
Getting data from db into form field.

kkonline

4:05 pm on Aug 15, 2007 (gmt 0)

10+ Year Member



Can you just explain the difference between

$subject and $_POST['subject']

and how to decide what to use and when?

Because sometimes I use $_POST['subject'] in a SQL query and sometimes $subject.
How do I decide where to use which one?

Also, is it required to have a $_POST['subject'] after getting the data from the form field? Example:

<input id="subject" name="subject" type="text" size="45"
value="<?php echo stripslashes($_POST['subject']);?>" />

Currently I am working with an article manager and I need to display
the data which is already stored in the db [db connection open],
so if I write

<input id="subject" name="subject" type="text" size="45"
value="<?php echo stripslashes($_GET['subject']);?>" />

it gives me a blank field although the data is stored in the db.
Any solution?

eelixduppy

4:35 pm on Aug 15, 2007 (gmt 0)



>> $subject and $_POST['subject']

There are a few major differences here when we talk about these two.

First, let's mention register globals [php.net], as the value of this directive [us3.php.net] on your server will play a role in describing the difference. So, for discussion's sake, let's say that register globals is disabled, which is the default as of PHP 4.2.0. So now that we've set the playing area, let's get to explaining.

$subject now is just a variable [php.net] local to the script that it is contained in. The $subject variable is defined by you, the programmer, and takes the form:


$subject = ...something...

Now, $_POST['subject'] is called a superglobal, POST variables [us3.php.net] being part of the predefined list of superglobals [us3.php.net], along with GET, SERVER, etc... This $_POST['subject'] value is coming from a web form somewhere on your site, and the page that has this post variable defined is the action of that form. So $_POST is the superglobal array with all the POSTed information in it, and 'subject' is the index for that specific part of the array where the information is stored for that field. So right there you can see how they are different.

Now, let's say that register globals is enabled on your server, which it sounds like it is. Then $subject and $_POST['subject'] are practically the "same", although not entirely. What register globals does is make the superglobals I described above appear as regular variables. So not only does $subject match $_POST['subject'], but it could also match $_GET['subject'], $_COOKIE['subject'], etc... Because of this, it is considered a potential security risk and is disabled on most servers. Some older scripts still use it, but you just have to be careful with it.

So, on that note, you should be using $_POST['subject'] in your query, and since it is user-defined information, you want to properly escape that info, too, using mysql_real_escape_string() [php.net], or an equivalent if you are using other database technologies. We have a few great threads on retrieving information from a database that you might want to look at, as they will be a great starting place for you: The basics of extracting data from mysql [webmasterworld.com].

I hope that answers most of the questions. Good luck :)

kkonline

4:48 pm on Aug 15, 2007 (gmt 0)

10+ Year Member



Oh, that explanation was very simple to understand and I really like your dedication and patience in helping newbies learn. Thanks a ton! :)

From that article you specified I think I'll have to use the mysql_fetch_array ( resource result [, int result_type])

function to extract the data and show it in the form...
Am I on the right track?

d40sithui

5:32 pm on Aug 15, 2007 (gmt 0)

10+ Year Member



I think it depends on what you want to do with the data.
You definitely do not want to use the raw data from $_POST, or $_REQUEST, $_GET, etc.
Make sure you use some kind of filter before processing them.
mysql_real_escape_string(), trim(), stripslashes(), htmlentities() etc. are some useful functions you should get to know. See this post for more information. I highly recommend it.
[webmasterworld.com...]

In terms of retrieving data from the database, there are several functions that will accomplish this. Here's one that I typically use.

<?php
$query = "select * from table";
$result = mysql_query($query);
// each iteration gives one row as an associative array keyed by column name
while($content = mysql_fetch_assoc($result)){

$id = $content['id']; //id is the field name in table
$username = $content['username']; //same with username
...
}
?>
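Putting the thread's pieces together for the original question, as an added example that is not code from any poster: the article is loaded by id with a bound parameter and the stored subject is HTML-escaped when it is echoed into the value attribute. PDO and prepared statements stand in for the mysql_* functions used in the thread, the in-memory SQLite table and its row are constructed so the script runs offline, and the `h()`, `loadArticle()` and `subjectForForm()` helpers are assumptions of mine.

```php
<?php
// Added example, not from the thread: show a stored article subject in the edit
// form. PDO with bound parameters replaces the mysql_* calls used above, and an
// in-memory SQLite table with a constructed row stands in for the real database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, subject TEXT)");
$db->exec("INSERT INTO articles (id, subject) VALUES (7, 'Tom & Jerry <\"live\">')"); // constructed

// Escape for HTML when printing. The raw value stays raw in the database.
function h($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Fetch one article. The id is a bound parameter, never part of the SQL text.
function loadArticle(PDO $db, $id) {
    $stmt = $db->prepare("SELECT id, subject FROM articles WHERE id = ?");
    $stmt->execute([(int)$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// What the field should show: the value just posted when the form is being
// re-displayed after a failed save, otherwise the value stored in the database.
function subjectForForm(array $post, ?array $article) {
    if (isset($post['subject'])) {
        return $post['subject'];
    }
    return $article === null ? '' : $article['subject'];
}

// Simulated request (constructed): editing article 7, nothing posted yet.
$get  = ['id' => '7'];     // in a real script: $_GET
$post = [];                // in a real script: $_POST

$article = loadArticle($db, $get['id']);
if ($article === null) {
    exit('No such article');
}
$subject = subjectForForm($post, $article);
?>
<form method="post" action="save.php">
<input type="hidden" name="id" value="<?php echo h($article['id']); ?>" />
<input id="subject" name="subject" type="text" size="45"
       value="<?php echo h($subject); ?>" />
<input type="submit" value="Save" />
</form>
```

With magic_quotes off (the default since PHP 5.4) no stripslashes() is needed anywhere in this path; the value attribute is blank in the original post simply because nothing named subject arrived in $_GET.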

kkonline

4:29 am on Aug 16, 2007 (gmt 0)

10+ Year Member



------CASE 1--------
So that means I should use

$subject = htmlentities(($_POST['subject'])); // for cleaning or similar functions

and then in the mysql queries again I should send $_POST['subject'] as a parameter, as it will be the $_POST['subject'] (posted on the form by the user) data which is now clean.

Also the cleaned data from htmlentities will be stored in the $subject variable [local to the script], so I can also use $subject in the sql queries directly.

Am I correct?

-----CASE 2------
If I have something like
$_POST[$subject] = htmlentities(($_POST['subject']));

then the data posted by the user will be cleaned with html() and then the clean values will again be stored in the same global post => it will clean and update itself.

Now I will have to use $_POST['subject'] in mysql queries..

Correct?

Habtom

5:36 am on Aug 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Here is a function from PHP_Chimp on this recent thread [webmasterworld.com]:
function clean($i){
// add backslashes only if magic_quotes has not already done so
if (!get_magic_quotes_gpc()){
$i = addslashes($i);
}
$i = rtrim($i);
// replace HTML-significant characters with their entities
$look = array('&', '#', '<', '>', '"', '\'', '(', ')');
$safe = array('&amp;', '&#35;', '&lt;', '&gt;', '&quot;', '&#39;', '&#40;', '&#41;');
$i = str_replace($look, $safe, $i);
return $i;
}

In the same thread dreamcatcher also posted the following way of simply reaching everything in the $_POST array.

$_POST = array_map('clean',$_POST);

You can modify the clean function if you want more security.

Habtom
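As an added illustration, not code from the thread, of why the output of clean() is best kept out of the storage path: entities written into the database come back double-encoded when the form is re-displayed with output escaping, and the row no longer matches what the user typed. The input is a constructed sample; PDO, the in-memory SQLite table and the `cleanLikeThread()`, `h()` and `findBySubject()` helpers are assumptions of mine.

```php
<?php
// Added example, not code from the thread: what storing the output of clean()
// does to the data, compared with keeping the raw value and escaping per
// context. The input is a constructed sample and the table is in-memory SQLite,
// so this runs offline; with MySQL only the PDO DSN changes.

// The thread's clean(), minus the magic_quotes check.
function cleanLikeThread($i) {
    $i = rtrim(addslashes($i));
    $look = array('&', '#', '<', '>', '"', '\'', '(', ')');
    $safe = array('&amp;', '&#35;', '&lt;', '&gt;', '&quot;', '&#39;', '&#40;', '&#41;');
    return str_replace($look, $safe, $i);
}

// Per-context escaping: HTML escaping only at the moment of printing...
function h($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}
// ...and bound parameters for SQL, so no quoting is done by hand.
function findBySubject(PDO $db, $subject) {
    $stmt = $db->prepare("SELECT id FROM articles WHERE subject = ?");
    $stmt->execute([$subject]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int)$id;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, subject TEXT)");
$ins = $db->prepare("INSERT INTO articles (id, subject) VALUES (?, ?)");

$input = "O'Reilly & Sons <b>";   // constructed user input

// Row 1 is stored the thread's way. stripslashes() stands in for MySQL consuming
// the addslashes() backslash when the value is interpolated into the query text.
$ins->execute([1, stripslashes(cleanLikeThread($input))]);
// Row 2 keeps the raw value; the driver does the quoting.
$ins->execute([2, $input]);

// Only the raw row is found when searching for what the user actually typed.
echo "matching id: ", var_export(findBySubject($db, $input), true), "\n";

// Re-displaying both rows in a form field with output escaping: the entities
// stored in row 1 are escaped a second time, so the browser shows them literally.
foreach ($db->query("SELECT id, subject FROM articles ORDER BY id") as $row) {
    echo '<input name="subject" value="' . h($row['subject']) . '" /> <!-- row '
       . (int)$row['id'] . " -->\n";
}
```

The lookup reports row 2 only, and row 1's field displays the entity text rather than the apostrophe and ampersand the user entered.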

d40sithui

11:30 am on Aug 16, 2007 (gmt 0)

10+ Year Member



Case 1:
You are correct! $subject will now be accessible locally to the script and can be used in mysql queries for that script.

Case 2:
I'm not sure why you would want to do this. I know you want to make $subject global, but typically it's not done this way. Although this won't throw an error, it will probably not work as it stands. If you want to have it so that all your scripts will be able to "see" $subject after the initial $_POST, there is a much easier way.
If you save it in $_SESSION, you can retrieve it from every other page. You can change it, or delete it at will.

Save $subject in a session var such as this.
<?php
session_start(); //initialize session, you'll need this on all pages that use $_SESSION

$_SESSION['subject'] = clean($_POST['subject']); //where clean is a function to filter your user input
?>

Now whenever you need $subject, such as in a query, just call $_SESSION['subject'] as so:
$subject = $_SESSION['subject'];
$query = "select * from table where subject='$subject'";

Also, you may want to use more than htmlentities to clean your inputs.