CodeIgniter Forums
$_POST vs. input->post - Printable Version



$_POST vs. input->post - El Forum - 09-19-2007

[eluser]Skinnpenal[/eluser]
Hi!

When enabling Global XSS Filtering, will the data in $_POST be filtered as well, in addition to what I can get from input->post?
And the same question goes for form validation rules like trim, will the result affect $_POST as well, or is the input->post some separate array?


$_POST vs. input->post - El Forum - 09-19-2007

[eluser]Michael Wales[/eluser]
After validation the following 3 ways of accessing your post variables are identical:

Code:
$_POST['var'];
$this->input->post('var');
$this->validation->post;

With Global XSS filtering on, but not using validation, I believe only the first 2 are identical (as the 3rd would not exist).

Personally, I use $this->input->post() for everything - simply for future-compatibility. What if a security feature is added to the input class but doesn't make its way into the sanitizing of the $_POST array? This is a much more likely scenario than vice-versa ($_POST[] gets the security update but INPUT does not).


$_POST vs. input->post - El Forum - 09-19-2007

[eluser]Skinnpenal[/eluser]
aha, thanks :)

I have some problems with $this->input->post() when using it with isset() etc., that's why I haven't used the input library yet.


$_POST vs. input->post - El Forum - 09-19-2007

[eluser]alpar[/eluser]
It wouldn't give you an error; if a post variable doesn't exist, it just returns false.


$_POST vs. input->post - El Forum - 09-19-2007

[eluser]Skinnpenal[/eluser]
actually, if I use this:
Code:
if ( isset( $this->input->post('foo') ) )  { /*...*/ }

I get this:
Code:
Fatal error: Can't use method return value in write context[...]



$_POST vs. input->post - El Forum - 09-19-2007

[eluser]Michael Wales[/eluser]
Yeah, you don't need to worry about checking whether that variable has been set or not - you should check whether it is FALSE or not.

isset() is a strange beast that can return some odd results based on the value (or lack thereof) of a variable (even stranger results if it's an array). I tend to avoid isset() at all costs.


$_POST vs. input->post - El Forum - 09-19-2007

[eluser]Skinnpenal[/eluser]
I see.. thanks for the advice, Michael :) I guess I'll have to add that to the to-do list, rewriting everything to use the input library. ;)


$_POST vs. input->post - El Forum - 09-19-2007

[eluser]dedenf[/eluser]
Indeed, isset() is a strange beast; I prefer to use !empty() to check the value.
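
Added example, not part of the thread and not CodeIgniter's own code: the presence checks discussed above, run side by side on a constructed form submission. `post_value()` is a hypothetical stand-in for `$this->input->post()` that returns FALSE for a missing key, as the thread describes.

```php
<?php
// Hypothetical stand-in for $this->input->post(): returns FALSE when the key
// is absent, as described in the thread. Not CodeIgniter's own code.
function post_value(array $post, $key)
{
    return array_key_exists($key, $post) ? $post[$key] : FALSE;
}

// Classify one field three ways so the differences are visible side by side.
// The return value is assigned to a variable first because isset() only
// accepts variables, which is what the fatal error in the thread is about.
function check_field(array $post, $key)
{
    $value = post_value($post, $key);
    return array(
        'submitted' => ($value !== FALSE), // strict: only a missing field is FALSE
        'loose'     => ($value != FALSE),  // loose: "" and "0" also compare equal to FALSE
        'not_empty' => !empty($value),     // empty() treats "", "0" and FALSE alike
    );
}

// Constructed sample form submission.
$post = array('name' => 'alice', 'qty' => '0', 'note' => '');

foreach (array('name', 'qty', 'note', 'missing') as $key) {
    $r = check_field($post, $key);
    printf(
        "%-8s submitted=%-5s loose=%-5s not_empty=%s\n",
        $key,
        var_export($r['submitted'], true),
        var_export($r['loose'], true),
        var_export($r['not_empty'], true)
    );
}
```

Only the strict `!== FALSE` comparison separates a field submitted as `"0"` or as an empty string from a field that was never sent, which matters when validation logic must reject missing input without rejecting legitimate zero values.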