Using define() for website Name

Developer https://www.devze.com 2023-02-26 07:05 Source: web
I have a page with a form like so:

        <form method="POST" action="scripts/save-settings2.php">
            <div id="posts">
                <div class="post">
                    <div>
                        <label for="siteName">Site Name</label>
                        <div class="input-wrap">
                            <input value="<?php echo constant('siteName'); ?>" type="text" name="siteName" />
                        </div>
                    </div>
                    <input type="submit" value="Save" />
                    <a href="posts.php" class="cancel">Cancel</a>
                </div>  <!--Post--> 
            </div>  <!--Posts-->    
        </form>

The values of the inputs are sent to this script:

include '../includes/database-login.php';
if (isset($_POST['siteName'])) {
    $siteName = mysql_real_escape_string($_POST['siteName']);
    define("siteName", "$siteName");
    header('Location: ../settings.php');
} else {
    header( 'Location: ../newpost-error.php' );
}

What I am trying to do is take what the user fills into the siteName input field, and define it as the constant "siteName" so I can echo the constant elsewhere on the site. For some reason this isn't working. Have I made some obvious mistake here?


Defines only last for the life of the script execution; they will not last through a redirect.

Have a look at sessions, and at storing the site name in a session:

// sessions must be started on each page before $_SESSION is used
session_start();

// store in session
$_SESSION['siteName'] = $siteName;

// retrieve from session
$siteName = $_SESSION['siteName'];


I don't believe the constant will stay if you change page.


Change this:

define("siteName", "$siteName");

To this:

define("siteName", $siteName);

It will be better to set siteName in upper case, and if you want to echo the content of the constant, do this:

echo siteName;


Constants in programming should only really be used for things which are known before the execution even begins and which will never change. Like this typical example:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
/** MySQL database username */
define('DB_USER', 'username_here');
/** MySQL database password */
define('DB_PASSWORD', 'password_here');

Don't use constants for user input. And constants should always use THE_ALL_CAPS_NAMING_SCHEME.

If you really just want to use a variable all over your application you can use a super global.

Also, constants, just like variables, are only stored in memory while your program executes - as soon as the execution is finished the values disappear.

If you want to use a value in multiple requests you would either store it in a database, a cache mechanism like Memcached or Redis or session storage. Note that the session relies on cookies in the browser and is vulnerable to many kinds of hacks.

If you are building a content management system, then you should be saving this data in the database, not in the session as recommended by some of the other answers, as the session is a kind of personal storage and will not be the same for different users.

Additionally, don't use mysql_real_escape_string; it does not properly prevent SQL injection attacks when used to sanitize database input and does not prevent XSS attacks where users inject malicious JavaScript into the page.

  • How to prevent XSS with HTML/PHP?
  • How can I prevent SQL injection in PHP?
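
As an added example (not code from the original question or answers): one way to do what the last answer recommends, storing the site name in the database through PDO prepared statements and escaping it with htmlspecialchars() on output. The `settings` table, the function names, the length limit and the in-memory SQLite DSN are assumptions for illustration; a real site would pass the DSN of its own database.

```php
<?php
// Added example: persist a site-wide setting in the database and escape it on output.
// Table name, function names and DSN are hypothetical, chosen for illustration.

function openSettingsDb(string $dsn = 'sqlite::memory:'): PDO
{
    $pdo = new PDO($dsn);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS settings (name TEXT PRIMARY KEY, value TEXT NOT NULL)');
    return $pdo;
}

function saveSetting(PDO $pdo, string $name, string $value): void
{
    // Bound parameters keep user input out of the SQL text entirely,
    // so no manual escaping function is needed.
    $stmt = $pdo->prepare('REPLACE INTO settings (name, value) VALUES (?, ?)');
    $stmt->execute([$name, $value]);
}

function loadSetting(PDO $pdo, string $name, string $default = ''): string
{
    $stmt = $pdo->prepare('SELECT value FROM settings WHERE name = ?');
    $stmt->execute([$name]);
    $value = $stmt->fetchColumn();          // false when no row matches
    return $value === false ? $default : (string) $value;
}

function e(string $text): string
{
    // Escape for HTML text and attribute context (both quote styles).
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- what scripts/save-settings2.php would do (constructed input stands in for $_POST) ---
$pdo    = openSettingsDb();
$posted = ['siteName' => 'Bob\'s "Site" <b>News</b>'];
$siteName = trim($posted['siteName'] ?? '');
if ($siteName === '' || strlen($siteName) > 100) {
    exit('Invalid site name');              // the page redirects to its error page here
}
saveSetting($pdo, 'siteName', $siteName);   // stored exactly as typed, quotes and all

// --- what settings.php (or any other page, for any user) would do ---
$current = loadSetting($pdo, 'siteName', 'My Site');
echo '<input type="text" name="siteName" value="' . e($current) . '" />', PHP_EOL;
```

The value is stored unmodified and escaped only at the point of output, so the same row can be reused safely in HTML, in a page title, or in another context with that context's own escaping.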