$_POST vs. input->post
#1

[eluser]Skinnpenal[/eluser]
Hi!

When enabling Global XSS Filtering, will the data in $_POST be filtered as well, in addition to what I can get from input->post?
And the same question goes for form validation rules like trim, will the result affect $_POST as well, or is the input->post some separate array?
#2

[eluser]Michael Wales[/eluser]
After validation the following 3 ways of accessing your post variables are identical:

Code:
$_POST['var'];
$this->input->post('var');
$this->validation->post;

With Global XSS filtering on, but not using validation, I believe only the first 2 are identical (as the 3rd would not exist).

Personally, I use $this->input->post() for everything - simply for future-compatibility. What if a security feature is added to the input class but doesn't make its way into the sanitizing of the $_POST array? This is a much more likely scenario than vice-versa ($_POST[] gets the security update but INPUT does not).
#3

[eluser]Skinnpenal[/eluser]
Aha, thanks :)

I have some problems with $this->input->post() when using it with isset() etc., that's why I haven't used the input library yet.
#4

[eluser]alpar[/eluser]
It wouldn't give you an error; if a post variable doesn't exist, it just returns false.
#5

[eluser]Skinnpenal[/eluser]
Actually, if I use this:
Code:
if ( isset( $this->input->post('foo') ) )  { /*...*/ }

I get this:
Code:
Fatal error: Can't use method return value in write context[...]
#6

[eluser]Michael Wales[/eluser]
Yeah, you don't need to worry about checking whether that variable has been set or not - you should check whether it is FALSE or not.

isset() is a strange beast that can return some odd results based on the value (or lack thereof) of a variable (even stranger results if it's an array). I tend to avoid isset() at all costs.
#7

[eluser]Skinnpenal[/eluser]
I see... thanks for the advice, Michael :) I guess I'll have to add that to the to-do list, rewriting everything to use the input library. ;)
#8

[eluser]dedenf[/eluser]
Indeed, isset() is a strange beast; I prefer to use !empty() to check the value.
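
The checks discussed in this thread, compared side by side as an added example (not part of any post above and not CodeIgniter's own code). It assumes a hypothetical stand-in, post_value(), that returns FALSE for a missing field as described in the thread, and a constructed sample submission; it shows which checks can tell "field not sent" apart from a submitted "0" or empty string.

```php
<?php
// Stand-in for the behaviour described in the thread: return the submitted
// value, or FALSE when the field is absent. Hypothetical helper, not
// CodeIgniter's own code.
function post_value(array $post, $key)
{
    return array_key_exists($key, $post) ? $post[$key] : FALSE;
}

// Classify one field three ways so the differences are visible side by side.
function classify(array $post, $key)
{
    // Assign the return value first: isset() only accepts a variable, which
    // is why calling it directly on a method call is a fatal error.
    $value = post_value($post, $key);

    return array(
        'strict_present' => ($value !== FALSE), // fails only for a missing field
        'loose_present'  => ($value != FALSE),  // also fails for "" and "0"
        'not_empty'      => !empty($value),     // also fails for "" and "0"
    );
}

// Constructed sample submission: "qty" is a legitimate zero, "note" is blank,
// "name" has a value, and "token" was never sent.
$post = array('qty' => '0', 'note' => '', 'name' => 'alice');

foreach (array('qty', 'note', 'name', 'token') as $field) {
    $r = classify($post, $field);
    printf(
        "%-6s strict=%-5s loose=%-5s not_empty=%s\n",
        $field,
        var_export($r['strict_present'], true),
        var_export($r['loose_present'], true),
        var_export($r['not_empty'], true)
    );
}
```

Only the strict comparison separates the missing "token" field from the submitted "0" and ""; the loose comparison and !empty() report all three as absent, which matters when a validation rule must distinguish "not sent" from "sent as zero".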