madmatter23 03-15-2008, 09:39 PM This is an extremely simple snippet, but it's something that has saved me a lot of time since I started using it.
It will take all of your form's inputs and convert them into php variables with the correct variable names and values.
So, for example, you need not ever write $input = $_POST['input']; again. This will take care of all of that for you using "variable variables".
foreach ($_POST as $key => $value){
$$key = $value;
}
foreach ($_GET as $key => $value){
$$key = $value;
}
Maybe this is just common sense, but until I figured this out on my own, I went about things the long way. I never saw anyone use this in their code.
CFMaBiSmAd 03-15-2008, 10:11 PM Your code has no protection against overwriting existing program variables, so a hacker could just visit your site with any $_GET variable he wanted and he could set or change your existing program variables, such as to say he is logged in or that he is an administrator...
Besides, there is already an existing php function to do this, and it has a flag that will prevent overwriting existing variables - http://php.net/extract
marek_mar 03-16-2008, 03:35 AM This is extremely insecure. This is register_globals reinvented, only worse, as you can overwrite variables.
idalatob 03-16-2008, 12:45 PM Hmmm.
Yeah using it with $_GET is unacceptable, however I have used it for multiple $_POST formatting before.
What I use is in_array and list out the variables, then loop through each $_POST variable and if the key does not match then it is discarded. Don't know if that is the safest way of doing it, but that's just how I do it.
kbluhm 03-16-2008, 06:47 PM That undesirable piece of code can be rewritten much more simply as:
extract( $_POST );
extract( $_GET );
But don't do this. It is lazy and can be extremely insecure.
In the order you have the two variables, $_GET will overwrite $_POST... so anyone can name any input they'd like.
This topic should be removed. Horrible snippet. Useless.
madmatter23 03-16-2008, 07:32 PM Hm, yeah, I didn't know about extract(), but I'm happy to learn about it. I should use it as
extract($_POST, EXTR_SKIP);
extract($_GET, EXTR_SKIP);
I had been using that previous snippet in an admin panel, which first checks that you've logged in securely before executing the extraction code, so I didn't really consider the security. But you're absolutely right.
Thanks for the info.
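The overwrite CFMaBiSmAd and kbluhm describe, and what EXTR_SKIP does and does not prevent, as an added example that is not part of the thread. $_GET is replaced by a constructed array so it runs from the command line, and the variable names $is_admin and $logged_in are assumed for illustration only.

```php
<?php
// Added example (not from the thread): what the $$key loop lets a request do,
// and what extract(..., EXTR_SKIP) does and does not prevent.
// $_GET is replaced by a constructed array so this runs from the command line.

// Constructed attacker request: ?username=bob&is_admin=1&logged_in=1
$request = ['username' => 'bob', 'is_admin' => '1', 'logged_in' => '1'];

// 1. The original snippet: every request key becomes a local variable,
//    so a key that matches a program variable replaces its value.
function original_snippet(array $get): bool
{
    $is_admin = false;                 // set by the program before the loop
    foreach ($get as $key => $value) {
        $$key = $value;                // the request overwrites $is_admin
    }
    return (bool) $is_admin;           // true: the request "made itself admin"
}

// 2. extract() with EXTR_SKIP: variables that already exist are left alone.
function with_extr_skip(array $get): bool
{
    $is_admin = false;
    extract($get, EXTR_SKIP);          // $is_admin kept, $username etc. created
    return (bool) $is_admin;           // false
}

// 3. EXTR_SKIP only protects variables that exist at the time of the call.
//    A flag the program assigns only on a later branch is still seeded by the
//    request, which is the register_globals problem marek_mar refers to.
function with_extr_skip_uninitialised(array $get, bool $session_valid): bool
{
    extract($get, EXTR_SKIP);          // $logged_in does not exist yet: created from request
    if ($session_valid) {
        $logged_in = true;
    }
    return isset($logged_in) && $logged_in;   // true even when $session_valid is false
}

var_dump(original_snippet($request));
var_dump(with_extr_skip($request));
var_dump(with_extr_skip_uninitialised($request, false));
```

Run it with the php command-line binary. The first function returns true (the request set $is_admin), the second false (EXTR_SKIP left the existing $is_admin alone), and the third true although $session_valid is false: EXTR_SKIP only protects variables that already exist when extract() is called, so any variable the program assigns later, or tests only with isset(), can still be supplied by the request. That is why an allow-list of expected keys, rather than a flag on extract(), is the safer direction in this thread.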
thesmart1 03-16-2008, 07:35 PM Hmmm.
Yeah using it with $_GET is unacceptable, however I have used it for multiple $_POST formatting before.
What I use is in_array and list out the variables, then loop through each $_POST variable and if the key does not match then it is discarded. Don't know if that is the safest way of doing it, but that's just how I do it.
You shouldn't do that for $_POST either, as form fields can easily be added or changed. I use Firefox, with the Firebug extension, so I could very easily edit the HTML and add a form field for the PHP script to use.
Creating an array of $_POST keys to use is a good idea and seems secure to me. I have done this in the past, as it makes it easy to add parameters to a script from a form input.
But don't do this. It is lazy and can be extremely insecure.
Laziness can actually be a good thing, to streamline code and make it execute faster, however it is bad when it compromises security.
Tynan 06-04-2008, 03:09 PM Oh dear, I'm using that, and I thought it wonderful too.
So, for a rank idiot, what's the sound way to do it?
To key in by hand every GET or POST as appropriate into every PHP page that needs to receive variables?
Thanks; I can just about make pages do what I need them to, but I'm very vague on security and hacking.
RMcLeod 06-05-2008, 09:27 AM The way I do it is by using extract, with EXTR_PREFIX_ALL, this ensures that variables won't be overwritten.
<?php
// $_POST contains name, email and password
extract($_POST, EXTR_PREFIX_ALL, 'details');
// We now have the following variables
// $details_name
// $details_email
// $details_password
?>
Obviously this doesn't take care of validation or cleaning up of the values, but that's beyond the scope of this thread.
madmatter23 06-12-2008, 05:33 AM The only issue that I have with using extract is that it is not compatible with mysql_real_escape_string(), which can only be used on variables, not arrays.
So, unfortunately
extract(mysql_real_escape_string($_POST), EXTR_PREFIX_ALL, 'details');
Doesn't work.
I've used
foreach ($_POST as $key => $value){
$$key = mysql_real_escape_string($value);
}
foreach ($_GET as $key => $value){
$$key = mysql_real_escape_string($value);
}
Instead.
I only use this in situations where there is no chance of an important variable being overwritten.
Is there a better way to do this?
RMcLeod 06-12-2008, 11:19 AM <?php
$details = array();
foreach($_POST as $key => $val) {
$details[$key] = mysql_real_escape_string($val);
}
extract($details, EXTR_PREFIX_ALL, 'details');
?>
kbluhm 06-12-2008, 06:02 PM RMcLeod: That is not a very well thought out piece of code.
It is assuming the info will immediately be going into a MySQL database in its current form. A connection must be present as well to use mysql_real_escape_string().
Nowhere does the OP mention sending the data to a database. He mentioned taking info from $_POST and $_GET for re-use. If you run it through mysql_real_escape_string() the values are not equal to the original submitted values.
Your code is also not checking whether magic_quotes are enabled, which at this point in time is still entirely possible.
The value I'm great! could potentially be set to I\\\'m great! with the presence of magic_quotes, or at the very least I\'m great! without them.
RMcLeod 06-13-2008, 08:45 AM RMcLeod: That is not a very well thought out piece of code.
It is assuming the info will immediately be going into a MySQL database in its current form. A connection must be present as well to use mysql_real_escape_string().
Nowhere does the OP mention sending the data to a database. He mentioned taking info from $_POST and $_GET for re-use. If you run it through mysql_real_escape_string() the values are not equal to the original submitted values.
Your code is also not checking whether magic_quotes are enabled, which at this point in time is still entirely possible.
The value I'm great! could potentially be set to I\\\'m great! with the presence of magic_quotes, or at the very least I\'m great! without them.
This is in answer to the question directly above my post, where he specifically asked about mysql_real_escape_string, not the original post! Maybe I should have quoted him just to make this clear, as you obviously missed it.
kbluhm 06-13-2008, 12:16 PM Ah, I did miss that, sorry about that.
Ahoy all there, Debuggers, hope you'll find it useful, as this saved me some time.
Should you need to list received variables, you can do the following:
// Split the raw query string by hand instead of reading $_GET
$q = explode("&", $_SERVER["QUERY_STRING"]);
foreach ($q as $qi)
{
    if ($qi != "")
    {
        // limit to 2 parts so a value that itself contains '=' is not cut short;
        // the union supplies an empty value for a bare "key" with no '='
        list ($key, $val) = explode("=", $qi, 2) + array(1 => "");
        $key = urldecode($key);
        if ($val){
            echo $key;
            echo '=';
            echo $$key = urldecode($val);   // variable variable, as in the original post
            echo '<br>';
        }
    }
}
// foreach replaces the reset()/each() loop: each() was deprecated in PHP 7.2
// and removed in PHP 8, and foreach needs no reset()
foreach ($_POST as $key => $val)
{
    if ($val){
        echo $key;
        echo '=';
        echo $$key = $val;
        echo '<br>';
    }
}
:)
idalatob 08-03-2009, 12:55 PM OK, it's a bit old, but I'll show you my method.
if (isset($_POST['submit_form'])){
    $values = array();
    $accepted = array('name','surname','email','etc');
    foreach ($_POST as $key=>$value){
        if (in_array($key,$accepted)){
            $values["form_" . $key] = mysql_real_escape_string($value);
        }
    }
}
if (isset($values)){
    extract($values);
}
I wrote this really quickly without testing. I want to know if this is safe or not.
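The allow-list approach idalatob and thesmart1 describe, combined with RMcLeod's EXTR_PREFIX_ALL, as an added example that is not part of the thread. It keeps the values as submitted and leaves escaping to the point of use, which is kbluhm's objection to escaping at collection time. $_POST is replaced by a constructed array so it runs from the command line; the function name collect_form, the field list and the is_admin field are assumed for illustration.

```php
<?php
// Added example (not from the thread): allow-list the expected fields into an
// array instead of writing request keys straight into the symbol table.
// $_POST is replaced by a constructed array so this runs from the command line.

/**
 * Return only the fields named in $allowed, in that order.
 * Unknown fields (e.g. a smuggled is_admin) are dropped, missing fields come
 * back as null, and non-string values (name[]=... arrays) are rejected.
 * Values are kept exactly as submitted: escaping depends on where the value
 * goes (SQL, HTML, ...), so it is done at the point of use, not here.
 */
function collect_form(array $source, array $allowed): array
{
    $values = [];
    foreach ($allowed as $key) {
        $raw = $source[$key] ?? null;
        $values[$key] = is_string($raw) ? $raw : null;
    }
    return $values;
}

// Constructed request: the expected fields, an array where a string was
// expected, and an extra is_admin field added by editing the form client-side
// (the Firebug-style edit thesmart1 mentions).
$post = [
    'submit_form' => 'Save',
    'name'        => "I'm great!",
    'surname'     => ['x'],
    'email'       => 'bob@example.com',
    'is_admin'    => '1',
];

$is_admin = false;   // program state that a raw extract($_POST) could have changed

if (isset($post['submit_form'])) {
    $form = collect_form($post, ['name', 'surname', 'email', 'phone']);

    // $form holds name, surname (null), email and phone (null), nothing else.
    // If plain variables are wanted, extracting this already-filtered array
    // with a prefix yields $form_name, $form_email, ... and cannot touch
    // $is_admin or any other program variable.
    extract($form, EXTR_PREFIX_ALL, 'form');

    // Escape at the point of use, per output context: HTML here.
    $html = htmlspecialchars((string) $form_name, ENT_QUOTES, 'UTF-8');
    // For SQL, bind the raw value with a prepared statement (mysqli/PDO)
    // rather than pre-escaping it at collection; no connection is opened here.

    var_dump($form, $html, $is_admin);
}
```

After the call, $form contains exactly the four allowed keys, the is_admin field is gone, surname is null because an array was submitted where a string was expected, $form_name still holds the apostrophe unescaped, and $is_admin is still false. Working from the array (or the prefixed variables) means that adding a field to the form requires adding it to the allow-list, which is the check the original snippet lacks.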