THE SUPERGLOBAL ARRAY $_POST
With the POST method the values are not passed in the URL. If we open the browser's developer tools (F12), switch to the Network tab, resubmit the form and click on the PHP file, we see that the data is sent in the request payload.
The Headers tab shows the request and the response, that is, the information that the client and the server exchanged. One thing never to do is to trust what the user types into the text boxes: the input can contain malicious code or be used to obtain permissions the user should not have. If we enter some malicious JavaScript code in an input field, it will be executed when the submit button is pressed.
To avoid this kind of problem we can use the htmlspecialchars function. If we now rerun the script we get:
The JavaScript code is no longer executed: thanks to htmlspecialchars, the special characters are converted into HTML entities.
Between the two methods, POST is preferable to GET because the data does not travel in the URL; in addition, the amount of data that can be sent with GET is smaller than with POST. We can use GET when the data travelling in the URL is not sensitive. Whether we use GET or POST, the form data is built and encoded according to the enctype attribute. With the POST method the enctype can be set to multipart/form-data, which is needed when we want to send files. In conclusion, the $_GET and $_POST arrays contain the information sent from the client to the server.
DEEPENING
The $_POST superglobal array is one of PHP's built-in variables, known as "superglobals", and is used to collect the data of an HTML form that uses the POST method to send its information to the server.
Main characteristics of the $_POST array:
1. Superglobal: The $_POST array is accessible from anywhere in your PHP script, without the need to declare it globally. This means that you can access it inside functions, methods, or outside of them without any problems.
2. Associative: The $_POST array is an associative array, which means that each element is stored in key-value pairs. The “key” is the name of the HTML form field (name), while the “value” is the content entered by the user in that field.
3. Security: Data transmitted via the POST method is not visible in the browser address bar, unlike the GET method. This makes $_POST more secure for sending sensitive data, such as passwords or personal information.
Example of use:
Imagine you have an HTML form that asks the user to enter his or her name and email:
<form action="processa_dati.php" method="POST">
Nome: <input type="text" name="nome">
Email: <input type="email" name="email">
<input type="submit" value="Invia">
</form>
In the file processa_dati.php, you can collect and manage the submitted data with the following code:
<?php
// Read the two form fields from the $_POST superglobal (empty string if a field is missing)
$nome = $_POST['nome'] ?? '';
$email = $_POST['email'] ?? '';
// Escape the values with htmlspecialchars before echoing them, so that any HTML or
// JavaScript typed into the form is displayed as text instead of being executed
echo "Nome: " . htmlspecialchars($nome) . " ";
echo "Email: " . htmlspecialchars($email);
?>
Security Considerations:
– Sanitization and Validation: It is important to remember to always sanitize and validate data received via $_POST before using it, to prevent vulnerabilities such as SQL injection or XSS (Cross-Site Scripting).
– Use of filter_input: For added security, you can use the filter_input function to collect and filter the data in the $_POST array:
// Note: FILTER_SANITIZE_STRING is deprecated since PHP 8.1; FILTER_SANITIZE_SPECIAL_CHARS is its replacement
$nome = filter_input(INPUT_POST, 'nome', FILTER_SANITIZE_STRING);
// FILTER_VALIDATE_EMAIL returns false when the value is not a valid email address
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
In this way, you reduce the risk of accepting malicious or incorrect data.
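A hardened version of processa_dati.php that puts the two points above together, added here as an example and not part of the original tutorial: it checks the request method, validates the fields with filter_input (rejecting a missing name or an invalid email) and escapes every value with htmlspecialchars before echoing it. The 100-character limit on the name is an assumption.

```php
<?php
// Added example: validate $_POST input, then escape it on output.
declare(strict_types=1);

// Only accept the POST method; a GET to this script carries no form data.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// filter_input returns null when the field is missing and false when
// validation fails, so both cases are handled explicitly below.
$nome  = filter_input(INPUT_POST, 'nome', FILTER_DEFAULT);
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

$errors = [];
if ($nome === null || trim($nome) === '') {
    $errors[] = 'The name field is required.';
} elseif (mb_strlen($nome) > 100) {          // assumed maximum length
    $errors[] = 'The name is too long.';
}
if ($email === null || $email === false) {
    $errors[] = 'The email address is not valid.';
}

if ($errors !== []) {
    http_response_code(400);
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES | ENT_HTML5, 'UTF-8'), '<br>';
    }
    exit;
}

// Escape on output: a value such as <script>alert(1)</script> is rendered
// as literal text by the browser instead of being executed.
$safeNome  = htmlspecialchars($nome, ENT_QUOTES | ENT_HTML5, 'UTF-8');
$safeEmail = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "Nome: {$safeNome}<br>";
echo "Email: {$safeEmail}";
```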
The $_POST array, then, is a powerful and flexible tool for handling user input in your PHP scripts, but it must be used carefully to ensure web application security.