't have to perform an array_key_exists( 'fieldname', $_POST ).

              Such checks (usually with isset()) should always be done.

              Micha


              • William Gill

                #8
                Re: $_POST array question

                Rik Wasmus wrote:
                >I suspect the only thing that would cause this to your perception is a
                >different error_reporting level where notices aren't called to your
                >attention anymore.
                >
                >Keep testing for existence of POST keys before doing anything else.

                foreach($_POST as $key => $val){} returns all keys, even for empty
                fields. I don't remember things working that way before. However, I'm
                not sure about the errors. I'll have to do some more testing.


                • Rik Wasmus

                  #9
                  Re: $_POST array question


                  On Sat, 26 Apr 2008 08:04:58 +0200, William Gill <noreply@example.com>
                  wrote:
                  >Rik Wasmus wrote:
                  >>I suspect the only thing that would cause this to your perception is a
                  >>different error_reporting level where notices aren't called to your
                  >>attention anymore.
                  >>Keep testing for existence of POST keys before doing anything else.
                  >
                  >foreach($_POST as $key => $val){} returns all keys, even for empty
                  >fields. I don't remember things working that way before. However, I'm
                  >not sure about the errors. I'll have to do some more testing.

                  Oh yes, that always worked like that to my knowledge (save for
                  checkboxes). An empty string is still a value, and perhaps even an
                  important one.
                  --
                  Rik Wasmus


                  • William Gill

                    #10
                    Re: $_POST array question

                    Michael Fesser wrote:
                    >Empty form fields are always submitted, because they actually have a
                    >value - an empty string. That's different from having no value at all.

                    I don't remember it working that way in practice, but I may be confusing
                    PHP and other script engines (like Python). I guess it doesn't matter
                    what I remember or not.

                    >Such checks (usually with isset()) should always be done.

                    Probably right. For some reason I was getting the impression I could
                    skip that in lieu of other things, but..

                    I was adding the following to input fields...

                    class="<?php echo array_key_exists('First_Name', $form_errors) ? 'error'
                    : 'normal'?>" value="<?php echo array_key_exists('First_Name', $_POST)?
                    htmlentities( $_POST['First_Name'],ENT_QUOTES) : '' ?>"

                    .... and now I may have to retool my thinking a little. Might be cleaner
                    to create a function instead.


                    • Jerry Stuckle

                      #11
                      Re: $_POST array question

                      William Gill wrote:
                      >Álvaro G. Vicario wrote:
                      >>More or less, that's how it's always worked. Browsers send all form
                      >>fields
                      >>except:
                      >>
                      >>- Fields with "disabled" attribute
                      >>- Unchecked checkboxes
                      >
                      >I could have sworn I didn't get empty fields before.
                      >
                      >>For God's sake, *never* trust external data!
                      >
                      >I don't. I didn't want to perform an array_key_exists( 'fieldname',
                      >$_POST ) before I test what value they contain.

                      Use isset($_POST['fieldname']).

                      --
                      ==================
                      Remove the "x" from my email address
                      Jerry Stuckle
                      JDS Computer Training Corp.
                      jstucklex@attglobal.net
                      ==================


                      • Michael Fesser

                        #12
                        Re: $_POST array question

                        ..oO(William Gill)
                        >Michael Fesser wrote:
                        >
                        >>Empty form fields are always submitted, because they actually have a
                        >>value - an empty string. That's different from having no value at all.
                        >
                        >I don't remember it working that way in practice

                        You've already said that ;-), but it always worked that way as far as I
                        can remember.

                        >but I may be confusing
                        >PHP and other script engines (like Python).

                        Quite possible.

                        >I guess it doesn't matter
                        >what I remember or not.
                        >
                        >>Such checks (usually with isset()) should always be done.
                        >
                        >Probably right. For some reason I was getting the impression I could
                        >skip that in lieu of other things, but..
                        >
                        >I was adding the following to input fields...
                        >
                        >class="<?php echo array_key_exists('First_Name', $form_errors) ? 'error'
                        >: 'normal'?>" value="<?php echo array_key_exists('First_Name', $_POST)?
                        >htmlentities( $_POST['First_Name'],ENT_QUOTES) : '' ?>"
                        >
                        >... and now I may have to retool my thinking a little. Might be cleaner
                        >to create a function instead.

                        Indeed. Such things are done over and over again, so some little helper
                        functions would really make sense here.

                        Micha


                        • William Gill

                          #13
                          Re: $_POST array question

                          Rik Wasmus wrote:
                          >On Sat, 26 Apr 2008 08:04:58 +0200, William Gill <noreply@example.com>
                          >wrote:
                          >
                          ><snip>
                          >>... I don't remember things working that way before. However,
                          >>I'm not sure about the errors. I'll have to do some more testing.
                          >
                          >Oh yes, that always worked like that to my knowledge (save for
                          >checkboxes). An empty string is still a value, and perhaps even an
                          >important one.

                          I guess that's why old people (like me) shouldn't be doing this.


                          • William Gill

                            #14
                            Re: $_POST array question

                            Jerry Stuckle wrote:
                            >William Gill wrote:
                            ><snip>
                            >>I don't. I didn't want to perform an array_key_exists( 'fieldname',
                            >>$_POST ) before I test what value they contain.
                            >
                            >Use isset($_POST['fieldname']).

                            That's what I meant, array_key_exists wouldn't help.


                            • William Gill

                              #15
                              Re: $_POST array question

                              William Gill wrote:
                              >Jerry Stuckle wrote:
                              >>William Gill wrote:
                              >><snip>
                              >>>I don't. I didn't want to perform an array_key_exists( 'fieldname',
                              >>>$_POST ) before I test what value they contain.
                              >>
                              >>Use isset($_POST['fieldname']).
                              >
                              >That's what I meant, array_key_exists wouldn't help.

                              isset() seems to be a waste of time also, since every field is being set
                              even if only with an empty string.
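
Added example, not part of any post in this thread: a small helper of the kind suggested in posts #10 and #12, showing why the isset() check still matters even though browsers send blank fields as empty strings. The function names (post_string, post_checked, field_attrs), the Subscribe checkbox and the sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (names are not from the thread).

/** Submitted field as a string, or null if the key is absent or not a string. */
function post_string(array $post, string $name): ?string
{
    // isset() is false for a missing key (GET request, hand-built form,
    // disabled field). is_string() rejects First_Name[]=x, which PHP
    // parses into an array and which htmlentities() cannot take.
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    return $post[$name];
}

/** Unchecked checkboxes are not sent, so an absent key means "unchecked". */
function post_checked(array $post, string $name): bool
{
    return post_string($post, $name) !== null;
}

/** class/value attributes for a text input, as in the snippet from post #10. */
function field_attrs(array $post, array $errors, string $name): string
{
    $class = array_key_exists($name, $errors) ? 'error' : 'normal';
    $value = htmlentities(post_string($post, $name) ?? '', ENT_QUOTES, 'UTF-8');
    return sprintf('class="%s" value="%s"', $class, $value);
}

// Constructed sample requests, standing in for $_POST.
$samples = [
    'browser, field left empty'    => ['First_Name' => ''],
    'no POST body / field omitted' => [],
    'array sent as First_Name[]'   => ['First_Name' => ['x']],
    'value containing quotes'      => ['First_Name' => 'Bill "Will" O\'Neil', 'Subscribe' => 'on'],
];
foreach ($samples as $label => $post) {
    $v = post_string($post, 'First_Name');
    $state = $v === null ? 'missing' : ($v === '' ? 'empty' : 'present');
    $errors = $state === 'present' ? [] : ['First_Name' => 'required'];
    printf("%-30s %-8s checkbox=%s  %s\n", $label, $state,
        post_checked($post, 'Subscribe') ? 'on' : 'off',
        field_attrs($post, $errors, 'First_Name'));
}
```

The first two rows are the distinction the thread turns on: a browser that leaves the field blank yields an empty string, while a request that never carried the field yields null.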
