How can I generate "variable names" from posted data?

Dev Shed Forums Sponsor:

November 26th, 2012, 03:43 AM

zxcvbnm

A Change of Season

Dev Shed Intermediate (1500 - 1999 posts)

Join Date: Mar 2004

Posts: 1,672

Time spent in forums: 2 Weeks 5 Days 17 h 10 m 32 sec
Reputation Power: 71

How can I generate "variable names" from posted data?

Hello;

I am trying to shorten the code below but I don't know the right way. I appreciate little bit of help. Thank you.

My current code (parts):

PHP Code:


		
			
 $ad_suburb = $this->input->post('ad_suburb') ? $this->input->post('ad_suburb') : ""; 

$ad_address = $this->input->post('ad_address') ? $this->input->post('ad_address') : ""; 

$ad_da = $this->input->post('ad_da') ? $this->input->post('ad_da') : ""; 



#################

#####And then######

#################

$this->smarty->assign("ad_suburb", $ad_suburb);

$this->smarty->assign("ad_address", $ad_address);

$this->smarty->assign("ad_da", $ad_da);

I tried this which obviously failed:

PHP Code:


		
			
foreach($_POST as $value=>$row)

    {

        $.'$value'= $this->input->post('$value') ? $this->input->post('$value') : ""; 

    }

Code:

 // print_r($_POST):
Array
(
    [ad_title] => titleee
    [search] => 21
    [ad_suburb] => suburb name
    [ad_address] => address
    [ad_da] => 30 December, 2012
    [altFormat] => 2012-12-30
    [ad_rent] => 321
    [ad_bond] => 111
    [ad_email] => ff@ww.lk
    [ad_phone] => 4444444444
    [ad_yob] => 2009
    [ad_sex] => m
    [ad_smoking_habbit] => smoker
)

November 26th, 2012, 05:20 AM

zxcvbnm

A Change of Season

Join Date: Mar 2004

Posts: 1,672

Time spent in forums: 2 Weeks 5 Days 17 h 10 m 32 sec
Reputation Power: 71

I managed to make it smaller but I am sure it can still be more optimized:

PHP Code:


		
			
if($_POST)

    {

        foreach($_POST as $var=>$row)

            {

                $this->smarty->assign($var, $this->input->post($var) ? $row : "");

            }

    }

else

    {

        $this->smarty->assign("ad_title", "");

        $this->smarty->assign("ad_suburb", "");

        $this->smarty->assign("ad_address", "");

        $this->smarty->assign("ad_da", "");

        $this->smarty->assign("altFormat", "");

        $this->smarty->assign("ad_rent", "");

        $this->smarty->assign("ad_bond", "");

        $this->smarty->assign("ad_email", "");

        $this->smarty->assign("ad_phone", "");

        $this->smarty->assign("ad_yob", "");

        $this->smarty->assign("ad_sex", "");

        $this->smarty->assign("ad_smoking_habbit", ""); 

    }

November 26th, 2012, 07:03 AM

Jacques1

pollyanna

Join Date: Jul 2012

Location: Germany

Posts: 2,033

Time spent in forums: 1 Month 2 Weeks 6 Days 20 h 59 m 13 sec
Reputation Power: 812

Hi,

Smarty can access the POST array directly with $smarty.post:

http://www.smarty.net/docsv2/en/lan...bles.smarty.tpl

If that wasn't possible, you'd simply assign the whole POST array.

November 26th, 2012, 09:11 AM

Northie

Square Peg in a Round Hole

Join Date: Oct 2007

Location: North Yorkshire, UK

Posts: 3,439

Time spent in forums: 3 Weeks 5 Days 14 h 20 m 45 sec
Reputation Power: 3896

PHP Code:


		
			
//very very poor practice

foreach($_POST as $key => $val) {

    $$key = $val;

}

lets say we have a variable called $i, and it has the value 42;

Then we "import" the post variables like above

lets say someone posted a value for i, so that $_POST['i'] = 87;

this then over rides your original value for i.

I hear you say that you'll be careful not to have forms posting values with keys that could interfere with your variables.

To think like this is naive, ignorant and foolish.

Anyone can post any values they like with any keys to any page on the web

This is an example of a security hole - you should only work with the user submitted values you need and are expecting.

This is why we put anti XSS and anti XSRF methods in place and my example code goes some way to compromising these safeguards

Comments on this post

Jacques1 agrees: You're absolutely right.

__________________
PHP OOPS! <?php Output::Render(DB::Execute(SQL::makeFrom($_GET),$_GET)->fetchArray(),Template::getInstance('default')); ?>

PDO vs mysql_* functions: Find a Migration Guide Here

[ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]

November 26th, 2012, 10:11 AM

Jacques1

pollyanna

Join Date: Jul 2012

Location: Germany

Posts: 2,033

Time spent in forums: 1 Month 2 Weeks 6 Days 20 h 59 m 13 sec
Reputation Power: 812

You're right, Northie, but do note that PHP actively encourages dumping user input into variables. I mean, register_globals has more or less died out, but extract() lives on and keeps being used.

But since you don't need all this, anway, it shouldn't be a problem here.

November 26th, 2012, 12:12 PM

requinix

Still alive

Dev Shed God 16th Plane (12500 - 12999 posts)

Join Date: Mar 2007

Location: Washington, USA

Posts: 12,867

Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1

Time spent in forums: 5 Months 1 Week 5 Days 6 h 11 m 57 sec
Reputation Power: 8977

Send a message via Google Talk to requinix

Even more fun example of why $$var and extract() are bad:

Code:

<input type="hidden" name="_SESSION[username]" value="admin" />

__________________
Site rules and FAQ | Project Suggestions | mod_rewrite guide | PHP New User Guide and FAQ - PHP Stickies | Regex Resources

November 26th, 2012, 08:25 PM

zxcvbnm

A Change of Season

Join Date: Mar 2004

Posts: 1,672

Time spent in forums: 2 Weeks 5 Days 17 h 10 m 32 sec
Reputation Power: 71

Quote:

Originally Posted by Northie

To think like this is naive, ignorant and foolish.

Anyone can post any values they like with any keys to any page on the web

This is an example of a security hole - you should only work with the user submitted values you need and are expecting.

This is why we put anti XSS and anti XSRF methods in place and my example code goes some way to compromising these safeguards

Hello are you saying this is the most efficient and secure way of doing it?

PHP Code:


		
			
 $ad_suburb = $this->input->post('ad_suburb') ? $this->input->post('ad_suburb') : ""; 

$ad_address = $this->input->post('ad_address') ? $this->input->post('ad_address') : ""; 

$ad_da = $this->input->post('ad_da') ? $this->input->post('ad_da') : "";

Last edited by zxcvbnm : November 26th, 2012 at 09:05 PM.

November 26th, 2012, 11:48 PM

msteudel

Contributing User

Join Date: Sep 2002

Location: Seattle, U.S.A.

Posts: 712

Time spent in forums: 4 Days 11 h 4 m 59 sec
Reputation Power: 11

Another way to do it, maybe a tad less tedious as what you wrote out is to use a whitelist switch statement:

PHP Code:


		
			
foreach ($_POST as $key => $value) {

            switch( $key ) {

                case "ad_title":

                case "ad_suburb":

                case "ad_da":

                    $this->smarty->assign( $key, $value );

                    break;;

                default:

                    // this isnt whitelisted

                    break;

            }

        }

November 27th, 2012, 12:30 AM

Jacques1

pollyanna

Join Date: Jul 2012

Location: Germany

Posts: 2,033

Time spent in forums: 1 Month 2 Weeks 6 Days 20 h 59 m 13 sec
Reputation Power: 812

Since nobody seems to read replies anymore, let me scream it out loud:

SMARTY CAN ACCESS POST PARAMETERS (AND GET AND SERVER ...) DIRECTLY USING $smarty.post

No need for loops, switches, whatever.

Read the manual (and my replies from time to time).

#10

November 27th, 2012, 12:35 AM

zxcvbnm

A Change of Season

Join Date: Mar 2004

Posts: 1,672

Time spent in forums: 2 Weeks 5 Days 17 h 10 m 32 sec
Reputation Power: 71

Quote:

Originally Posted by Jacques1

Hello Jacques. Thank you, I read and applied your reply. I was waiting until I do more research to make sure I've got it right. So far:

Code:

<input class="input_text" type="text" name="ad_bond" value="{if isset($smarty.post.ad_bond) }{$smarty.post.ad_bond}{/if}" />

I assume the thread changed direction from it's original.
Cheers

#11

November 27th, 2012, 03:22 AM

Northie

Square Peg in a Round Hole

Join Date: Oct 2007

Location: North Yorkshire, UK

Posts: 3,439

Time spent in forums: 3 Weeks 5 Days 14 h 20 m 45 sec
Reputation Power: 3896

What is the point of trying to extract your variables into the current scope? They exist in super global scope any way.

If you really really really want to extract them into your own code somewhere then use a registry class and tag/annotate/otherwise flag the variables to say that they came from GET, POST, SERVER, COOKIE, etc.

Knowing where your variables came from is more important than you may think and is the first step in wring secure code

eg

PHP Code:


		
			
//quick, dirty and untested



class Request {



    private $store = array();

    

    private static $instance;

    

    private function __construct() {

    

    }

    

    public static function Load() {

        if(!isset(self::$instance)) {

            self::$instance = new __CLASS__;

        }

        

        return self::$instance;

    }

    



    public function set($data,$type) {

        $this->store[$type] = $data;

    }



    public function get($type,$key=false) {

        if($key) {

            return $this->store[$type][$key]

        }

    

        return $this->store[$type];

    }

}



Request::Load()->set($_GET,'GET');

Request::Load()->set($_POST,'POST');

Request::Load()->set($_SERVER,'SERVER');

Request::Load()->set($_COOKIE,'COOKIE');

Registry classes can be useful, but using them as a direct replacement for (super) global variables is discouraged

#12

November 27th, 2012, 03:47 AM

Jacques1

pollyanna

Join Date: Jul 2012

Location: Germany

Posts: 2,033

Time spent in forums: 1 Month 2 Weeks 6 Days 20 h 59 m 13 sec
Reputation Power: 812

@ zxcvbnm:

You forgot the escaping.

Apart from that, yes, that's the correct way.

Regarding the discussion about variables:

Even when it's not about values from POST, GET etc. (Northie already talked about that), I can't think of any situation where it might make sense to dynamically create loads of variables.

It's cumbersome, potentially dangerous, can easily lead to naming conflicts, is hard to manage and "pollutes" the scope -- and what's the benefit? To save a few characters?

When you have a lot of related data you need to save, just put it in an array.

Comments on this post

Northie agrees!

#13

November 27th, 2012, 08:01 AM

zxcvbnm

A Change of Season

Join Date: Mar 2004

Posts: 1,672

Time spent in forums: 2 Weeks 5 Days 17 h 10 m 32 sec
Reputation Power: 71

Fellows;

I understand there are some good reasons why it is not a good idea to have dynamic variable names, thank you.

I wonder now, if I have 40 fields, do I have to do this for each posted value?

PHP Code:


		
			
 $ad_suburb = $this->input->post('ad_suburb') ? $this->input->post('ad_suburb') : ""; 

$ad_address = $this->input->post('ad_address') ? $this->input->post('ad_address') : ""; 

$ad_da = $this->input->post('ad_da') ? $this->input->post('ad_da') : "";

.

.

.

Thanks

#14

November 27th, 2012, 08:22 AM

Jacques1

pollyanna

Join Date: Jul 2012

Location: Germany

Posts: 2,033

Time spent in forums: 1 Month 2 Weeks 6 Days 20 h 59 m 13 sec
Reputation Power: 812

Quote:

Originally Posted by zxcvbnm

I wonder now, if I have 40 fields, do I have to do this for each posted value?

Why do you even want to do that in the first place? What's the point of putting every value $this->input->post('xyz') into a variable $xyz?

Sure, the latter is 21 characters shorter. So what? If you're using a proper IDE, you have autocomplete, anyway.

So my question would be: Do you have an actual reason to put every POST value into a variable instead of simply accessing $this->input directly? Or isn't this rather a kind of bad habit?

#15

November 27th, 2012, 08:52 AM

Northie

Square Peg in a Round Hole

Join Date: Oct 2007

Location: North Yorkshire, UK

Posts: 3,439

Time spent in forums: 3 Weeks 5 Days 14 h 20 m 45 sec
Reputation Power: 3896

maybe its a good design practice for code igniter, but what's wrong with using $_POST['ad_da'] when you need it?

Or, as Jacques1 has repeatedly said, using $smarty.post.ad_da ????

How can I generate "variable names" from posted data?

Developer Shed Advertisers and Affiliates