Correct way to update code

Posted: Wed Jun 02, 2010 7:48 pm

I need to update the following code and would like the pro's opinions on the best way.... Smile

Code:

if($HTTP_POST_VARS) {


   foreach($HTTP_POST_VARS as $Key=>$Value) {


      $$Key = $Value;


   }


}





if($HTTP_COOKIE_VARS) {


   foreach($HTTP_COOKIE_VARS as $Key=>$Value) {


      $$Key = $Value;


   }


}





if($HTTP_GET_VARS) {


   foreach($HTTP_GET_VARS as $Key=>$Value) {


      $$Key = $Value;


   }


}





if($HTTP_SERVER_VARS) {


   foreach($HTTP_SERVER_VARS as $Key=>$Value) {


      $$Key = $Value;


   }


}





if($HTTP_ENV_VARS) {


   foreach($HTTP_ENV_VARS as $Key=>$Value) {


      $$Key = $Value;


   }


}

Should it be the following:

Code:

if(isset($_POST))   foreach($_POST   as $Key=>$Value) $$Key = $Value;

or should it be:

Code:

if($_POST)   foreach($_POST   as $Key=>$value) $$Key = $Value;

I only picked one out of the list and will change all to the correct style. Thank you..... Smile

Posted: Wed Jun 02, 2010 8:17 pm

I think $_POST is inherently set so you don't have to do an if statement at all. Just do the foreach loop.

Posted: Thu Jun 03, 2010 4:00 am

humm, will give that a go.....thanks Palbin.... Smile

Posted: Thu Jun 03, 2010 1:57 pm

If a form field is a checkbox and it is not filled out, no POST data is available for it to the receiving program. I don't know if this means that $_POST will not be set if the only field on the form was a checkbox. It would be worth verifying.

More to the point however, while the foreach loop can be very useful as diagnostic tool in developing a program to validate form input because you can see exactly what form fields are getting set and what they are set with, by the time you are ready to move into "production" you should be explicitly testing each form field and validating it for containing only the data it should contain. I'd say something like:

Code:




[if (isset($_POST['field1'])) {


  validate it


}

for each field. The validate it part should be the narrowest possible definition of the field. So, for instance, if it's an integer field you should validate for that. If it's supposed to be an integer between 1 and 100 validate for that. If it's text but html is not allowed validate that.

If there is anything showing up in your $_POST data that isn't from a legitimate field on your form you can be pretty sure someone has hacked your form (though our CSRF does a good job of preventing that). Likewise, if you have a text field on your form and it is not coming over as $_POST data you know that something has gone amiss with the form.

Posted: Mon Jun 07, 2010 4:19 pm

I personally would use the following:

Code:




if(isset($_POST) AND (count($_POST) > 0)){


  extract($_POST, EXTR_PREFIX_ALL, "post");


  unset($_POST);


}

if you're wondering why I put the option to prefix everything, it's simple, stop it from overwriting existing variables.