$http_get_vars and $http_post_vars

jessette58

Can anyone help me explain what these two codes do on the program...

extract($http_post_vars);
extract($http_get_vars);

I appreciate if anyone could post an example of how it can be useful.

Thanks

bpat1434

Well, it takes all the variable => value pairs in the $HTTP_POST_VARS global array and makes variables with values. Same thing with $HTTP_GET_VARS.
[man]extract/man

I.e.

<?php
$HTTP_POST_VARS = array('name' => 'jessette58', 
        'website' => 'PHP Builder', 
        'PostCount' => '1', 
        'PostTitle' => '$http_get_vars and $http_post_vars');

extract($HTTP_POST_VARS);

echo 'Name: '.$name.'<br>
    Website: '.$website.'<br>
    Post Count: '.$PostCount.'<br>
    PostTitle: '.$PostTitle;
?>

That will give you:

Name: jessette58
Website: PHP Builder
Post Count: 1
PostTitle: $http_get_vars and $http_post_vars

~Brett

jessette58

Thank you very much 🙂

I have a sample program that I'm studying and here's the code

<?php
extract($HTTP_GET_VARS);
extract($HTTP_POST_VARS);
?>
<HTML><HEAD><TITLE>E-Dating System Administration Panel</TITLE>
<META content="MSHTML 6.00.2479.6" name=GENERATOR>
<LINK
href="style.css"
type=text/css rel=stylesheet>
</HEAD>

Can you tell me why it started with $http_get_vars) and $http_post_vars?

bpat1434

It starts that way so that all the get & post variables, are then local and easier to call.

The script also probably uses the variables later on...

~Brett

jessette58

Thanks a lot for all the help Brett

ClarkF1

$HTTP_GET_VARS and $HTTP_POST_VARS are deprecated and have been replaced by the superglobals $GET and $POST respectively.

You should be using those instead. The extract function will still work on them.

scrupul0us

you should never use extract on those superglobals:

php.net wrote:
Do not use extract() on untrusted data, like user-input ($_GET, ...). If you do, for example, if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.

NogDog

It can be made relatively save if you use the additional parameters in any of number of ways, in order to ensure there are no collisions with other variables in your script.

<?php
extract($_POST, EXTR_PREFIX_ALL, 'POST');
?>

Then all your POST variables will be named in the format $POST_varname which should be safe, assuming you don't use that prefix for any other variables.

Alternatively, you can define what the possible variables can be, and use the EXTR_IF_EXISTS arg (but make sure this is done before any other variables are defined!):

<?php
// start of script
// define allowed variables from POST:
$varname1 = NULL;
$varname2 = NULL;
extract($_POST, EXTR_IF_EXISTS);
// will only extract $_POST['varname1'] and $_POST['varname2']
//

Personally, I find it just as easy to reference the values directly from the applicable super-global array, even if it means using curly braces, string concatenation, or whatever. It also has the added benefit of making it immediately obvious what the source of that variable is, which can be useful when you go to modify the code 6 months later.