Is this insecure ?

guischarf

Hello,

Could this --using dynamic variables to fill up a form-- have security issues ? This is an update form. A user logins to his account and gets back his data in "<form>", where he can update it.

I am checking all the data before it goes back to the BD.

<?php
$qry = "SELECT name, lastname [, ..., ...] FROM table WHERE id = 'someid' ";
$res = mysql_query($qry);

while ($row = mysql_fetch_assoc($res)):
    $records[] = $row
endwhile;

foreach ($records as $record):
   foreach($record as $key => $value)
      $thisvar = $key;
      $$thisvar = $value;
   endforeach;
endforeach;
?>

<form>
   <input name="name" value="<?php echo $name ?>">
   <input name="lastname" value="<?php echo $lastname?>">
   [...]
</form>

Tnx.

NogDog

<input name="name" value="<?php echo htmlentities($name, ENT_QUOTES); ?>">

Weedpacket

You're not relying on any user-supplied input to generate the page. More interesting would be how you process that.

Incidentally, if you only get one record, it's pointless to use a loop to do it.