    #1
  1. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,688
    Rep Power
    171

    How can I generate "variable names" from posted data?


    Hello;

    I am trying to shorten the code below but I don't know the right way. I would appreciate a little bit of help. Thank you.



    My current code (parts):
    PHP Code:
    $ad_suburb = $this->input->post('ad_suburb') ? $this->input->post('ad_suburb') : "";
    $ad_address = $this->input->post('ad_address') ? $this->input->post('ad_address') : "";
    $ad_da = $this->input->post('ad_da') ? $this->input->post('ad_da') : "";

    #################
    #####And then######
    #################
    $this->smarty->assign("ad_suburb", $ad_suburb);
    $this->smarty->assign("ad_address", $ad_address);
    $this->smarty->assign("ad_da", $ad_da);
    I tried this which obviously failed:
    PHP Code:
    foreach($_POST as $value=>$row)
    {
        $.'$value' = $this->input->post('$value') ? $this->input->post('$value') : "";
    }
    Code:
     // print_r($_POST):
    Array
    (
        [ad_title] => titleee
        [search] => 21
        [ad_suburb] => suburb name
        [ad_address] => address
        [ad_da] => 30 December, 2012
        [altFormat] => 2012-12-30
        [ad_rent] => 321
        [ad_bond] => 111
        [ad_email] => ff@ww.lk
        [ad_phone] => 4444444444
        [ad_yob] => 2009
        [ad_sex] => m
        [ad_smoking_habbit] => smoker
    )
  2. #2
  3. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,688
    Rep Power
    171
    I managed to make it smaller but I am sure it can still be more optimized:
    PHP Code:
    if($_POST)
    {
        foreach($_POST as $var=>$row)
        {
            $this->smarty->assign($var, $this->input->post($var) ? $row : "");
        }
    }
    else
    {
        $this->smarty->assign("ad_title", "");
        $this->smarty->assign("ad_suburb", "");
        $this->smarty->assign("ad_address", "");
        $this->smarty->assign("ad_da", "");
        $this->smarty->assign("altFormat", "");
        $this->smarty->assign("ad_rent", "");
        $this->smarty->assign("ad_bond", "");
        $this->smarty->assign("ad_email", "");
        $this->smarty->assign("ad_phone", "");
        $this->smarty->assign("ad_yob", "");
        $this->smarty->assign("ad_sex", "");
        $this->smarty->assign("ad_smoking_habbit", "");
    }
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    Smarty can access the POST array directly with $smarty.post:

    http://www.smarty.net/docsv2/en/lang...les.smarty.tpl

    If that wasn't possible, you'd simply assign the whole POST array.
  6. #4
  7. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    Location
    North Yorkshire, UK
    Posts
    3,661
    Rep Power
    4124
    PHP Code:
    //very very poor practice
    foreach($_POST as $key => $val) {
        $$key = $val;
    }

    Let's say we have a variable called $i, and it has the value 42.

    Then we "import" the post variables like above.

    Let's say someone posted a value for i, so that $_POST['i'] = 87;

    This then overrides your original value for i.

    I hear you say that you'll be careful not to have forms posting values with keys that could interfere with your variables.

    To think like this is naive, ignorant and foolish.

    Anyone can post any values they like with any keys to any page on the web.

    This is an example of a security hole - you should only work with the user submitted values you need and are expecting.

    This is why we put anti-XSS and anti-XSRF methods in place, and my example code goes some way to compromising these safeguards.

    Comments on this post

    • Jacques1 agrees : You're absolutely right.
    I said I didn't like ORM!!! <?php $this->model->update($this->request->resources[0])->set($this->request->getData())->getData('count'); ?>

    PDO vs mysql_* functions: Find a Migration Guide Here

    [ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]
  8. #5
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    You're right, Northie, but do note that PHP actively encourages dumping user input into variables. I mean, register_globals has more or less died out, but extract() lives on and keeps being used.

    But since you don't need all this, anyway, it shouldn't be a problem here.
  10. #6
  11. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,294
    Rep Power
    9400
    Even more fun example of why $$var and extract() are bad:
    Code:
    <input type="hidden" name="_SESSION[username]" value="admin" />
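    The following is an added example, not code from this thread. It reproduces Northie's point from post #4 (a posted key named "i" replacing your own $i) and then shows the allowlist approach the thread recommends, with the nested "_SESSION" entry being what PHP builds from the hidden input in post #6. $posted, importEverything(), collectExpected() and EXPECTED_FIELDS are constructed for this example; $posted stands in for $_POST so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for $_POST: the form fields from the thread plus two
// hostile keys, "i" (Northie's example) and "_SESSION[username]" (post #6).
$posted = [
    'ad_title'  => 'titleee',
    'ad_suburb' => 'suburb name',
    'i'         => '87',
    '_SESSION'  => ['username' => 'admin'],
];

// The "very very poor practice" loop: every client-chosen key becomes a variable.
function importEverything(array $input): int
{
    $i = 42;                       // our own variable, as in Northie's example
    foreach ($input as $key => $val) {
        $$key = $val;              // the request's "i" silently replaces $i
    }
    return (int) $i;               // 87: the request won
}

// Allowlist alternative: only the fields this form is expected to carry, each
// defaulting to "". Unknown keys such as "i" and "_SESSION" are dropped, nothing
// becomes a variable, and the result is one array to hand to the template.
const EXPECTED_FIELDS = ['ad_title', 'ad_suburb', 'ad_address', 'ad_da'];

function collectExpected(array $input, array $expected): array
{
    $defaults = array_fill_keys($expected, '');
    $present  = array_intersect_key($input, $defaults);
    // Keep scalars only: a nested array (e.g. _SESSION[...]) cannot pose as a text field.
    $present  = array_filter($present, 'is_scalar');
    return array_merge($defaults, array_map('strval', $present));
}

var_dump(importEverything($posted));             // int(87)

$fields = collectExpected($posted, EXPECTED_FIELDS);
var_dump(array_key_exists('i', $fields));        // bool(false)
var_dump(array_key_exists('_SESSION', $fields)); // bool(false)
var_dump($fields['ad_address']);                 // string(0) "": not posted, so the default
print_r($fields);
```

    With CodeIgniter and Smarty the resulting array can be handed over in one call, since Smarty's assign() accepts an associative array ($this->smarty->assign($fields)); the point is that the set of keys is fixed by the code, never by the request.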
  12. #7
  13. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,688
    Rep Power
    171
    Originally Posted by Northie
    To think like this is naive, ignorant and foolish.

    Anyone can post any values they like with any keys to any page on the web.

    This is an example of a security hole - you should only work with the user submitted values you need and are expecting.

    This is why we put anti-XSS and anti-XSRF methods in place, and my example code goes some way to compromising these safeguards.
    Hello are you saying this is the most efficient and secure way of doing it?
    PHP Code:
    $ad_suburb = $this->input->post('ad_suburb') ? $this->input->post('ad_suburb') : "";
    $ad_address = $this->input->post('ad_address') ? $this->input->post('ad_address') : "";
    $ad_da = $this->input->post('ad_da') ? $this->input->post('ad_da') : "";
    Last edited by zxcvbnm; November 26th, 2012 at 10:05 PM.
  14. #8
  15. Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Sep 2002
    Location
    Seattle, U.S.A.
    Posts
    712
    Rep Power
    13
    Another way to do it, maybe a tad less tedious than what you wrote out, is to use a whitelist switch statement:

    PHP Code:
    foreach ($_POST as $key => $value) {
        switch( $key ) {
            case "ad_title":
            case "ad_suburb":
            case "ad_da":
                $this->smarty->assign( $key, $value );
                break;
            default:
                // this isn't whitelisted
                break;
        }
    }
  16. #9
  17. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Since nobody seems to read replies anymore, let me scream it out loud:

    SMARTY CAN ACCESS POST PARAMETERS (AND GET AND SERVER ...) DIRECTLY USING $smarty.post

    No need for loops, switches, whatever.

    Read the manual (and my replies from time to time).
  18. #10
  19. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,688
    Rep Power
    171
    Originally Posted by Jacques1
    Since nobody seems to read replies anymore, let me scream it out loud:

    SMARTY CAN ACCESS POST PARAMETERS (AND GET AND SERVER ...) DIRECTLY USING $smarty.post

    No need for loops, switches, whatever.

    Read the manual (and my replies from time to time).
    Hello Jacques. Thank you, I read and applied your reply. I was waiting until I do more research to make sure I've got it right. So far:
    Code:
    <input class="input_text" type="text" name="ad_bond" value="{if isset($smarty.post.ad_bond) }{$smarty.post.ad_bond}{/if}" />
    I assume the thread changed direction from its original.
    Cheers
  20. #11
  21. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    Location
    North Yorkshire, UK
    Posts
    3,661
    Rep Power
    4124
    What is the point of trying to extract your variables into the current scope? They exist in super global scope anyway.

    If you really really really want to extract them into your own code somewhere then use a registry class and tag/annotate/otherwise flag the variables to say that they came from GET, POST, SERVER, COOKIE, etc.

    Knowing where your variables came from is more important than you may think and is the first step in writing secure code.


    eg

    PHP Code:
    //quick, dirty and untested

    class Request {

        private $store = array();

        private static $instance;

        private function __construct() {

        }

        // Singleton accessor: the first call creates the registry, later calls return it.
        public static function Load() {
            if(!isset(self::$instance)) {
                self::$instance = new self();
            }

            return self::$instance;
        }

        // Store a whole input array under its source name ('GET', 'POST', ...).
        public function set($data, $type) {
            $this->store[$type] = $data;
        }

        // Fetch one key from a source, or the whole source array when no key is given.
        public function get($type, $key = false) {
            if($key) {
                return $this->store[$type][$key];
            }

            return $this->store[$type];
        }
    }

    Request::Load()->set($_GET, 'GET');
    Request::Load()->set($_POST, 'POST');
    Request::Load()->set($_SERVER, 'SERVER');
    Request::Load()->set($_COOKIE, 'COOKIE');
    Registry classes can be useful, but using them as a direct replacement for (super) global variables is discouraged.
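    An added example, not Northie's code: a small registry in the spirit of his Request class, extended with the tagging he describes. Every value is stored under the source it arrived from, a missing key yields a default instead of a notice, and originsOf() reports which sources supplied a given name. TaggedRequest, from(), originsOf() and the $sources array are constructed for this example; $sources stands in for $_GET, $_POST, $_COOKIE and $_SERVER.

```php
<?php
declare(strict_types=1);

final class TaggedRequest
{
    /** @var array<string, array<string, mixed>>  source => key => value */
    private array $store = [];

    public function __construct(array $sources)
    {
        foreach ($sources as $source => $data) {
            $this->store[strtoupper($source)] = $data;
        }
    }

    /** Read $key from one named source only; absent or non-scalar values give $default. */
    public function from(string $source, string $key, ?string $default = null): ?string
    {
        $value = $this->store[strtoupper($source)][$key] ?? null;
        return is_scalar($value) ? (string) $value : $default;
    }

    /** Which sources carried $key? More than one answer means the name is ambiguous. */
    public function originsOf(string $key): array
    {
        $found = [];
        foreach ($this->store as $source => $data) {
            if (array_key_exists($key, $data)) {
                $found[] = $source;
            }
        }
        return $found;
    }
}

// Constructed sample request: a token arrives both as a POST field and as a cookie.
$sources = [
    'GET'    => ['page' => '2'],
    'POST'   => ['ad_title' => 'titleee', 'ad_da' => '30 December, 2012', 'token' => 'abc'],
    'COOKIE' => ['token' => 'xyz'],
    'SERVER' => ['REQUEST_METHOD' => 'POST'],
];
$request = new TaggedRequest($sources);

var_dump($request->from('POST', 'ad_da'));          // string(17) "30 December, 2012"
var_dump($request->from('POST', 'ad_suburb', ''));  // string(0) "": not posted, default used
var_dump($request->from('COOKIE', 'ad_da'));        // NULL: present in POST, but we asked the cookie jar
var_dump($request->originsOf('token'));             // array("POST", "COOKIE"): same name from two places
```

    The benefit over a plain extract() is that a handler has to name the source it trusts for each value; an anti-XSRF check, for instance, compares from('POST', 'token') against the server-side value explicitly instead of accepting whichever "token" happens to be present.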
  22. #12
  23. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    @ zxcvbnm:

    You forgot the escaping.

    Apart from that, yes, that's the correct way.



    Regarding the discussion about variables:

    Even when it's not about values from POST, GET etc. (Northie already talked about that), I can't think of any situation where it might make sense to dynamically create loads of variables.

    It's cumbersome, potentially dangerous, can easily lead to naming conflicts, is hard to manage and "pollutes" the scope -- and what's the benefit? To save a few characters?

    When you have a lot of related data you need to save, just put it in an array.

    Comments on this post

    • Northie agrees
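    An added example, not code from the thread, showing the escaping Jacques1 says is missing from the template line in post #10: a posted value echoed back into value="..." must be HTML-escaped, otherwise a quote inside it ends the attribute early. inputField() and $posted are constructed for this example; $posted stands in for $_POST.

```php
<?php
declare(strict_types=1);

function inputField(string $name, string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
    // with U+FFFD instead of returning an empty string.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return sprintf(
        '<input class="input_text" type="text" name="%s" value="%s" />',
        htmlspecialchars($name, $flags, 'UTF-8'),
        htmlspecialchars($value, $flags, 'UTF-8')
    );
}

// Constructed posted data: the bond field contains quotes and an ampersand.
$posted = ['ad_bond' => 'one "month" & a half'];

echo inputField('ad_bond', $posted['ad_bond'] ?? ''), PHP_EOL;
// <input class="input_text" type="text" name="ad_bond" value="one &quot;month&quot; &amp; a half" />

echo inputField('ad_rent', $posted['ad_rent'] ?? ''), PHP_EOL;
// <input class="input_text" type="text" name="ad_rent" value="" />   (not posted: empty, no notice)
```

    In the Smarty template the same escaping is the escape modifier, i.e. {$smarty.post.ad_bond|escape} in place of {$smarty.post.ad_bond}; the `?? ''` above plays the role of the {if isset(...)} check in the thread's template line.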
  24. #13
  25. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,688
    Rep Power
    171
    Fellows;

    I understand there are some good reasons why it is not a good idea to have dynamic variable names, thank you.

    I wonder now, if I have 40 fields, do I have to do this for each posted value?
    PHP Code:
    $ad_suburb = $this->input->post('ad_suburb') ? $this->input->post('ad_suburb') : "";
    $ad_address = $this->input->post('ad_address') ? $this->input->post('ad_address') : "";
    $ad_da = $this->input->post('ad_da') ? $this->input->post('ad_da') : "";
    .
    .

    Thanks
  26. #14
  27. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by zxcvbnm
    I wonder now, if I have 40 fields, do I have to do this for each posted value?
    Why do you even want to do that in the first place? What's the point of putting every value $this->input->post('xyz') into a variable $xyz?

    Sure, the latter is 21 characters shorter. So what? If you're using a proper IDE, you have autocomplete, anyway.

    So my question would be: Do you have an actual reason to put every POST value into a variable instead of simply accessing $this->input directly? Or isn't this rather a kind of bad habit?
  28. #15
  29. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    Location
    North Yorkshire, UK
    Posts
    3,661
    Rep Power
    4124
    Maybe it's a good design practice for CodeIgniter, but what's wrong with using $_POST['ad_da'] when you need it?

    Or, as Jacques1 has repeatedly said, using $smarty.post.ad_da ????