Fast question? need advice

galaxyboss

Hi
Im writing a small CMS, I have fast quesiton regarding $POST $GET
im using
if(isset($GET['task']))
{
$task = $GET['task'];
}
else
{
$task = "";
}
to control a function there, its forms, many forms will be there
so am using again this method to get each var, but I am tring to find a solution, a good one
also I change the method to use :
extract($_POST); which many said not good, then I changed it to
extract($var_array, EXTR_PREFIX_SAME, "form_number");

but still need a good adive from a good php developber
what is the best solution to get $POST, $GET, ...in general globals.?

Many thanks
Samir

laserlight

Whatever you use, you still need to check if incoming variables exist, and perform some kind of validation on them.

[man]import_request_variables/man is probably better than extract() here in that you can specify a prefix so as to reduce the possibility of variable poisoning.

NogDog

The only benefit I see to import_request_variables() over extract() is that the variables it creates are in the global scope, whereas those created by extract are not. (And depending on your specific needs, this may in fact be a detriment.) Both extract() and import_request_variables() allow the assignment of a prefix to the variable name (the 3rd argument to extract()), while extract() has the added feature (via its second argument) to manage collisions with existing variables.

PS: Personally, I generally do not use either of them. I either just use the applicable $POST or $GET elements as needed, or explicitly convert them to other variables when that seems more useful.

galaxyboss

HI
thanl you both, laserlight & NogDog for nice tips,
the idea is am using class with multi function to create edit and add users from the system,
but with many parameters (all forms are POST method),
I need something to optimize teh forms, and make the class>function less and less lines...
I need to ask again about what do u think about disabled register_globals,
I saw some CMS prefer enable it, like joomla, is that safe?

NogDog

In a properly written script, register_globals is not a security issue, but it can be in certain circumstances. See http://us3.php.net/manual/en/security.globals.php for more info and examples.

In any case, it is best to write your scripts to not depend on register_globals, as all current versions of PHP 4 and 5 have it turned off by default, and there is a high probability that it will not even be an option in PHP 6.

Perhaps you could do something like:

$inputs = array(
   'name',
   'phone',
   'address1',
   'address2'
);
foreach($inputs as $input)
{
   ${$input} = (isset($_POST[$input])) ? $_POST[$input] : '';
}

At this point the variables $name, $phone, $address1, and $address2 would be defined and assigned the corresponding $_POST value if it is set.

galaxyboss

NogDog
thanks alot yes it very good solution,