rogerthat

Reputation: 1815

variables go into db without being retrieved through $_POST

This works, but how are the values of the variables being put into the db without retrieving them through $_POST? Is this something new in PHP5, or have I just never seen it used this way before?

<!doctype html>
<html>
<head>
<title></title>
</head>
<body>
<form action="insert.php" method="post">
    First Name: <input type="text" name="fname" /><br>
    Last Name: <input type="text" name="lname" /><br>
    Username:  <input type="text" name="uname" /><br>

    <input type="submit" name="submit" value="Register"/><br>
</form>
</body>
</html>

insert.php

<?php

$con = mysqli_connect("", "", "", "");
// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    exit;
}

// $fname, $lname and $uname are never assigned in this script;
// they are only set when register_globals is on.
$sql = "INSERT INTO traders (fname, lname, username)
VALUES
('$fname','$lname','$uname')";

if (!mysqli_query($con, $sql))
{
    die('Error: ' . mysqli_error($con));
}
echo "1 record added ";

mysqli_close($con);
?>

Upvotes: 2

Views: 55

Answers (2)

David Lin

Reputation: 13353

No, this is called Register Globals and was DEPRECATED a long time ago; one should never use this!

When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier.

For more information: http://php.net/manual/en/security.globals.php

Upvotes: 2

Jerzy Zawadzki

Reputation: 1985

Because you are using the register globals option in PHP here, which is now deprecated/removed in new versions of PHP (mainly because of security issues), and which translates $_POST['fName'] into $fName.

You should always use $_POST/$_GET instead.

Read more: http://php.net/manual/en/security.globals.php

Upvotes: 7
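
The change both answers point to, as an added example (not code from the question or from either answer): insert.php reading fname, lname and uname explicitly from $_POST and, because those values are user input, binding them as parameters instead of interpolating them into the SQL string. The helper name read_trader_fields, the 64-character limit and the connection placeholders are assumptions.

```php
<?php
// insert.php rewritten to read the form fields explicitly (added example).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/**
 * Pull the three expected form fields out of the request array.
 * Returns null when a field is missing, not a string, empty or too long.
 */
function read_trader_fields(array $post): ?array
{
    $fields = [];
    foreach (['fname', 'lname', 'uname'] as $name) {
        $value = $post[$name] ?? null;
        if (!is_string($value)) {   // missing, or an array such as fname[]=x
            return null;
        }
        $value = trim($value);
        if ($value === '' || strlen($value) > 64) { // 64 is an assumed column size
            return null;
        }
        $fields[$name] = $value;
    }
    return $fields;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('POST required');
}

$fields = read_trader_fields($_POST);
if ($fields === null) {
    http_response_code(400);
    exit('Missing or invalid field');
}

// Placeholder connection values, not taken from the page.
$con = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

// The values travel as bound parameters, never as part of the SQL text.
$stmt = $con->prepare('INSERT INTO traders (fname, lname, username) VALUES (?, ?, ?)');
$stmt->bind_param('sss', $fields['fname'], $fields['lname'], $fields['uname']);
$stmt->execute();

echo '1 record added';
$stmt->close();
$con->close();
```

With this version the script behaves the same whether register_globals is on, off or absent, because no variable is used before the script itself assigns it.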
