Using $_POST values in required file

I’ve created the following function to dynamically create variables and sanitize the data for my database. I’d like to use this for several forms on my website; however, I’m having issues using this function in a require() file, although it works in the local files themselves.

foreach ($_POST as $key => $value) {
    $value = trim(mysql_real_escape_string($value));
    $$key = $value; // variable variable: creates $name, $email, ... from whatever keys the client sent
}

Is it because the $_POST values aren’t being posted to that specific file? Any help would be appreciated.

Where is the file you’re requiring? Is it on your own server?

BTW, extracting your variables like this is a bad idea.
Imagine you use a variable called $is_admin to check if a user is logged in as an admin, and I pass is_admin=1 in the _POST? Then I’m automatically an admin for your site/ app! :o
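The clobbering described above, as an added example that is not part of the original post. The request body is constructed, and the function names extractAllUnsafe and extractAllowed are hypothetical; the loop in the first function is the one from the question, the second is the allow-list version:

```php
<?php
// Added example (not from the thread): why `$$key = $value` over $_POST lets the
// client overwrite variables the script has already set, and the allow-list fix.
// The request body and the function names are constructed for illustration.

// Constructed request body: the form only has name and email; the attacker adds is_admin.
$_POST = array(
    'name'     => ' Emile ',
    'email'    => 'e@mail.com ',
    'is_admin' => '1',
);

// Vulnerable: the same loop as in the question. The check lives in the same scope
// as the loop, exactly as it would when the loop runs at file scope in a required file.
function extractAllUnsafe(array $input)
{
    $is_admin = false;                 // decided server-side, or so we think
    foreach ($input as $key => $value) {
        $$key = trim($value);          // creates $name and $email, and overwrites $is_admin
    }
    return (bool) $is_admin;           // the string '1' casts to true: the request made itself admin
}

// Safe: walk the allow-list, not the request, and return an array instead of
// injecting anything into the current scope. Unknown keys are dropped silently.
function extractAllowed(array $input, array $permitted)
{
    $clean = array();
    foreach ($permitted as $key) {
        if (isset($input[$key]) && is_string($input[$key])) {
            $clean[$key] = trim($input[$key]);
        }
    }
    return $clean;
}

$permitted = array('name', 'email');

var_dump(extractAllUnsafe($_POST));          // true: is_admin was overwritten from the request
print_r(extractAllowed($_POST, $permitted)); // only name and email survive
```

Note that the safe version loops over $permitted rather than over $_POST, so a key the form never defined can never reach the script at all, and the is_string check stops a client from turning a field into an array with name[]=x.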

If you created a function then maybe you better show us the rest of it.

If you are semi-automating the escaping and trimming of POST values then you should ideally only be actioning those which appear in a white-list, and you drop everything else, which would address Immerse’s point.

e.g. something like

$permitted = array('name', 'email');

foreach ($_POST as $key => $value) {
    if (in_array($key, $permitted)) {
        // do stuff with $key / $value; anything not in $permitted is simply dropped
    }
}

Sorry, it was a late night and I wasn’t thinking. Now that I look at it again, I’m guessing it’s a scope issue, because I didn’t even pass anything; I just assumed that since the file was included it would have access to the same global variables as the page.


function sanitize() {
    foreach ($_POST as $key => $value) {
        $value = trim(mysql_real_escape_string($value));
        $$key = $value; // inside a function these are local variables; they vanish when sanitize() returns
    }
}

Regarding Immerse’s point, is there really a need to only trim and escape the safe values when that’s all that’s being done to them in the function? I still access the variables independently for validation afterwards, but figured this would be a better way of cutting down on code for a long form rather than doing it for each form field independently.

So instead of doing

$email = trim(mysql_real_escape_string($_POST['email'])); 

for each field I can do it all at once. But I still check the values against regular expressions, etc. afterwards by calling the dynamically created variables $email, $fname, $lname, etc.

I understand the concern but I apologize if I’m not understanding how the risk would apply.

Here’s one way to kind of automate it and cover yourself by dropping stuff you don’t want, submit buttons and the like.


$permitted = array('name', 'email');

// stand-in for a real request (note the extra is_admin key)
$_POST = array(
    'email'    => 'e@mail.com   ',
    'name'     => ' Emile',
    'is_admin' => '1',
);

function prepForMysql($input, $permitted) {
    $output = array();
    foreach ($input as $key => $value) {
        if (in_array($key, $permitted)) {
            $output[$key] = trim($value);   // only white-listed keys are copied across
        }
    }
    return $output;
}

$trimmed_and_escaped = prepForMysql($_POST, $permitted);
print_r($trimmed_and_escaped);

//gives
//Array (
//[email] => e@mail.com
//[name] => Emile )

(add real_escape_string back in yourself, I don’t have mysql_* extensions installed)

It is not infrequent to see this array then being passed to some kind of sql query-builder to further automate the process. At some point you’d want to run the keys against a white list.

When you get to this stage though, you’d really want to investigate switching to mysqli or PDO and their “prepared statements” which present a more formal escaping method which you are less likely to forget to do.
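The two suggestions in the reply above, a white-listed key array and PDO prepared statements, combined into one runnable script. This is an added example, not code from the thread: the request body is constructed, prepForDb is a hypothetical name for the same filtering function, and an in-memory SQLite database stands in for MySQL so it runs offline (with MySQL only the DSN changes):

```php
<?php
// Added example (not from the thread): the allow-listed array fed to a PDO
// prepared statement instead of mysql_real_escape_string().
// Request body and function name are constructed; SQLite in memory replaces MySQL.

$permitted = array('name', 'email');

// Constructed request: an injection attempt in name, an extra key, and a submit button.
$_POST = array(
    'name'     => "Emile'); DROP TABLE users; --",
    'email'    => ' e@mail.com ',
    'is_admin' => '1',
    'submit'   => 'Save',
);

// Same idea as prepForMysql above, but driven by the white-list and with no escaping
// step at all: values are handed to the driver as bound parameters later.
function prepForDb(array $input, array $permitted)
{
    $output = array();
    foreach ($permitted as $key) {
        if (isset($input[$key]) && is_string($input[$key])) {
            $output[$key] = trim($input[$key]);
        }
    }
    return $output;
}

// For MySQL the DSN would be 'mysql:host=...;dbname=...' and you would also pass
// PDO::ATTR_EMULATE_PREPARES => false so the server, not the client, does the binding.
$pdo = new PDO('sqlite::memory:', null, null, array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

$row = prepForDb($_POST, $permitted);

// Column names come from $row's keys, which can only be entries of $permitted (our own
// constant), so they are safe to interpolate. Values never touch the SQL string.
$columns      = implode(', ', array_keys($row));
$placeholders = implode(', ', array_map(function ($k) { return ':' . $k; }, array_keys($row)));

$stmt = $pdo->prepare("INSERT INTO users ($columns) VALUES ($placeholders)");
$stmt->execute($row);   // the array keys become the named parameters :name and :email

// The quote and "DROP TABLE" are stored as ordinary text; the users table still exists.
print_r($pdo->query('SELECT name, email FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

The point of the split is that there is nothing left to forget: the white-list decides which column names may appear in the query, and the driver carries every value separately from the SQL text, so the escaping question never arises.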