$_POST question

hame22
Forum Contributor
Posts: 214
Joined: Wed May 11, 2005 5:50 am

Post by hame22 »

Hi, I have been wondering for a little while whether there is a quicker process of assigning variables to $_POST[] variables.

For example I have a form that produces 20 $_POST variables $_POST['username'], $_POST['pwd']...etc

At the moment I then do

$username = $_POST['username'] 20 times, which is very tiresome!!

Is there a quicker way I can do this process??

Thanks all
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

It is best to do it that way, it is more secure, but if you are lazy, you could just do...

Code: Select all

extract($_POST);
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Pimptastic wrote:it is best to do it that way, it is more secure, but if you are lazy, you could just do...

Code: Select all

extract($_POST);
which is a security hole (see: viewtopic.php?t=36903 ).

Always, always, always, always filter user-input by only allowing what you expect as input and nothing else. Otherwise, you're leaving the door to a couple of days in hell wide open. ;)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I will often create a whitelist for post handling. The whitelist contains the names of elements, along with types and may contain size limiters, if needed.. but that can be overcomplicated (sorta) for some.. a simple whitelist would be, like patrik suggested, just a filter based on the element names. Here's the quick and untested idea:

Code: Select all

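// Returns true only for element names on the whitelist (strict comparison).
function postFilter($elementName) {
  $whitelist = array('ab','ac','ag','bf');
  return in_array($elementName, $whitelist, true);
}

// By default array_filter() hands the callback each value, not each name;
// ARRAY_FILTER_USE_KEY (PHP 5.6+) makes it filter on the element names.
$cleanedPost = array_filter($_POST, 'postFilter', ARRAY_FILTER_USE_KEY);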
After you've cleaned the post data, you can use a separate function to extract out all the fields. I would suggest using the whitelist again so it can create variables for missing data so you don't have to deal with checking if the variable exists, but simply that it wasn't in the stream (set to false, since data in the post will be strings, numbers or arrays of the same).
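
Added example (not part of the original thread and not feyd's own code): one way to build the whitelist described above, with a type and size limit per field and false for anything missing or invalid. The function name filterPost, the $spec layout, the 'age' field, the limits and the sample input are all assumptions made for illustration.

```php
<?php
// Whitelist: element name => expected type and size limit (assumed values).
$spec = array(
    'username' => array('type' => 'string', 'max' => 32),
    'pwd'      => array('type' => 'string', 'max' => 128),
    'age'      => array('type' => 'int',    'max' => 150),
);

/**
 * Return one entry per whitelisted field. A field that is missing, has the
 * wrong type or exceeds its limit is set to false; names that are not in
 * $spec are never copied.
 */
function filterPost(array $post, array $spec)
{
    $clean = array();
    foreach ($spec as $name => $rule) {
        $clean[$name] = false;            // default: "was not in the stream"
        if (!isset($post[$name]) || !is_string($post[$name])) {
            continue;                     // missing, or sent as an array (pwd[]=x)
        }
        $value = $post[$name];
        if ($rule['type'] === 'int') {
            // Digits only, short enough not to overflow, then the range check.
            if (ctype_digit($value) && strlen($value) <= 9
                && (int) $value <= $rule['max']) {
                $clean[$name] = (int) $value;
            }
        } elseif (strlen($value) <= $rule['max']) {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

// Constructed sample input standing in for $_POST. 'is_admin' is a field the
// form never defined, and 'pwd' arrives as an array instead of a string.
$samplePost = array(
    'username' => 'alice',
    'pwd'      => array('unexpected'),
    'age'      => '31',
    'is_admin' => '1',
);

$clean = filterPost($samplePost, $spec);
var_dump($clean);

// Only whitelisted names exist in $clean, so extracting it cannot create or
// overwrite any other variable in scope, unlike extract($_POST).
extract($clean, EXTR_SKIP);
```

Because every whitelisted name is always present in the result, later code can test a field against false instead of calling isset() on each one.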
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

patrikG wrote:
which is a security hole (see: viewtopic.php?t=36903 )
That's what I said ;)