Baran Topal


Display PHP variables in a smart way


I haven’t done anything in PHP lately, so let’s warm up with a very simple and informative code snippet using the PHP POST variable.

First, some theory. When a client makes a request to a server, the client can send request variables. If the request is made via the POST method, PHP will helpfully gather up the request variables and put them into a superglobal array called $_POST before your script is started. The array contains data from an external source, so it must be treated as tainted: a potential attack vector.

There are several kinds of data that can be posted to your script from HTML forms: text, hidden or password controls, textarea strings, checkboxes and radio controls, select dropdowns with single or multiple selections, and so on. Each of these input controls may be handled a little differently, but all of them have two important characteristics in common: a name and a value. In the $_POST array, the name becomes the associative array key and the value, if any, becomes the associated value. The last (rightmost) key of the same name contains the prevailing value, so if you have two HTML input controls with the same name, only the last one will show up in $_POST.

Empty input controls require a little understanding. Most form inputs, when left empty, are still present in $_POST, with the null (empty) string as the value. Checkbox and radio controls are the exception: unfired form elements are omitted from the request and you will not find the name in the $_POST array.

You might want to set up some test cases using var_dump() to print out the contents of $_POST. Then you can set up different forms and point the forms to the action script that will show you exactly how the POST request variables are received in your script.


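<?php
// START OUTPUT BUFFERING SO THE DUMPS BELOW CAN BE CAPTURED
ob_start();

// SHOW THE GET REQUEST
echo "GET: ";
var_dump($_GET);
echo PHP_EOL;

// SHOW WHAT WAS RECEIVED IN POST
echo "POST: ";
var_dump($_POST);
echo PHP_EOL;

// CAPTURE THE BUFFER
$posted_data = ob_get_clean();

// SAY THANK YOU
echo "THANK YOU " . date('r');
echo PHP_EOL;

// THE DUMP CONTAINS TAINTED REQUEST DATA, SO ESCAPE IT BEFORE SENDING IT TO THE BROWSER
echo htmlspecialchars($posted_data, ENT_QUOTES, 'UTF-8');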
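
The rules described above for duplicate names, empty inputs and unchecked checkboxes can be checked from the command line without building any forms. This is an added example, not code from the original post: it feeds constructed request bodies through parse_str(), which parses a URL-encoded string with the same rules PHP applies to request variables, and reads each field through a hypothetical helper, post_string(), that tells "absent" from "empty" and rejects an array where a single string is expected.

```php
<?php
// Added example. parse_str() stands in for a real POST request here;
// the bodies below are constructed samples, not captured traffic.
$bodies = [
    'duplicate name'     => 'color=red&color=blue',
    'empty text input'   => 'email=&agree=on',
    'unchecked checkbox' => 'email=a%40example.com',
    'array syntax'       => 'email[]=x&agree=on',
];

/**
 * Hypothetical helper: return a field as a string, or null if the
 * control was not submitted. Throws if the client sent an array
 * (name[]=...) where a single value was expected.
 */
function post_string(array $post, string $name): ?string
{
    if (!array_key_exists($name, $post)) {
        return null;            // e.g. an unchecked checkbox
    }
    if (!is_string($post[$name])) {
        throw new UnexpectedValueException("$name must be a single value");
    }
    return $post[$name];        // may be '' for an empty text input
}

foreach ($bodies as $label => $body) {
    $post = [];
    parse_str($body, $post);    // $post now looks like $_POST would
    echo "== $label: $body", PHP_EOL;
    foreach (['color', 'email', 'agree'] as $field) {
        try {
            $value = post_string($post, $field);
            $shown = $value === null ? '(absent)' : var_export($value, true);
        } catch (UnexpectedValueException $e) {
            $shown = 'rejected: ' . $e->getMessage();
        }
        echo "  $field => $shown", PHP_EOL;
    }
}
```

Run it with the PHP command-line interpreter; in a real action script the same helper would be called with $_POST as its first argument.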