[ Team LiB ] Previous Section Next Section

Importing User Input into Global Scope

It is possible, but not recommended, to import fields from a form submission into global variables. This behavior was once the default for PHP. Although it was useful for quick scripts, it represented a security risk, with the prospect of user-submitted values overwriting script variables. You can change the new default by altering the php.ini file. You can also import user input explicitly with the import_request_variables() function. This function requires a string representing the types to import and another optional but advisable string that adds a prefix to all imported variable names. The types argument can be any combination of g, p and c, standing for get, post, and cookies, respectively. If you only use one or two of these letters, then only the corresponding parameters are imported. The order is important in that earlier types are overwritten by later ones. That is, with the string gp, get variables are overwritten by post variables of the same name. Suppose an input element called username is submitted via the get method:

<input type="text" name="username" />

We could call import_request_variables() in the following way:

import_request_variables( "g", "import_" );

This line would create a global variable called $import_username, containing the user-submitted value for the username field. All other fields submitted would be similarly imported.

    [ Team LiB ] Previous Section Next Section