$_POST question
Posted: Thu Jan 05, 2006 6:22 am
by hame22
Hi, I have been wondering for a little while whether there is a quicker process of assigning variables to $_POST[] variables.
For example, I have a form that produces 20 $_POST variables: $_POST['username'], $_POST['pwd']... etc.
At the moment I then do
$username = $_POST['username'] 20 times, which is very tiresome!!
Is there a quicker way I can do this process??
Thanks all
Posted: Thu Jan 05, 2006 6:57 am
by JayBird
It is best to do it that way, it is more secure, but if you are lazy, you could just do...
Posted: Thu Jan 05, 2006 7:33 am
by patrikG
Pimptastic wrote: it is best to do it that way, it is more secure, but if you are lazy, you could just do...
which is a security hole (see: viewtopic.php?t=36903).
Always, always, always, always filter user-input by only allowing what you expect as input and nothing else. Otherwise, you're leaving the door to a couple of days in hell wide open.

Posted: Thu Jan 05, 2006 7:48 am
by feyd
I will often create a whitelist for post handling. The whitelist contains the names of elements, along with types and may contain size limiters, if needed.. but that can be overcomplicated (sorta) for some.. a simple whitelist would be, like patrik suggested, just a filter based on the element names. Here's the quick and untested idea:
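Code:
// Return true only for element names that are on the whitelist.
// Strict comparison keeps a numeric key such as 0 from loosely matching a string.
function postFilter($elementName) {
    $whitelist = array('ab', 'ac', 'ag', 'bf');
    return in_array($elementName, $whitelist, true);
}
// ARRAY_FILTER_USE_KEY (PHP 5.6+) passes each key, not its value, to the callback.
$cleanedPost = array_filter($_POST, 'postFilter', ARRAY_FILTER_USE_KEY);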
After you've cleaned the post data, you can use a separate function to extract out all the fields. I would suggest using the whitelist again so it can create variables for missing data so you don't have to deal with checking if the variable exists, but simply that it wasn't in the stream (set to false, since data in the post will be strings, numbers or arrays of the same).
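The whitelist with types and size limits that feyd describes, written out as an added example (not part of the original thread and not feyd's code). The function name extractPost, the fields age, email and is_admin, and all size limits are assumptions made for illustration.

```php
<?php
// Added example. Field names other than username and pwd, and all limits, are constructed.

function extractPost(array $post, array $whitelist): array
{
    $out = [];
    foreach ($whitelist as $name => $rule) {
        $out[$name] = false; // every whitelisted field exists; false means "not usable"
        if (!isset($post[$name]) || !is_string($post[$name])) {
            continue; // missing, or an array sent where a single value is expected
        }
        $value = $post[$name];
        if (strlen($value) > $rule['max']) {
            continue; // over the size limit for this field
        }
        switch ($rule['type']) {
            case 'int':
                $int = filter_var($value, FILTER_VALIDATE_INT);
                if ($int !== false) {
                    $out[$name] = $int;
                }
                break;
            case 'email':
                $out[$name] = filter_var($value, FILTER_VALIDATE_EMAIL);
                break;
            case 'string':
                // Reject control characters; escaping for SQL or HTML still happens at the point of use.
                if (!preg_match('/[\x00-\x1F\x7F]/', $value)) {
                    $out[$name] = $value;
                }
                break;
        }
    }
    return $out;
}

$whitelist = [
    'username' => ['type' => 'string', 'max' => 32],
    'pwd'      => ['type' => 'string', 'max' => 128],
    'age'      => ['type' => 'int',    'max' => 3],
    'email'    => ['type' => 'email',  'max' => 254],
];

// Constructed request data standing in for $_POST.
$samplePost = ['username' => 'hame22', 'pwd' => 'correct horse', 'age' => '27abc', 'is_admin' => '1'];

var_dump(extractPost($samplePost, $whitelist));
```

The keys of the returned array come only from the whitelist, so a request field such as is_admin can never become a variable in the calling script.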
Posted: Thu Jan 05, 2006 8:06 am
by JayBird
That's what I said
