auto $_GET['var'] to $var

atmorell

How can I dump all $GET varaibles and their value? - for debug.(submitted from a form). Allso - Is there a way to automatic extract/set all $GET['var'] submitted from a form? I want e.g. $GET['var'] to be converted to $var without having to type $var = $GET['var'];

Best regards.
Asbjørn Morell.

atmorell

Or is the a function/command that will walk through all set $_GET variables that has been submitted by a form.

atmorell

Wow this is done so easy!! 😉 Can easy be changed to POST.

foreach ($_GET as $var => $value) {
echo "$var = $value<br>";
}

bpat1434

Woops... nevermind... I'm an idiot...

atmorell

nice 🙂
why is it bad to do this? I don't pass security stuff through get! - Allways use sessions for that.

laserlight

You can use [man]extract/man, but beware that your scripts will be susceptible to variable poisoning. There is also [man]import_request_variables/man, which should be safer when used with an appropriate prefix.

Jack_McSlay

for debugging, use either print_r() or var_dump()

when you want to set data in an array to separate variables, use extract()

atmorell

what is variable poisoning? I would GET the variables anyway?

Jack_McSlay

if I'm not mistaken, variable poisoning would be allowing user to input vars in your script by passing them through $_GET.

for example, lets say there's a script http://localhost/get.php

<?php
$var = 'foo';

extract ($_GET);

echo $var;

?>

if the user types "http://localhost/get.php" it will output "foo" but if he puts "http://localhost/get.php?var=bar" it will output "bar", which could cause security leaks on your script.

I never used import_request_variables(), but you can work around the problem extract like this:

<?php
$var = 'foo';

extract ($_GET,EXTR_PREFIX_ALL,'pr');

echo $var;

?>

this will output "foo"regardless of what is passed through GET because the "var" parameter from $_GET will be set to $pr_var, not $var. I consider this one the safest option

but you could also consider:

<?php
$var = 'foo';

extract ($_GET,EXTR_SKIP);

echo $var;

?>

this will only set the variable if it hasn't already been defined, therefore, a "var" passet through $_GET will never be ser because the variable $var already exists. but then watch out for the use of isset(). if you need to use it, or any similar functions you should first use unset() in every var that is set later in your program to make sure the user didn't try to put it already.

atmorell

Thak you for your input. I will consider this.

Best regards.
Asbjørn Morell.

Jack McSlay wrote:
if I'm not mistaken, variable poisoning would be allowing user to input vars in your script by passing them through $_GET.

for example, lets say there's a script http://localhost/get.php
<?php
$var = 'foo';

extract ($_GET);

echo $var;

?>
if the user types "http://localhost/get.php" it will output "foo" but if he puts "http://localhost/get.php?var=bar" it will output "bar", which could cause security leaks on your script.

I never used import_request_variables(), but you can work around the problem extract like this:
<?php
$var = 'foo';

extract ($_GET,EXTR_PREFIX_ALL,'pr');

echo $var;

?>
this will output "foo"regardless of what is passed through GET because the "var" parameter from $_GET will be set to $pr_var, not $var. I consider this one the safest option

but you could also consider:
<?php
$var = 'foo';

extract ($_GET,EXTR_SKIP);

echo $var;

?>
this will only set the variable if it hasn't already been defined, therefore, a "var" passet through $_GET will never be ser because the variable $var already exists. but then watch out for the use of isset(). if you need to use it, or any similar functions you should first use unset() in every var that is set later in your program to make sure the user didn't try to put it already.

visualAd

My opinion. Don't go there!! $GET and $POST are super globals and are avialable in every function, class and scope. They are more convenient and safer than global variables.

If you do want all your request variables as globals then make sure you have the latest version of PHP 4 /5 and turn on register globals, as it has safe guards which can help protect agianst variable poisoning.

Alternativly, use an array to import only the variables you wish to use:

define('SAFE_VARS', array('username', 'password')); // list of vairables names which you WILL use

function safe_extract()
{
    foreach($_REQUEST as $name => $value) { // replace with the array you want GET | POST
        if (in_array($name, SAFE_VARS)) {
            $GLOBALS[$name] = $value;
        }
    }
}