#1
  1. A Change of Season
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    3,159
    Rep Power
    220

    Is redirect to $_POST dangerous?


    Hi;

    Is this bad practice to redirect like this after updates?

    PHP Code:
    redirect(base_url('view-task/'.$_POST['task_id'])); 
    If so, what's the solution?

    Thanks
  2. #2
  3. Lazy Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    16,268
    Rep Power
    9645
    As long as you had validated the task_id earlier then it's fine.

    To avoid confusion, don't use $_POST. Use another variable, like $taskid. Even if it was just
    PHP Code:
    $taskid = $_POST['task_id'];
  4. #3
  5. A Change of Season
    Ummm how is that confusing? Again I am missing the point.
    I thought I keep it simple with $_POST.
  6. #4
  7. Lazy Moderator
    Using $_POST directly raises the question of whether the code validated/verified/sanitized/whatever the value. If I saw that statement then an alarm would go off in my head and I'd have to go back through the rest of the code looking to see if there was a problem.

    On the other hand, a variable is more obvious: there was deliberate action taken to give this variable a value, and presumably a safe one, so I don't need to worry. I might still wonder whether $taskid is safe, but if not then it's easy to simply fix the $taskid value (shouldn't do that with $_POST) by modifying the code that creates it, and/or to add a little check after the assignment to ensure it's safe.
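
One way to do the check discussed in posts #2 and #4, as an added example that is not part of the original thread. The helper name `task_redirect_path()` and the sample inputs are hypothetical, and it assumes a valid `task_id` is a positive integer.

```php
<?php
declare(strict_types=1);

/**
 * Return the redirect path for a task, or null if task_id is not a
 * positive integer. Hypothetical helper, not part of the thread's code.
 */
function task_redirect_path(array $post): ?string
{
    // Copy the request value into a local variable once, then validate it.
    $taskid = filter_var(
        $post['task_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );

    // filter_var() returns false for arrays, empty strings, "42abc", "../x", ...
    if ($taskid === false) {
        return null;
    }

    // $taskid is now an int, so only digits can reach the URL.
    return 'view-task/' . $taskid;
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    ['task_id' => '42'],
    ['task_id' => '42abc'],
    ['task_id' => '../settings'],
    ['task_id' => ['1']],
    [],
];

foreach ($samples as $post) {
    $path = task_redirect_path($post);
    if ($path === null) {
        // In a real handler: respond with 400 or redirect to a fixed page.
        echo "rejected: " . json_encode($post) . PHP_EOL;
    } else {
        // In the thread's code this would be redirect(base_url($path)).
        echo "redirect to: " . $path . PHP_EOL;
    }
}
```

This only checks the format of the value; whether the current user may view that task is a separate check.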
