Trying to turn the field names of $_POST[] into variables. This is what I have, but PHP is giving me this error:

Parse error: parse error, unexpected $ in process.php on line 316

foreach ($_POST as $name => $value) {
    $value = strip_tags($value);
    $$name = $value;
}

where $ declares the variable and the $name next to it is the name of the field coming from $_POST[].

What's a better approach to doing this?

    extract() (see the PHP manual)

    Note that using the POST'd names as the variable names is a security risk; anyone can overwrite variables you've set in the script by doing so. A better way would be to fix your function and prepend "post_" to the variable name, like so:

    foreach ($_POST as $name => $value) {
        ${'post_' . $name} = strip_tags($value);
    }

    EDIT: Woopsie.. forgot to add the 'post_' part!

      // Stand-in request data so the snippet can be run from the command line.
      $_POST['test1'] = '<b>Hello</b>';
      $_POST['test2'] = '<i>World</i>';

      // Strip tags in place, then import every key as $post_<name>.
      foreach ($_POST as $name => $value) {
          $_POST[$name] = strip_tags($value);
      }
      extract($_POST, EXTR_PREFIX_ALL, 'post');

      echo $post_test1 . '<br />';
      echo $post_test2 . '<br />';

      Edit: Oops. Index name corrected.

        Ha. Never used extract; I always declared variables as I needed them to avoid overwriting or malicious injections. Guess I need to read the manual more 😉

          Originally posted by bradgrafelman:

          extract() (see the PHP manual)

          Note that using the POST'd names as the variable names is a security risk; anyone can overwrite variables you've set in the script by doing so.

          How is that possible?

            Well, if you are using a variable name that is only set if a certain condition is met (i.e., if logged in, $authenticate_user = "yes"), yet you do not declare it as a variable otherwise, then all the user would have to do is prepend file.php?authenticate_user=yes and then he would have access.

            Or something similar, I believe

            Probably should get rid of extract($_POST); extract($_GET); in all of my code, eh? Lol.
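The overwrite that bradgrafelman warns about and the $authenticate_user scenario described just above, as an added example that is not code from this thread. It runs from the command line: $_POST is filled in by hand to stand in for a real request, and check_login() is a stub that always fails (both are assumptions made for the demo). The third function goes a step beyond the thread's EXTR_PREFIX_ALL fix and reads only an allowlist of expected field names, so unexpected keys never become variables at all.

```php
<?php
// Added example, not from the original thread. Shows what a bare extract($_POST)
// can overwrite, and two ways to keep request keys out of the script's own scope.

// Constructed request data: 'username' and 'comment' are the form's real fields;
// 'authenticate_user' is a key an attacker added to the request body.
$_POST = [
    'username'          => 'alice',
    'comment'           => '<b>hi</b><script>alert(1)</script>',
    'authenticate_user' => 'yes',
];

// Stub for the thread's "only set when a condition is met" pattern.
// Assumption: the login check fails, so $authenticate_user is never set by the script.
function check_login(array $post): bool
{
    return false;
}

// 1. Unsafe: bare extract() turns the attacker's key into $authenticate_user.
function unsafe_extract(array $post): string
{
    if (check_login($post)) {
        $authenticate_user = 'yes';
    }
    extract($post); // every request key becomes a local variable, overwriting existing ones
    return (isset($authenticate_user) && $authenticate_user === 'yes')
        ? 'admin page'
        : 'login page';
}

// 2. Prefixed: EXTR_PREFIX_ALL imports the key as $post_authenticate_user, which the
//    check never consults, so the request cannot reach $authenticate_user.
function prefixed_extract(array $post): string
{
    if (check_login($post)) {
        $authenticate_user = 'yes';
    }
    foreach ($post as $name => $value) {
        $post[$name] = strip_tags((string) $value);
    }
    extract($post, EXTR_PREFIX_ALL, 'post');
    return (isset($authenticate_user) && $authenticate_user === 'yes')
        ? 'admin page'
        : 'login page';
}

// 3. Allowlist: read only the fields the form is known to have. Unknown keys are
//    dropped and missing keys get an explicit default, so nothing surprising appears.
function allowlisted_fields(array $post, array $expected): array
{
    $fields = [];
    foreach ($expected as $name) {
        $fields[$name] = isset($post[$name]) ? strip_tags((string) $post[$name]) : '';
    }
    return $fields;
}

echo "bare extract():      ", unsafe_extract($_POST), "\n";
echo "EXTR_PREFIX_ALL:     ", prefixed_extract($_POST), "\n";
$fields = allowlisted_fields($_POST, ['username', 'comment']);
echo "allowlisted comment: ", $fields['comment'], "\n";
echo "attacker key kept?   ", var_export(array_key_exists('authenticate_user', $fields), true), "\n";
```

With the constructed request, only the bare extract() takes the admin branch; the prefixed and allowlisted versions land on the login page, and the allowlist never sees the attacker's key. Note that strip_tags() only removes tags; it is not output encoding, so values that end up in HTML still need htmlspecialchars() at the point of output.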

              No. Just use the solution that's been mentioned above, using EXTR_PREFIX_ALL in extract() to prepend a keyword to all variables.

                Also, "extract()" returns the number of variables extracted,

                [deprecated]
                so for a bit of extra checking you could do this:

                $expected_num = 2; // assumption: the form is known to have two fields
                $extracted_num = extract($_POST, EXTR_PREFIX_ALL, 'post');
                if ($extracted_num != $expected_num) {
                    exit('Uh oh, Beaver...');
                }

                [/deprecated]

                  Except, every time he changes the layout/form/etc. he would have to remember to reset that number in the script 🙁

                    True, but still, he would have to either remember how many in total were added/removed, or he'd have to submit a dummy form to see how many elements came through, etc. every time he changed something.

                    Realistically, it always seemed like it was easier just to prepend the POST/GET names with a keyword and just extract() 'em all, so I can use the ones I want in my script and don't have to worry about any others.
