2

For form processing, what's better? (secure/fast)

Layout Form :

<form id="myForm" name="frm1" action="insert.php" method="post">
<textarea name="content" id="content" cols="35" rows="5"></textarea>
<INPUT type=submit value="submit" name=submit></form>

Insert php :

<?php
if (( 'POST' == $_SERVER['REQUEST_METHOD'])) {
 //php validation code
} else {
 exit();
}
?> 

Or

<?php
if (!isset($_POST['submit'])) {
 //php validation code
} else {
 exit();
}
?>
Jasper
asked Dec 12, 2011 at 17:26
2
  • What form are you trying to process? Commented Dec 12, 2011 at 17:32
  • I personally prefer the former. I don't know that there is a correct answer. Commented Dec 12, 2011 at 17:39

5 Answers

1

The second one, definitely. It's more readable, and even more logical.

<?php 
if (isset($_POST['submit'])) { //php validation code
 //do something 
}
else
{
 exit();
} 
?>
answered Dec 12, 2011 at 17:44

1

You should generally be checking whether or not the data exists that you are going to process. Along those lines, your second method is preferred, but don't assume people are going to click your submit button.

I have a couple other notes for you while I'm at it. You should really close your <input> tag with /> at the end of it.

Also, while you can make comparisons like ('POST' == $_SERVER['REQUEST_METHOD']), writing them in that order makes little sense. Flip it around like this: ($_SERVER['REQUEST_METHOD'] == 'POST')

answered Dec 12, 2011 at 17:44


1

Speed is irrelevant here. In terms of security these two pieces of code are different...

if (( 'POST' == $_SERVER['REQUEST_METHOD']))
{//php validation code
}
else 
{exit();}

Here you are testing if the request method of your page is post, and then you do your validations.

if (!isset($_POST['submit'])) 
{//php validation code
}
else
{exit();}

Here you are testing if there is a value in the post values that has the key "submit". You are assuming that a field has this name, but that is not necessarily true. You can have post values with any field named "submit".

The real security concern here is your validation tests.

answered Dec 12, 2011 at 17:46

2 Comments

if merge if (( 'POST' == $_SERVER['REQUEST_METHOD'])) && isset($_POST['submit']) { ... }else { ... } Now?
I guess that when php fills the $_POST array is when the request method is post. It is redundant to check this.
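
A handler along the lines these answers describe, as an added example that is not part of the original thread: it checks the request method, then the `content` field the form actually sends rather than the submit button, and validates that field. The size limit, the helper name `validate_content` and the error texts are assumptions.

```php
<?php
// Added example (not from the thread). Handler for the question's form:
// one textarea named "content", posted to insert.php.
declare(strict_types=1);

const MAX_CONTENT_BYTES = 2000; // assumed limit, pick one that fits the data

/** Validate the posted fields. Returns [cleanContent|null, errors]. */
function validate_content(array $post): array
{
    $raw = $post['content'] ?? null;

    // A client can send content[]=x, which turns the value into an array,
    // so "is it set" is not enough: require a string.
    if (!is_string($raw)) {
        return [null, ['content is missing or not a string']];
    }

    $errors  = [];
    $content = trim($raw);
    if ($content === '') {
        $errors[] = 'content is empty';
    }
    if (strlen($content) > MAX_CONTENT_BYTES) {
        $errors[] = 'content is too long';
    }
    if (preg_match('//u', $content) !== 1) { // matches only valid UTF-8
        $errors[] = 'content is not valid UTF-8';
    }
    return [$errors ? null : $content, $errors];
}

// Reject anything that is not a POST before looking at the body.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

[$content, $errors] = validate_content($_POST);
if ($errors) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    exit(implode("\n", $errors));
}

// $content passed validation. Use a prepared statement if it is stored,
// and htmlspecialchars() when it is later written into HTML.
```

The submit button is never consulted, so the handler behaves the same whether the form was sent by clicking the button, pressing Enter, or by a script.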
0

if (!isset($_POST['submit'])) 
{//php validation code
}
else
{exit();}

Second one makes more sense to me.

answered Dec 13, 2011 at 13:30


0

The second answer is the best, because you're only checking on your submit button. The other one is checking for just a post.

answered Dec 13, 2011 at 13:34
