Can someone explain how this works?

billyd

Excuse my dumbness, but I just don't get this bit of code. Am finding my way around php by the well-trodden route of dissecting other people's code to find out how it all works, and am sort of getting there. But this little routine, which I have come across several times, to take the names of the various form fields and turn them into php variables (i.e. so the input to form field 'foo' becomes $foo etc) - I just don't get how it works. Could someone be so kind as to explain it to me?

foreach($_POST as $thisvar => $thisval){
$thisval = $thisval;
$$thisvar = $thisval;
}

why the $thisval = $thisval?? What does that actually achieve?

and then, what is with the double $$ on the final line?

Very many thanks in advance....😕

djjjozsi

if you have a $POST superglobal:
$POST["username"]='123123123';
$_POST["password"]='1*****asdasd';

foreach($_POST as $key => $value){

	$$key = $value;
}

this litle code then make global variables from your $_POST superglobal. $$ means create a variable with the string after, in these cases $username and $password will be created. However this looks like pritty, one little trouble could happened:

$password="123";  //you can access as admin with this password

$_POST["user"]='123123123';
$_POST["pass"]='aaaaa';
/* The user then makes a form, and creates a new textfield with password as a variable name*/

foreach($_POST as $key => $value){

	$$key = $value;
}

//and woala, $password will gives new value, overwrite!

if( $password==$pass )
include("adminpanel.php");

this is bad. These is a better way to make this using the extract function:

$size = "large";
$color="red";
$var_array = array("color" => "blue",
                   "size"  => "medium",
                   "shape" => "sphere");
extract($var_array, EXTR_PREFIX_SAME, "wddx");

echo "$color, $size, $shape, $wddx_size\n";

from the php.net manual.

billyd

Hi - really appreciate your answer, many thanks - and yes, I can see what you're saying, that going with the super-global approach allows the bad guy to introduce variables into your script, possibly overwriting your own variables.

However, I absolutely couldn't follow what you then said about EXTRACT, and how that example would apply to getting the values from a form.

I am also still puzzled by the $thisval = $thisval;
line of code in the example I gave. Which I have seen used in several places. Is it necessary - does it actually achieve anything?

NogDog

The $thisval = $thisval; appears to be a redundant (and useless) piece of code, unless I'm missing something really sublime there. The $$thisvar is an example of a variable variable.

As the other reply points out, PHP has a built-in function for doing the same thing: [man]extract[/man]. PHP also has a similar function specifically for get/post/cookie inputs that emulates [man]register_globals[/man]: the [man]import_request_variables/man function.