Page 1 of 2 (results 1 to 15 of 16)
  #1 Regular Coder (joined Jun 2007; Maryland, USA; 165 posts)

    $_POST and $_GET variable setting

    This is an extremely simple snippet, but it's something that has saved me a lot of time since I started using it.

    It will take all of your form's inputs and convert them into php variables with the correct variable names and values.

    So, for example, you need not ever write $input = $_POST['input']; again. This will take care of all of that for you using "variable variables".

    PHP Code:
    foreach ($_POST as $key => $value) {
        $$key = $value;   // variable variable: the field name becomes the variable name
    }
    foreach ($_GET as $key => $value) {
        $$key = $value;
    }

    Maybe this is just common sense, but until I figured this out on my own, I went about things the long way. I never saw anyone use this in their code.
    Last edited by madmatter23; 03-15-2008 at 09:41 PM.

  #2 Senior Coder CFMaBiSmAd (joined Oct 2006; Denver, Colorado USA; 3,025 posts)
    Your code has no protection against overwriting existing program variables, so a hacker could just visit your site with any $_GET variable he wanted and he could set or change your existing program variables, such as to say he is logged in or that he is an administrator...

    Besides, there is already an existing php function to do this, and it has a flag that will prevent overwriting existing variables - http://php.net/extract
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
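    The overwrite CFMaBiSmAd describes, shown as an added example that is not code from the thread: the loop from post #1 is run against a request that carries a field the form never had, then the EXTR_SKIP flag he points to and the allow-list idea from posts #4 and #7 are applied to the same input. $request is a constructed stand-in for $_GET so the script runs from the command line, and the $is_admin flag, the request_fields() helper and its allow-list are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. $request is a constructed stand-in
// for $_GET so the script runs from the command line without a web server.
$request = array(
    'username' => 'alice',
    'is_admin' => '1',   // a field the form never had, added by the client
);

// Program state that must not be reachable from the request.
$is_admin = false;

// 1. The loop from post #1: every key becomes a variable, so the request
//    value replaces $is_admin.
foreach ($request as $key => $value) {
    $$key = $value;
}
var_dump($is_admin);    // string(1) "1": program state overwritten from the URL

// 2. extract() with EXTR_SKIP (the flag post #2 refers to): keys that already
//    exist as variables are skipped, so $is_admin keeps its value. Keys that
//    do not exist yet are still created, so unknown fields still land in scope.
$is_admin = false;
extract($request, EXTR_SKIP);
var_dump($is_admin);    // bool(false)

// 3. An allow-list, the approach described in posts #4 and #7: copy only the
//    fields the form is known to have, into one array rather than loose
//    variables, so no other variable in the script can be reached.
//    request_fields() is a hypothetical helper written for this example.
function request_fields(array $source, array $allowed)
{
    $fields = array();
    foreach ($allowed as $name) {
        $fields[$name] = isset($source[$name]) ? $source[$name] : null;
    }
    return $fields;
}

$form = request_fields($request, array('username', 'email'));
var_dump($form);        // username => "alice", email => NULL; is_admin is dropped
```

    The difference between steps 2 and 3 is worth noting: EXTR_SKIP only protects variables that already exist at the moment extract() runs, so a variable first assigned later in the script is still reachable; the allow-list protects everything because nothing outside the named fields is ever copied.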

  #3 Senior Coder (joined Aug 2003; location "One step ahead of you."; 2,815 posts)
    This is extremely insecure. This is register_globals reinvented, only worse, as you can overwrite variables.
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.

  #4 Regular Coder idalatob (joined Sep 2007; Grahamstown, South Africa; 237 posts)
    Hmmm.

    Yeah, using it with $_GET is unacceptable; however, I have used it for multiple $_POST formatting before.

    What I use is in_array and list out the variables, then loop through each $_POST variable, and if the key does not match then it is discarded. Don't know if that is the safest way of doing it, but that's just how I do it.

  #5 Senior Coder kbluhm (joined Apr 2007; Philadelphia, PA, USA; 1,509 posts)
    That undesirable piece of code can be rewritten much more simply as:
    PHP Code:
    extract( $_POST );
    extract( $_GET );
    But don't do this. It is lazy and can be extremely insecure.

    In the order you have the two variables, $_GET will overwrite $_POST... so anyone can name any input they'd like.

    This topic should be removed. Horrible snippet. Useless.

  #6 Regular Coder (joined Jun 2007; Maryland, USA; 165 posts)
    Hm, yeah, I didn't know about extract(), but I'm happy to learn about it. I should use it as
    PHP Code:
    extract($_POST, EXTR_SKIP);
    extract($_GET, EXTR_SKIP);
    I had been using that previous snippet in an admin panel, which first checks that you've logged in securely before executing the extraction code, so I didn't really consider the security. But you're absolutely right.

    Thanks for the info.

  #7 Regular Coder thesmart1 (joined Dec 2005; 369 posts)
    Quote Originally Posted by idalatob:
    Hmmm.

    Yeah, using it with $_GET is unacceptable; however, I have used it for multiple $_POST formatting before.

    What I use is in_array and list out the variables, then loop through each $_POST variable, and if the key does not match then it is discarded. Don't know if that is the safest way of doing it, but that's just how I do it.
    You shouldn't do that for $_POST either, as form fields can easily be added or changed. I use Firefox, with the Firebug extension, so I could very easily edit the HTML and add a form field for the PHP script to use.

    Creating an array of $_POST keys to use is a good idea and seems secure to me. I have done this in the past, as it makes it easy to add parameters to a script from a form input.

    Quote Originally Posted by kbluhm:
    But don't do this. It is lazy and can be extremely insecure.
    Laziness can actually be a good thing, to streamline code and make it execute faster, however it is bad when it compromises security.

  #8 Regular Coder (joined Oct 2004; London E4 UK; 320 posts)
    Oh dear, I'm using that, and wonderful I thought it too.

    So, for a rank idiot, what's the sound way to do it?

    To key in by hand every GET or POST, as appropriate, into every PHP page that needs to receive variables?

    Thanks; I can just about make pages do what I need them to, very vague on security and hacking.

  #9 New Coder RMcLeod (joined Mar 2008; Somerset, England; 93 posts)
    The way I do it is by using extract with EXTR_PREFIX_ALL; this ensures that variables won't be overwritten.

    PHP Code:
    <?php
    // $_POST contains name, email and password

    extract($_POST, EXTR_PREFIX_ALL, 'details');

    // We now have the following variables
    // $details_name
    // $details_email
    // $details_password
    ?>
    Obviously this doesn't take care of validation or cleaning up of the values, but that's beyond the scope of this thread.

  #10 Regular Coder (joined Jun 2007; Maryland, USA; 165 posts)
    The only issue that I have with using extract is that it is not compatible with mysql_real_escape_string(), which can only be used on variables, not arrays.

    So, unfortunately
    Code:
    extract(mysql_real_escape_string($_POST), EXTR_PREFIX_ALL, 'details');
    Doesn't work.

    I've used
    PHP Code:
    foreach ($_POST as $key => $value) {
        $$key = mysql_real_escape_string($value);   // needs an open MySQL connection
    }
    foreach ($_GET as $key => $value) {
        $$key = mysql_real_escape_string($value);
    }

    Instead.
    I only use this in situations where there is no chance of an important variable being overwritten.

    Is there a better way to do this?

  #11 New Coder RMcLeod (joined Mar 2008; Somerset, England; 93 posts)
    PHP Code:
    <?php
    $details = array();
    foreach ($_POST as $key => $val) {
        $details[$key] = mysql_real_escape_string($val);   // escape a copy, leaving $_POST untouched
    }
    extract($details, EXTR_PREFIX_ALL, 'details');          // gives $details_name, $details_email, ...
    ?>

  #12 Senior Coder kbluhm (joined Apr 2007; Philadelphia, PA, USA; 1,509 posts)
    RMcLeod: That is not a very well thought out piece of code.

    It is assuming the info will immediately be going into a MySQL database in its current form. A connection must be present as well to use mysql_real_escape_string().

    Nowhere does the OP mention sending the data to a database. He mentioned taking info from $_POST and $_GET for re-use. If you run it through mysql_real_escape_string() the values are not equal to the original submitted values.

    Your code is also not checking whether magic_quotes are enabled, which at this point in time is still entirely possible.

    The value I'm great! could potentially be set to I\\\'m great! with the presence of magic_quotes, or at the very least I\'m great! without them.
    Last edited by kbluhm; 06-12-2008 at 06:04 PM.
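    kbluhm's point that escaping during extraction changes the values, and that magic_quotes on top of your own escaping mangles them further, shown as an added example that is not code from the thread. The request array is constructed; addslashes() stands in for mysql_real_escape_string(), which escapes a similar set of characters but needs an open MySQL connection; undo_magic_quotes(), for_html() and for_sql_literal() are helpers written for this example.

```php
<?php
// Added example, not code from the thread. The request array is constructed;
// addslashes() stands in for mysql_real_escape_string(), which needs a live
// connection. The helper functions below are written for this illustration.
$request = array('greeting' => "I'm great!");

// Undo magic_quotes_gpc on PHP builds that still apply it (removed in 5.4),
// so that what we store equals what the user actually submitted.
function undo_magic_quotes(array $source)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        foreach ($source as $key => $value) {
            $source[$key] = stripslashes($value);
        }
    }
    return $source;
}

// Keep the raw values in one array; nothing is escaped at this point.
$input = undo_magic_quotes($request);

// What escaping at extraction time (post #11) produces: values that no longer
// equal the input, and a second layer of backslashes when magic_quotes is on.
$escaped_once  = addslashes($input['greeting']);   // I\'m great!
$escaped_twice = addslashes($escaped_once);        // I\\\'m great!
var_dump($escaped_once === $input['greeting']);    // bool(false)

// Escape at each sink instead, according to where the value is going.
function for_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');   // browser output
}

function for_sql_literal($value)
{
    // stand-in for "'" . mysql_real_escape_string($value) . "'"
    return "'" . addslashes($value) . "'";
}

echo for_html($input['greeting']), "\n";          // I&#039;m great!
echo for_sql_literal($input['greeting']), "\n";   // 'I\'m great!'
// $input['greeting'] is still exactly "I'm great!" for any other use,
// such as writing it back into a form field or sending it by e-mail.
```

    For the SQL case the same principle is served better by prepared statements (mysqli or PDO), which take the raw value as a bound parameter and remove the need to escape literals at all; either way the request values are stored once, unmodified, and transformed only at the point of use.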

  #13 New Coder RMcLeod (joined Mar 2008; Somerset, England; 93 posts)
    Quote Originally Posted by kbluhm:
    RMcLeod: That is not a very well thought out piece of code.

    It is assuming the info will immediately be going into a MySQL database in its current form. A connection must be present as well to use mysql_real_escape_string().

    Nowhere does the OP mention sending the data to a database. He mentioned taking info from $_POST and $_GET for re-use. If you run it through mysql_real_escape_string() the values are not equal to the original submitted values.

    Your code is also not checking whether magic_quotes are enabled, which at this point in time is still entirely possible.

    The value I'm great! could potentially be set to I\\\'m great! with the presence of magic_quotes, or at the very least I\'m great! without them.
    This is in answer to the question directly above my post, where he specifically asked about mysql_real_escape_string, not the original post! Maybe I should have quoted him just to make this clear, as you obviously missed it.

  #14 Senior Coder kbluhm (joined Apr 2007; Philadelphia, PA, USA; 1,509 posts)
    Ah, I did miss that, sorry about that.

  #15 New Coder JRM (joined Feb 2009; Oxford; 31 posts)

    Listing existing variables

    Ahoy all there, debuggers; hope you'll find it useful, as this saved me some time.
    Should you need to list received variables, you can do the following:

    PHP Code:
    // Walk the raw query string rather than $_GET, so keys are listed as they were sent
    $q = explode("&", $_SERVER["QUERY_STRING"]);
    foreach ($q as $qi) {
        if ($qi != "") {
            $qa  = explode("=", $qi, 2);              // limit 2: a value may itself contain '='
            $key = $qa[0];
            $val = isset($qa[1]) ? $qa[1] : '';       // "key" with no "=" gives an empty value
            if ($val) {
                echo $key;
                echo '=';
                echo $$key = urldecode($val);       // assigns the variable variable and prints it
                echo '<br>';
            }
        }
    }

    // each() was removed in PHP 8; foreach walks $_POST the same way
    foreach ($_POST as $key => $val) {
        if ($val) {
            echo $key;
            echo '=';
            echo $$key = $val;
            echo '<br>';
        }
    }
    Last edited by JRM; 05-03-2009 at 10:59 PM. Reason: improvement

