Manipulating $_POST: good or bad!?

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

Post Reply
StAn.666
Forum Newbie
Posts: 6
Joined: Fri Oct 29, 2004 9:07 am
Location: Bavaria, Germany

Manipulating $_POST: good or bad!?

Post by StAn.666 »

Hello there,

is it possible to alter the $_POST-Values (well, obviously it IS possible 'cause it works fine, but are there any security-problems?) like this:

Code: Select all

function check_values($ARR) {   
        $error = false;         
        $errortext = "";
                    
        $phone = ereg_replace("ї/,\, ]","",trim($ARRї"Phone"]));
        $phone = ereg_replace("-","",$phone);
        $fax = ereg_replace("ї/,\, ]","",trim($ARRї"Fax"]));
        $fax = ereg_replace("-","",$Fax);

        $_POST = array(
                "Anrede"          => $ARRї"Anrede"],
                "Name"            => trim($ARRї"Name"]),
                "Vorname"       => trim($ARRї"Vorname"]),
                "Titel"               => trim($ARRї"Titel"]),
                "Adresse"        => trim($ARRї"Adresse"]),
                "PLZ"              => trim($ARRї"PLZ"]),
                "Ort"               => trim($ARRї"Ort"]),
                "Phone"          => $phone,
                "Fax"               => $fax,
                "eMail"             => trim($ARRї"eMail"]),
                "Login"            => trim($ARRї"Login"]),
                "Pass"             => trim($ARRї"Pass"])
        );

        // the rest of the code doesn't matter
The purpose of this is to filter certain characters out of some fields after submitting a form and pass the altered $_POST-Array to another form...
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

You can if you want, but it means that you write over the original values that you may want to check later on in a script. Its probably a better idea to place the sanitized version of the POST and GET arrays into new arrays so that you still have the original incase you ever need it.
User avatar
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Why not just let the user submit to your action url - presumably a PHP file - and just do your filtering prior to letting anything be done with the data.

I think you just mixed up the description...

Security - need a bit more. Be aware of what each form field should be passing. If your form is going to pass a string, with a maxlen setting of 30, where special characters are not allowed - check all this on the other side.

Code: Select all

<?php
if(!is_string($data) || strlen($data) > 30 || etc. etc.)
{
    //bad data - the rules for this variable were broken
}
?>
I known its a dry subject but security issues and proper validation will save you heaps of problems if anyone takes a fancy to tampering with your urls or dreaming up extra POST data...:)
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

ive always thought it to be bad practice, and never do it.

when you access data from a superglobal, you expect it to be a certain way, (unmodified)

if you later come back to the script a year later, or someone else has to modify it, they will most likely assume the info
in the superglobals is unmodified. but if its modified, it could cause one helluva headache trying to debug it.
of course if the script is small this is less likely to happen, but why even do it if its potentialy bad?
its just one more thing to have to remember.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

I'd agree about making copy arrays: if you needed to redisplay a form it's best to echo out exactly what the user entered (after applying htmlspecialchars of course).

I've recently been using a Request object to store validated user input (ie filtered, copy arrays of GPC), as well as one or two other bits and pieces such as a boolean flag to show if the user is authorised to proceed with the current http request.
User avatar
protokol
Forum Contributor
Posts: 353
Joined: Fri Jun 21, 2002 7:00 pm
Location: Cleveland, OH
Contact:

Post by protokol »

One argument _for_ manipulating the array is to format data. You can clean up strings by using [php_man]trim[/php_man]() to remove extra whitespace, etc. which is nice when the user is filling out forms that he missed values in. Or if a value is just completely invalid, you can remove it from the array and bam, they have to re-enter it.
StAn.666
Forum Newbie
Posts: 6
Joined: Fri Oct 29, 2004 9:07 am
Location: Bavaria, Germany

so it's not really a problem, is it!?

Post by StAn.666 »

Thanx for your quick replies.

The purpose of all this is:
-----------------------------------------------
- function call: show_form()
The form is printed out

- User enters Personal Infomation into the form

-> SUBMIT (target is $PHP_SELF)
- the $_POST-Array is passed to a funtion called validate_input(). This funtion checkes all values and filters invalid characters (e.g. '",-/) out of vars like phone-number, etc. and puts them back into the Post-Array

-> if the input is invalid the function show_form is called again with the Post-Array as optional-Parameter.


This might be not very stylish :oops: but it doesn't damage anything or let's the load go up, does it!?
User avatar
protokol
Forum Contributor
Posts: 353
Joined: Fri Jun 21, 2002 7:00 pm
Location: Cleveland, OH
Contact:

Post by protokol »

It shouldn't 'damage' anything. People just have different opinions on design methods. If you can support your reasoning behind a method, then use it.
StAn.666
Forum Newbie
Posts: 6
Joined: Fri Oct 29, 2004 9:07 am
Location: Bavaria, Germany

Post by StAn.666 »

protokol wrote:It shouldn't 'damage' anything.
People just have different opinions on design methods. If you can support your reasoning behind a method, then use it.
That's what i wanted to hear! :lol:
User avatar
protokol
Forum Contributor
Posts: 353
Joined: Fri Jun 21, 2002 7:00 pm
Location: Cleveland, OH
Contact:

Post by protokol »

That doesn't mean that your code doesn't cause unexpected side effects. So make sure you analyze the flow and determine if such side-effects can occur.
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I think YAGNI and IKIFNI come into play here. Given that the request for PHP is so simple and focused (e.g. check predefined form vars and show the form or done) that I find 99% of the time I just don't need to every get to the original copies. If that's the case, why do the copy and use the extra memory. Just modify the superglobals and know that is an assumption of your app.

On the other hand, if you have a framework that for some reason needs the originals regularly then do the copy.
(#10850)
Post Reply