Page 1 of 1

Manipulating $_POST: good or bad!?

Posted: Mon Nov 29, 2004 11:41 am
by StAn.666
Hello there,

is it possible to alter the $_POST-Values (well, obviously it IS possible 'cause it works fine, but are there any security-problems?) like this:

Code: Select all

function check_values($ARR) {   
        $error = false;         
        $errortext = "";
                    
        $phone = ereg_replace("ї/,\, ]","",trim($ARRї"Phone"]));
        $phone = ereg_replace("-","",$phone);
        $fax = ereg_replace("ї/,\, ]","",trim($ARRї"Fax"]));
        $fax = ereg_replace("-","",$Fax);

        $_POST = array(
                "Anrede"          => $ARRї"Anrede"],
                "Name"            => trim($ARRї"Name"]),
                "Vorname"       => trim($ARRї"Vorname"]),
                "Titel"               => trim($ARRї"Titel"]),
                "Adresse"        => trim($ARRї"Adresse"]),
                "PLZ"              => trim($ARRї"PLZ"]),
                "Ort"               => trim($ARRї"Ort"]),
                "Phone"          => $phone,
                "Fax"               => $fax,
                "eMail"             => trim($ARRї"eMail"]),
                "Login"            => trim($ARRї"Login"]),
                "Pass"             => trim($ARRї"Pass"])
        );

        // the rest of the code doesn't matter
The purpose of this is to filter certain characters out of some fields after submitting a form and pass the altered $_POST-Array to another form...

Posted: Mon Nov 29, 2004 11:54 am
by kettle_drum
You can if you want, but it means that you write over the original values that you may want to check later on in a script. Its probably a better idea to place the sanitized version of the POST and GET arrays into new arrays so that you still have the original incase you ever need it.

Posted: Mon Nov 29, 2004 11:56 am
by Maugrim_The_Reaper
Why not just let the user submit to your action url - presumably a PHP file - and just do your filtering prior to letting anything be done with the data.

I think you just mixed up the description...

Security - need a bit more. Be aware of what each form field should be passing. If your form is going to pass a string, with a maxlen setting of 30, where special characters are not allowed - check all this on the other side.

Code: Select all

<?php
if(!is_string($data) || strlen($data) > 30 || etc. etc.)
{
    //bad data - the rules for this variable were broken
}
?>
I known its a dry subject but security issues and proper validation will save you heaps of problems if anyone takes a fancy to tampering with your urls or dreaming up extra POST data...:)

Posted: Mon Nov 29, 2004 1:55 pm
by rehfeld
ive always thought it to be bad practice, and never do it.

when you access data from a superglobal, you expect it to be a certain way, (unmodified)

if you later come back to the script a year later, or someone else has to modify it, they will most likely assume the info
in the superglobals is unmodified. but if its modified, it could cause one helluva headache trying to debug it.
of course if the script is small this is less likely to happen, but why even do it if its potentialy bad?
its just one more thing to have to remember.

Posted: Mon Nov 29, 2004 8:29 pm
by McGruff
I'd agree about making copy arrays: if you needed to redisplay a form it's best to echo out exactly what the user entered (after applying htmlspecialchars of course).

I've recently been using a Request object to store validated user input (ie filtered, copy arrays of GPC), as well as one or two other bits and pieces such as a boolean flag to show if the user is authorised to proceed with the current http request.

Posted: Tue Nov 30, 2004 9:15 am
by protokol
One argument _for_ manipulating the array is to format data. You can clean up strings by using [php_man]trim[/php_man]() to remove extra whitespace, etc. which is nice when the user is filling out forms that he missed values in. Or if a value is just completely invalid, you can remove it from the array and bam, they have to re-enter it.

so it's not really a problem, is it!?

Posted: Tue Nov 30, 2004 9:30 am
by StAn.666
Thanx for your quick replies.

The purpose of all this is:
-----------------------------------------------
- function call: show_form()
The form is printed out

- User enters Personal Infomation into the form

-> SUBMIT (target is $PHP_SELF)
- the $_POST-Array is passed to a funtion called validate_input(). This funtion checkes all values and filters invalid characters (e.g. '",-/) out of vars like phone-number, etc. and puts them back into the Post-Array

-> if the input is invalid the function show_form is called again with the Post-Array as optional-Parameter.


This might be not very stylish :oops: but it doesn't damage anything or let's the load go up, does it!?

Posted: Tue Nov 30, 2004 9:32 am
by protokol
It shouldn't 'damage' anything. People just have different opinions on design methods. If you can support your reasoning behind a method, then use it.

Posted: Tue Nov 30, 2004 10:16 am
by StAn.666
protokol wrote:It shouldn't 'damage' anything.
People just have different opinions on design methods. If you can support your reasoning behind a method, then use it.
That's what i wanted to hear! :lol:

Posted: Tue Nov 30, 2004 11:42 am
by protokol
That doesn't mean that your code doesn't cause unexpected side effects. So make sure you analyze the flow and determine if such side-effects can occur.

Posted: Tue Nov 30, 2004 2:54 pm
by Christopher
I think YAGNI and IKIFNI come into play here. Given that the request for PHP is so simple and focused (e.g. check predefined form vars and show the form or done) that I find 99% of the time I just don't need to every get to the original copies. If that's the case, why do the copy and use the extra memory. Just modify the superglobals and know that is an assumption of your app.

On the other hand, if you have a framework that for some reason needs the originals regularly then do the copy.