
Using extract with post data?

Posted: Wed Aug 25, 2004 11:00 am
by bdeonline
I was reading on how to get post data without having to write:

Code:

<?php $variable = $_POST['variable']; ?>
or GET each time.

So I read that the extract function could do this but is a potential security risk. One is that a would-be hacker could add as many fields as they wanted, and two, they could override existing variables.

So I came up with this in the hopes of making it more secure:

Code:

<?php
if (count($_GET) == 1) {
	extract($_GET, EXTR_SKIP);
}

$admin = "FALSE";

echo $text . "<br />" . $admin;
?>
Anyone know a way they can break this and get the admin to true?

Posted: Wed Aug 25, 2004 11:05 am
by hedge
not sure I understand... you always force it to false so how would it ever be true?

If you are setting the status of your admin var based on a get variable then that could be overridden very easily.

Posted: Wed Aug 25, 2004 11:20 am
by bdeonline
I guess my question is: is it just as secure to use:

Code:

<?php
if (count($_GET) == 1) {
   extract($_GET, EXTR_SKIP);
}

$admin = "FALSE";

echo $text . "<br />" . $admin;
?>
as it is to use:

Code:

<?php
$text = $_POST['text'];
?>
Because if I had 40 post fields I would have to create 40 variables by hand.

I mean it is limited to the number of variables you allow it and it can only use the variables you specify.

Posted: Wed Aug 25, 2004 11:23 am
by markl999
Because if I had 40 post fields I would have to create 40 variables by hand.
That would be 40 extra variables as you already have the variables, $_POST['text'] etc..
I'd just stick to using $_POST['text'] rather than create a bunch of unneeded temporary vars, you won't save that many keystrokes by using $_POST['text'] rather than $text and the extra work/uncertainty of using extract() isn't worth it imho.

Posted: Wed Aug 25, 2004 11:27 am
by bdeonline
Problem is you can send $_POST's into mysql without first being a variable

Code:

<?php
mysql_query("INSERT INTO test VALUES ($_POST['text'])");
?>
but you can if it's a variable

Code:

<?php
mysql_query("INSERT INTO test VALUES($text)");
?>

Posted: Wed Aug 25, 2004 11:28 am
by markl999
Sure you can.

Code:

mysql_query("INSERT INTO test VALUES ('{$_POST['text']}')");
So instead of '$text' you just use '{$_POST['text']}'

Posted: Wed Aug 25, 2004 11:32 am
by feyd
with the code posted, the second is more secure.

the first one could create something other than $text that you haven't created yet. For instance, assume the following:

Code:

<?php

if (count($_GET) == 1) {
   extract($_GET, EXTR_SKIP);
}

$blah = array('tell','show','grape');

for($x = 0, $y = sizeof($blah); $x < $y; $x++)
  $foo .= $blah[$x] . ' - ';

echo $foo;
I could pass ?foo=hahahah+you+suck

and it'll echo:

Code:

hahahah you sucktell - show - grape
so be careful with it and how you code.

you could use a safer extract:

Code:

<?php

$accepted_passed_vars = array('larry','curly','moe','shemp','yakko','wakko','dot');
foreach($accepted_passed_vars as $v)
  if (isset($_GET[$v])) $$v = $_GET[$v];  // only names on the list are created
  else $$v = '';                           // and every listed name is always initialised

?>
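A runnable version of the two behaviours described in the post above, added here as an example and not code from the thread. The request array is constructed to mimic ?foo=hahahah+you+suck, and the function names are mine.

```php
<?php
// Constructed request, standing in for the query string ?foo=hahahah+you+suck
$_GET = ['foo' => 'hahahah you suck'];

// The thread's "count == 1 then extract" guard. EXTR_SKIP only protects
// variables that already exist in scope; $foo has not been assigned yet
// when extract() runs, so the request seeds it and the later .= appends to it.
function unsafe_build(array $get): string
{
    if (count($get) == 1) {
        extract($get, EXTR_SKIP);
    }
    if (!isset($foo)) {      // stands in for the forgotten initialisation
        $foo = '';           // without triggering the undefined-variable notice
    }
    foreach (['tell', 'show', 'grape'] as $word) {
        $foo .= $word . ' - ';
    }
    return $foo;
}

// Allowlist extraction: only listed names ever enter the scope, and each of
// them is always assigned, so nothing the request sends can reach $foo.
function safe_build(array $get): string
{
    $accepted = ['larry', 'curly', 'moe'];
    foreach ($accepted as $v) {
        $$v = isset($get[$v]) ? $get[$v] : '';
    }
    // The allowlist decides which names exist; the values are still untrusted
    // and must be validated before being used in a query or in output.
    $foo = '';
    foreach (['tell', 'show', 'grape'] as $word) {
        $foo .= $word . ' - ';
    }
    return $foo;
}

echo unsafe_build($_GET), "\n";
echo safe_build($_GET), "\n";
```

Run with `php` on the command line: the first line reproduces the output quoted earlier in the post, the second shows the allowlisted version unaffected by the request.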

Posted: Wed Aug 25, 2004 11:34 am
by bdeonline
markl999 wrote: Sure you can.

Code:

mysql_query("INSERT INTO test VALUES ('{$_POST['text']}')");
So instead of '$text' you just use '{$_POST['text']}'
Wow, didn't know that one. That helps a bunch. And it wouldn't create such an extra overhead as creating extra variables for each post or get would. Thanks.

Posted: Wed Aug 25, 2004 11:35 am
by markl999
The problem with using $text = $_POST['text']; or extract() etc. is that you might as well turn register_globals On. register_globals being Off doesn't improve security on its own, as like you say, you can just do $text = $_POST['text'];
The point is that you should always validate user input before using it, so you should validate $_POST['text'] before using it in a query the same way you'd validate $text.