First off - I understand the security implications of register_globals - please no lectures!
I have some forms that use variables that come in through the form. Rather than use $_REQUEST I think the stuff was written long ago and it uses $name instead.
I am using an environment that unsets globals so if I set "name" in the form it is not available in the script.
Is there a way that I could iterate through the $_REQUEST array and create a variable with the name of the key and the value? In other words...
When I encounter $_REQUEST['name'] I want to create a variable $name and give it the $_REQUEST['name'] value.
Possible?
register_globals workaround
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
For a little security, maybe something like this:
Code:
// assume that you have unset all globals previously
// define regex filters
$expected = array(
    'name' => '/[^a-zA-Z\-\ ]/',
    'age' => '/[^0-9]/',
    'date' => '/[^0-9\/]/',
);
// loop through expected params, filter value and assign to variable
// (the loop variable is $key, not $name, so it cannot clobber the $name created for the form field)
foreach ($expected as $key => $regex) {
    if (isset($_REQUEST[$key])) {
        $$key = preg_replace($regex, '', $_REQUEST[$key]);
    }
}
- stereofrog
- Forum Contributor
- Posts: 386
- Joined: Mon Dec 04, 2006 6:10 am
Re: register_globals workaround
flycast wrote: When I encounter $_REQUEST['name'] I want to create a variable $name and give it the $_REQUEST['name'] value.
Code:
extract($_REQUEST);
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Re: register_globals workaround
stereofrog wrote:
flycast wrote: When I encounter $_REQUEST['name'] I want to create a variable $name and give it the $_REQUEST['name'] value.
Code:
extract($_REQUEST);
I know this is the simplest way to do this, but allowing the user to inject any variables into the script that aren't properly initialized may open up security holes. I'd stick with arborint's suggestion of whitelisting the variable names you want.
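The two suggestions in this thread side by side, as an added example that is not code from any of the posters. The names `$request`, `is_admin`, `legacy_import()` and `whitelist_import()` are hypothetical, and the request data is constructed to stand in for `$_REQUEST`.

```php
<?php
// Constructed request data standing in for $_REQUEST (sample values).
$request = array(
    'name'     => "Ann O'Neil <b>",
    'age'      => '42abc',
    'is_admin' => '1',          // parameter the form never defined
    'date'     => array('x'),   // array where a string is expected
);

// Legacy pattern: the script assumes $is_admin is unset for normal users.
function legacy_import(array $request)
{
    extract($request);          // every request key becomes a local variable
    if (!isset($is_admin)) {
        $is_admin = false;      // never runs when the request supplies is_admin
    }
    return array('name' => $name, 'is_admin' => $is_admin);
}

// Whitelist pattern: only expected keys are imported, each through its filter.
function whitelist_import(array $request, array $expected)
{
    $clean = array();
    foreach ($expected as $key => $regex) {
        // Skip missing keys and non-string values such as date[]=x
        if (isset($request[$key]) && is_string($request[$key])) {
            $clean[$key] = preg_replace($regex, '', $request[$key]);
        }
    }
    return $clean;
}

// Same filters as the whitelist posted in the thread.
$expected = array(
    'name' => '/[^a-zA-Z\-\ ]/',
    'age'  => '/[^0-9]/',
    'date' => '/[^0-9\/]/',
);

// Imports everything, including the unexpected is_admin key.
var_dump(legacy_import($request));

// Imports only whitelisted string values, after filtering.
$clean = whitelist_import($request, $expected);
var_dump($clean);

// A legacy script that needs bare variables can extract the filtered array
// instead of $_REQUEST; is_admin is not in it, so it stays undefined here.
extract($clean);
var_dump(isset($is_admin));
```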