Do not access superglobal $_POST array directly

"Do not access superglobal $_POST array directly" is a hint you will meet often when editing PHP in the NetBeans IDE. It is a security hint: reading $_POST or $_GET straight into your code skips any validation or filtering, and unfiltered request data is the path by which injection attacks (SQL injection, cross-site scripting and others) reach an application. Injection flaws are so dangerous because an attacker can use them to read passwords and other data, or to modify it. The attacker delivers the payload through the same two channels a form uses: GET and POST requests.

In another article we will look at the attack methods and the precautions against SQL injection. In this one we will read form data without using the $_POST or $_GET variables as usual. If we follow this approach, NetBeans will no longer display the "Do not access superglobal $_POST array directly" hint.

In PHP, as in other server-side languages, an HTML form submits its fields with one of two methods: GET or POST. In the previous lesson we practised with forms a lot. If the form has an input named data, you read its value as $_POST['data'] or $_GET['data'], depending on which method the form uses.

In this article we do not read those two arrays directly but call filter_input(INPUT_POST, 'data', FILTER_SANITIZE_STRING) instead. The example below shows that the value can be read both ways. Two caveats a practitioner should keep in mind: FILTER_SANITIZE_STRING is deprecated since PHP 8.1 (FILTER_SANITIZE_SPECIAL_CHARS is the closest supported replacement, and a validating filter such as FILTER_VALIDATE_INT or FILTER_VALIDATE_EMAIL is preferable where the field has a known type), and filter_input() on its own does not stop SQL injection: it makes the value well-formed, but any value that reaches a query must still be bound as a parameter of a prepared statement.

Start Apache in XAMPP (or the equivalent in whatever stack you use). In the folder D:\XAMPP\htdocs create a folder named form, and in it a file index.php with the following content:

<?php
/**
 * @author TRAN DINH HONG
 * @copyright 2018
 */
// filter_input() reads the request for us. It returns null when the field is
// absent, so the first (GET) load of the page produces no warning.
// Note: FILTER_SANITIZE_STRING is deprecated since PHP 8.1;
// FILTER_SANITIZE_SPECIAL_CHARS is the closest supported replacement.
echo "filter_input : " . filter_input(INPUT_POST, 'data', FILTER_SANITIZE_STRING);
// Direct access, shown for comparison. The ?? '' guard avoids an
// "Undefined array key" warning on the first load; the value itself is echoed
// unfiltered into the page, which is exactly what the NetBeans hint warns about.
echo "<br/>\$_POST['data'] : " . ($_POST['data'] ?? '');
?>
<br /><br />
<style>
body {
    width: 321px;
    margin: auto;
    margin-top: 150px;
    height: 60px;
    border: 1px solid #ddd;
    padding: 30px;
}
</style>
<form method="post">
    <input type="text" name="data" />
    <input type="submit" />
</form>

After submitting the form with some content, for example "this is data", both ways print the same result.
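The page above shows filter_input() on a single field. As an added example (not code from the original article), the following script applies the same idea to a whole form the way a practitioner would: one filter definition per field, passed to filter_input_array() for the live request and to filter_var_array() for constructed sample requests when run from the command line, with the three possible filter outcomes (value, false, null) handled separately, and the validated values stored through a prepared statement rather than spliced into SQL. Validating filters are used instead of the deprecated FILTER_SANITIZE_STRING. The field names, length and range limits, sample requests and the SQLite table are assumptions made for this illustration.

```php
<?php
// Added example, not code from the original article: reading a small form
// through filter_input_array()/filter_var_array() with validating filters, then
// storing it with a prepared statement. The field names, limits, sample requests
// and the SQLite table are assumptions made for this illustration.
declare(strict_types=1);

// One filter definition per field. The same definition serves the live request
// (filter_input_array) and the constructed samples below (filter_var_array).
const FORM_DEFINITION = [
    // Free text: 1 to 100 characters, no control characters. \z (not $) so a
    // trailing newline cannot slip past the check.
    'data'  => ['filter'  => FILTER_VALIDATE_REGEXP,
                'options' => ['regexp' => '/^[^\x00-\x1F\x7F]{1,100}\z/u']],
    'age'   => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 0, 'max_range' => 150]],
    'email' => FILTER_VALIDATE_EMAIL,
];

/**
 * Sorts a filter_*_array() result into usable values and errors. The filter
 * functions report three outcomes that must not be confused: a value (valid),
 * false (present but failed the filter) and null (field absent).
 */
function filterForm(?array $filtered): array
{
    $values = [];
    $errors = [];
    foreach (array_keys(FORM_DEFINITION) as $field) {
        $value = $filtered[$field] ?? null;
        if ($value === null) {
            $errors[$field] = 'missing';
        } elseif ($value === false) {
            $errors[$field] = 'invalid';
        } else {
            $values[$field] = $value;
        }
    }
    return ['values' => $values, 'errors' => $errors];
}

/**
 * Stores validated values. Filtering made them well-formed; it did not make
 * them safe to splice into SQL. The prepared statement does that, so the data
 * field may contain quotes without any effect on the query.
 */
function storeForm(PDO $pdo, array $values): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO submissions (data, age, email) VALUES (:data, :age, :email)'
    );
    $stmt->execute($values); // array keys match the named placeholders
    return (int) $pdo->lastInsertId();
}

// In-memory SQLite so the example runs without a database server (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, data TEXT, age INTEGER, email TEXT)');

if (PHP_SAPI === 'cli') {
    // Constructed sample requests (not captured traffic): one clean, one with an
    // injection-looking string but otherwise valid fields, one that fails validation.
    $samples = [
        ['data' => 'this is data', 'age' => '42', 'email' => 'user@example.com'],
        ['data' => "Robert'); DROP TABLE submissions;--", 'age' => '7', 'email' => 'r@example.com'],
        ['data' => "x' OR '1'='1", 'age' => 'abc'], // email missing, age invalid
    ];
    $requests = array_map(
        fn(array $s): array => filter_var_array($s, FORM_DEFINITION, true),
        $samples
    );
} else {
    // Live request: filter_input_array() returns null when there is no POST body
    // at all (the first GET of the page), which filterForm() reports as "missing".
    $requests = [filter_input_array(INPUT_POST, FORM_DEFINITION, true)];
}

foreach ($requests as $request) {
    $result = filterForm($request);
    if ($result['errors'] !== []) {
        echo 'rejected: ' . json_encode($result['errors']) . PHP_EOL;
        continue;
    }
    $id = storeForm($pdo, $result['values']);
    // Escape on output: the text is stored as typed and HTML-encoded only here.
    echo "stored #$id: " . htmlspecialchars($result['values']['data'], ENT_QUOTES, 'UTF-8') . PHP_EOL;
}
// The table survives the injection-looking input; it was bound as plain data.
echo 'rows: ' . $pdo->query('SELECT COUNT(*) FROM submissions')->fetchColumn() . PHP_EOL;
```

Run it with php index2.php from the command line (any file name will do): the first two samples are stored, the second one intact quotes and all, because the statement binds it as a parameter; the third is rejected with age reported as invalid and email as missing, and the final row count shows the table is unharmed. Dropped into htdocs and loaded through Apache, the same script reads the real POST body instead of the samples, and the first GET of the page is reported as a missing form rather than raising a warning.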

We have solved the problem the hint pointed out. "Do not access superglobal $_POST array directly" is only one of many notifications an editor shows; others concern syntax errors, security problems or outdated constructs. Following them not only keeps the code tidy and readable but also makes the project safer.
Almost every website today uses forms. Many are built with apps, plugins and form-builder modules, while others are written by hand, so a good understanding of form security is very important.
You can download the code below for convenient use and testing.
