I've just completed the registration form for my website, and on the action page, where all the SQL takes place, I've just skipped assigning the POST variables to actual ones, like this...
$username = $_POST['username'];
Instead I've just been using the POST variables throughout the PHP page. Are there any risks or errors that can be met whilst practicing?
Also, excuse me if I am using incorrect terminology...
One risk you might be running is dealing with raw user data, still saved in the raw $_POST[] variable. I tend to save all the raw data I work with to other variables, like you mentioned with $username = $_POST['username'], so I can manipulate and sanitize that input more efficiently. Rather than save any adjustments I make to the global $_POST array, all my changes are saved temporarily and at a more manageable scope.
For example:
$username = mysql_real_escape_string($_POST['username']);
... is better than:
$_POST['username'] = mysql_real_escape_string($_POST['username']);
It's generally better to leave the raw user data as is and make your adjustments in other variables.
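An added example, not code from the question or the answer: a registration handler that leaves $_POST untouched and works only on local copies, as the answer advises. It uses PDO prepared statements in place of mysql_real_escape_string (that function was removed in PHP 7.0); the users table, the validation rules, the in-memory SQLite database (needs the pdo_sqlite extension) and the sample input are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample request; in a real handler PHP fills $_POST itself.
$_POST = ['username' => "  o'brien ", 'password' => 'correct horse battery'];

// Copy the fields into local variables and validate the copies.
// The request array is only read, never written to.
function read_registration(array $post): array
{
    // A field sent as username[]=x arrives as an array; treat it as missing.
    $username = is_string($post['username'] ?? null) ? trim($post['username']) : '';
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';

    // Hypothetical rules for this example: 3-32 chars, apostrophe allowed.
    if (!preg_match('/^[A-Za-z0-9_\']{3,32}$/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    if (strlen($password) < 12) {
        throw new InvalidArgumentException('password too short');
    }
    return [$username, $password];
}

function register(PDO $db, array $post): int
{
    [$username, $password] = read_registration($post);
    // Placeholders keep the values out of the SQL text, so no escaping
    // step is needed and the stored name is exactly the validated copy.
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $db->lastInsertId();
}

// Assumed schema, created in memory so the script runs on its own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');

$before = $_POST;                       // snapshot to show nothing mutates it
$id = register($db, $_POST);

$lookup = $db->prepare('SELECT username FROM users WHERE id = :id');
$lookup->execute([':id' => $id]);
$stored = $lookup->fetchColumn();

printf("id=%d stored=%s raw_unchanged=%s\n",
    $id, $stored, var_export($_POST === $before, true));
```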