The POST request is usually preferred (because it avoids placing unsightly data in the browser’s address bar), and so we use it here. The
web server bundles up all of the user input (even if the form was filled out with a hundred fields) and puts in into an array named $_POST.

Depending on whether a form has been set to use the POST or the GET method, either the $_POST or the $_GET associative array will be populated with the form data. They can both be read in exactly the same way.

Each field has an element in the array named after that field. So, if a form contains a field named isbn, the $_POST array contains an element keyed by the word isbn. The PHP program can read that field by referring to either $_POST[‘isbn’] or $_POST[“isbn”] (single and double quotes have the same effect in this case).

There is no reason to write to an element in the $_POST array. Its
only purpose is to communicate information from the browser to
the program, and you’re better off copying data to your own variables before altering it.

So, back to the get_post function, which passes each item it retrieves through the real_escape_string method of the connection object to escape any quotes that a hacker may have inserted in order to break into or alter your database, like this:

function get_post($conn, $var)
{
return $conn->real_escape_string($_POST[$var]);
}