- $_POST: POST-method variables. Form field data from regular POST-method forms.

PHP automatically creates variables for all the data it receives in an HTTP request. This can include GET data, POST data, cookie data, and environment variables. The variables are either in PHP's global symbol table or in one of a number of superglobal arrays, depending on the value of the register_globals setting in your php.ini file.

mysqli_real_escape_string can be added for security reasons.

A common error people make when using sessions is that they tend to use them as a replacement for authentication -- or sometimes as an add-on to authentication. Authenticating a user once as he first enters your site and then using a session ID to identify that user throughout the rest of the site without further authentication can lead to a lot of problems if another person is somehow able to get the session ID. There are a number of ways to get the session ID:

- If you are not using SSL, session IDs may be sniffed
- If you don't have proper entropy in your session IDs, they may be guessed
- If you are using URL-based session IDs, they may end up in proxy logs
- If you are using URL-based session IDs, they may end up bookmarked on publicly-accessible computers

Forcing HTTP Authentication on each page over SSL is the most secure way to avoid this problem, but it tends to be a bit inconvenient. Just keep the above points in mind when building a web application that uses sessions to store users' personal details.
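
The following sketch is an added example, not code from the original page. It maps each of the points above to a PHP session setting and re-checks authentication age before sensitive pages; the helper names start_hardened_session(), on_login() and require_recent_auth(), and the 300-second window, are assumptions chosen for illustration.

```php
<?php
// Added example. The three helper functions are hypothetical names,
// not part of PHP; the session_* calls and option keys are PHP's own.

function start_hardened_session(): void
{
    // The session ID itself is left to PHP's built-in generator;
    // never assign a home-made, guessable value with session_id().
    session_start([
        'cookie_secure'    => true,  // cookie travels over SSL/TLS only, so it is not sniffable in clear text
        'cookie_httponly'  => true,  // cookie is not readable from page scripts
        'cookie_samesite'  => 'Lax', // PHP 7.3+; limits cross-site sending of the cookie
        'use_only_cookies' => 1,     // never accept a session ID taken from the URL
        'use_trans_sid'    => 0,     // never rewrite links to carry the ID (keeps it out of proxy logs and bookmarks)
        'use_strict_mode'  => 1,     // reject session IDs the server did not issue
    ]);
}

function on_login(int $userId): void
{
    // Issue a fresh ID when the user authenticates and delete the old session data.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

// The session ID only identifies the user; pages that expose personal
// details ask for credentials again once the last login is too old.
function require_recent_auth(int $maxAge = 300): bool
{
    return isset($_SESSION['user_id'], $_SESSION['auth_at'])
        && (time() - $_SESSION['auth_at']) <= $maxAge;
}

start_hardened_session();
if (!require_recent_auth()) {
    // Constructed flow: send the user to a login form served over SSL.
    http_response_code(401);
    exit('Please authenticate again.');
}
```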