Is it legal to change $_POST

  • Randell D.

    Is it legal to change $_POST


    Folks,

    When I read data from my form, I sanitize it before recording it in MySQL.
    At the moment, the values in $_POST are cleaned and returned in a new array
    called $formData.

    I found by accident that I could change the value of $_POST, thus I was
    thinking it would be better usage of memory (and therefore overall
    performance) if instead of having duplicate data I instead have the
    cleaned data returned to $_POST.

    I know I *can* do this - what I don't know is if it's a feature or a bug (i.e.
    if I depend on it now, will later versions of PHP (either v4 or v5) make such
    a dependency redundant?).

    Can anyone comment on what they advise as being best practice here?

    cheers
    randelld


  • Jochen Buennagel

    #2
    Re: Is it legal to change $_POST

    Randell D. wrote:
    > I found by accident that I could change the value of $_POST thus I was
    > thinking it would be better usage of memory (and therefore overall
    > performance) if instead of having duplicate data that I instead have the
    > cleaned data returned to $_POST.

    I recommend doing this, especially when you're working on a project with
    other programmers who might not be so diligent about variable cleaning.

    I work on a CMS project and we clean all user-generated variables right
    at the start, because we know that some 3rd party module developers are
    too lazy to bother, thus breaking security for the whole system.

    Jochen

    --
    /**
    * @author Jochen Buennagel <zang at buennagel dot com>
    */


    • Randell D.

      #3
      Re: Is it legal to change $_POST


      "Why?" <why@why.com> wrote in message
      news:bi1e2b$lor$1@bunyip.cc.uq.edu.au...
      > Randell D. wrote:
      >
      > > "Jochen Buennagel" <zang@buennagel.com> wrote in message
      > > news:bi1161$a6v$01$1@news.t-online.com...
      > >
      > >>Randell D. wrote:
      > >>
      > >>>I found by accident that I could change the value of $_POST thus I was
      > >>>thinking it would be better usage of memory (and therefore overall
      > >>>performance) if instead of having duplicate data that I instead have the
      > >>>cleaned data returned to $_POST.
      > >>
      > >>I recommend doing this, especially when you're working on a project with
      > >>other programmers who might not be so diligent about variable cleaning.
      > >>
      > >>I work on a CMS project and we clean all user-generated variables right
      > >>at the start, because we know that some 3rd party module developers are
      > >>too lazy to bother, thus breaking security for the whole system.
      > >>
      > >>Jochen
      > >>
      > >>--
      > >>/**
      > >> * @author Jochen Buennagel <zang at buennagel dot com>
      > >> */
      > >>
      > >
      > >
      > > Fair comment on cleaning the data - I am aware of the risks - however, my
      > > question relates to where you keep the cleaned data.
      > >
      > > Do you return your cleaned data to $_POST or do you return it to another
      > > newer variable thus doubling the memory used to retain your user variable
      > > data.
      > >
      > >
      >
      > For the scripts I do I have a recursive function that goes through all
      > $_GET, $_POST and $_COOKIE variables and adds slashes to them if
      > auto-slashes is on (not them directly but the contents of the arrays). I
      > simply just modify the variables in place.
      >
      > IMHO, it's perfectly fine to just put the 'cleansed' input data back
      > into the corresponding variables' indexes.
      >
      > Cheers,
      > Why.
      >
      >

      Thanks


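The in-place, recursive cleaning pass that "Why" describes above, written out as an added example (it is not code from the thread or from either poster): it walks $_GET, $_POST and $_COOKIE and assigns each cleaned value back into the same index, so no second copy of the submission is kept. It undoes magic_quotes_gpc rather than adding slashes; the control-byte stripping and trimming are assumed cleaning rules, and the sample submission at the bottom is constructed.

```php
<?php
// Added example, not code from the thread. Cleans the request superglobals in
// place: the cleaned value goes back into the same index, so the script never
// holds a duplicate $formData copy of every submitted value.
// Assumed rules: undo magic_quotes_gpc (PHP 4/5) where it is on, drop NUL and
// other control bytes, trim whitespace. Escaping for SQL (prepared statements)
// or HTML (htmlspecialchars) is assumed to happen later, at the point of use.

function clean_request_value(&$value, $undo_magic_quotes)
{
    if (is_array($value)) {
        // PHP builds nested arrays from names like field[a][b]; recurse by key
        // (this form also works on PHP 4, which lacks foreach-by-reference).
        foreach (array_keys($value) as $key) {
            clean_request_value($value[$key], $undo_magic_quotes);
        }
        return;
    }
    if (!is_string($value)) {
        return;
    }
    if ($undo_magic_quotes) {
        $value = stripslashes($value);   // reverse the automatic addslashes()
    }
    // Strip NUL and C0/DEL control bytes except tab, LF and CR, then trim.
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
    $value = trim($value);
}

function clean_request_superglobals()
{
    // get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
    $undo = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    // Superglobals are ordinary arrays: assigning into them is supported,
    // which is why modifying them in place is safe to rely on.
    clean_request_value($_GET, $undo);
    clean_request_value($_POST, $undo);
    clean_request_value($_COOKIE, $undo);
}

// Constructed sample submission standing in for a real request.
$_POST = array(
    'name' => "  O'Brien\x00 ",
    'tags' => array(' php ', "net\x1Bwork"),
);
clean_request_superglobals();
var_dump($_POST);
?>
```

Running it shows the apostrophe in "O'Brien" survives the pass, which is the reason entry-point cleaning does not remove the need for parameterised queries when the value reaches MySQL.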

      • Randell D.

        #4
        Re: Is it legal to change $_POST


        "Jochen Buennagel" <zang@buennagel.com> wrote in message
        news:bi1161$a6v$01$1@news.t-online.com...
        > Randell D. wrote:
        > > I found by accident that I could change the value of $_POST thus I was
        > > thinking it would be better usage of memory (and therefore overall
        > > performance) if instead of having duplicate data that I instead have the
        > > cleaned data returned to $_POST.
        >
        > I recommend doing this, especially when you're working on a project with
        > other programmers who might not be so diligent about variable cleaning.
        >
        > I work on a CMS project and we clean all user-generated variables right
        > at the start, because we know that some 3rd party module developers are
        > too lazy to bother, thus breaking security for the whole system.
        >
        > Jochen
        >
        > --
        > /**
        > * @author Jochen Buennagel <zang at buennagel dot com>
        > */
        >

        Fair comment on cleaning the data - I am aware of the risks - however, my
        question relates to where you keep the cleaned data.

        Do you return your cleaned data to $_POST, or do you return it to another
        newer variable, thus doubling the memory used to retain your user variable
        data?

