Could someone please explain why $_POST= array(); isn't an effective way of resetting your $_POST superglobal?
I thought of this when reading this question.
Being an array, I would imagine all elements of that array, be it $_POST or any other, would be reset when re-initializing it.
You are right, $_POST= array(); is fully resetting $_POST!
The answers in the other post are related to
"how to sanitizing/clean the value(s) of $_POST".
This line $_POST=array(); does fully reset the $_POST array.
I guess there is a misunderstanding on your side of the referenced question. The goal of that script isn't to empty $_POST but to sanitize the values.
tscully tries to sanitize values in $_POST (because they are user-input) to be able to "safely" use them further when doing DB operations.
That's why he uses mysql_real_escape_string (Escapes special characters in a string for use in a SQL statement).
what's exactly your question?
unset($_POST) is resetting the superglobal effectively erasing any values in it.
cross-site scripting is that wide subject you won't be able to do the filter on your own.
check this XSS cheat sheet here: http://ha.ckers.org/xss.html
+more info on developing anti-XSS measures here: http://hungred.com/web-development/solutions-crosssite-scripting-xss-attack/
As far as I know, that would do it. It should be noted that this only clears out the POST information, not the GET. The question I would have to ask is why?
