Using extract with post data?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

bdeonline
Forum Commoner
Posts: 42
Joined: Sun Jul 18, 2004 10:45 am

Using extract with post data?

Post by bdeonline »

I was reading on how to get post data without having to write:

Code:

<?php $variable = $_POST['variable']; ?>
or GET each time.

So I read that the extract function could do this but is a potential security risk. One is that a would-be hacker could add as many fields as they wanted, and two, they could override existing variables.

So I came up with this in the hopes of making it more secure:

Code:

<?php
if (count($_GET) == 1) {
	extract($_GET, EXTR_SKIP);
}

$admin = "FALSE";

echo $text . "<br />" . $admin;
?>
Anyone know a way they can break this and get the admin to true?
hedge
Forum Contributor
Posts: 234
Joined: Fri Aug 30, 2002 10:19 am
Location: Calgary, AB, Canada

Post by hedge »

not sure I understand... you always force it to false so how would it ever be true?

If you are setting the status of your admin var based on a get variable then that could be overridden very easily.
bdeonline
Forum Commoner
Posts: 42
Joined: Sun Jul 18, 2004 10:45 am

Post by bdeonline »

I guess my question is:
Is it just as secure to use:

Code:

<?php
if (count($_GET) == 1) {
   extract($_GET, EXTR_SKIP);
}

$admin = "FALSE";

echo $text . "<br />" . $admin;
?>
as it is to use:

Code:

<?php
$text = $_POST['text'];
?>
Because if I had 40 post fields I would have to create 40 variables by hand.

I mean it is limited to the number of variables you allow it, and it can only use the variables you specify.
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

Because if I had 40 post fields I would have to create 40 variables by hand.
That would be 40 extra variables as you already have the variables, $_POST['text'] etc..
I'd just stick to using $_POST['text'] rather than create a bunch of unneeded temporary vars, you won't save that many keystrokes by using $_POST['text'] rather than $text and the extra work/uncertainty of using extract() isn't worth it imho.
bdeonline
Forum Commoner
Posts: 42
Joined: Sun Jul 18, 2004 10:45 am

Post by bdeonline »

Problem is you can't send $_POST's into mysql without first being a variable

Code:

<?php
mysql_query("INSERT INTO test VALUES ($_POST['text'])");
?>
but you can if it's a variable

Code:

<?php
mysql_query("INSERT INTO test VALUES($text)");
?>
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

Sure you can.

Code:

mysql_query("INSERT INTO test VALUES ('{$_POST['text']}')");
So instead of '$text' you just use '{$_POST['text']}'
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

with the code posted, the second is more secure.

the first one could create something other than $text that you haven't created yet. For instance, assume the following:

Code:

<?php

if (count($_GET) == 1) {
   extract($_GET, EXTR_SKIP);
}

$blah = array('tell','show','grape');

for($x = 0, $y = sizeof($blah); $x < $y; $x++)
  $foo .= $blah[$x] . ' - ';

echo $foo;
I could pass ?foo=hahahah+you+suck

and it'll echo:

Code:

hahahah you sucktell - show - grape
so be careful with it and how you code.

you could use a safer extract:

Code:

<?php

// only the names in this list can ever become variables; anything else in $_GET is ignored
$accepted_passed_vars = array('larry','curly','moe','shemp','yakko','wakko','dot');
foreach($accepted_passed_vars as $v)
  if(isset($_GET[$v])) $$v = $_GET[$v];
  else $$v = '';

?>
bdeonline
Forum Commoner
Posts: 42
Joined: Sun Jul 18, 2004 10:45 am

Post by bdeonline »

markl999 wrote:Sure you can.

Code:

mysql_query("INSERT INTO test VALUES ('{$_POST['text']}')");
So instead of '$text' you just use '{$_POST['text']}'
Wow, didn't know that one. That helps a bunch. And it wouldn't create such extra overhead as creating extra variables for each post or get would. Thanks.
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

The problem with using $text = $_POST['text']; or extract() etc. is that you might as well turn register_globals On. register_globals being Off doesn't improve security on its own, as like you say, you can just do $text = $_POST['text'];
The point is that you should always validate user input before using it, so you should validate $_POST['text'] before using it in a query the same way you'd validate $text.
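A whitelisted alternative to extract() that ties together feyd's safer-extract approach and the point that whitelisted input still needs validating before it reaches a query. This is an added example, not code from any post in the thread; the $request array is constructed and stands in for $_GET, and the validation rule (a maximum length) is an assumed one.

```php
<?php
// Added example (not from the thread): copy request fields into local
// variables only from an explicit whitelist, with every variable
// initialised, so a client cannot inject names such as $foo or $admin.

/**
 * Return the allowed request fields with defaults applied.
 * Keys absent from $allowed are ignored even if the client sends them.
 *
 * @param array $source   usually $_GET or $_POST
 * @param array $allowed  field name => default value
 */
function import_request_vars(array $source, array $allowed): array
{
    $out = [];
    foreach ($allowed as $name => $default) {
        // Only scalar values are accepted; an array (?text[]=x) falls back to the default.
        $out[$name] = (isset($source[$name]) && is_scalar($source[$name]))
            ? (string) $source[$name]
            : $default;
    }
    return $out;
}

// Constructed request standing in for $_GET: the client sends $foo and
// $admin alongside the one field the script actually expects.
$request = ['text' => 'hello', 'foo' => 'hahahah you suck', 'admin' => 'TRUE'];

$vars = import_request_vars($request, ['text' => '']);
// $vars is ['text' => 'hello']; 'foo' and 'admin' were never imported.

$admin = false;   // always initialised by the script, never by the request
$foo   = '';      // initialised, so no earlier value can be appended to
$blah  = ['tell', 'show', 'grape'];
foreach ($blah as $word) {
    $foo .= $word . ' - ';
}
echo $foo, "\n";  // "tell - show - grape - " no matter what ?foo= was sent

// Whitelisting is not validation: check the value before it goes near a
// query (assumed rule: at most 255 characters).
if (strlen($vars['text']) > 255) {
    exit('text is too long');
}
// Only now is $vars['text'] a candidate for a query; it still needs
// escaping or binding when that query is built.
```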