saiya Posted September 17, 2010

I was making a form that is um... quite large and all inputs consist of the form looking like

```html
<input type="text" id="first_name" name="first_name" />
```

so instead of having to do

```php
$first_name = $_POST['first_name'];
```

and so on for every input, is there a way to grab every 'name' or 'id' from each input within the and apply to a variable of the same value of the 'name' or 'id'.

I was thinking of something like a foreach statement??

Any ideas?

EmpyreanUK Posted September 17, 2010

If I understand correctly, you want to create a variable for each of your form inputs, that is named after the ID and is assigned the value of that form element. Is that right? If so, this should do the trick:

```php
foreach($_POST as $form_name => $form_value) {
    $$form_name = $form_value;
}
```

saiya Posted September 17, 2010 (Author)

Are $form_name and $form_value key variables?

EmpyreanUK Posted September 17, 2010

Nope, you could change those to whatever you fancied, as long as you used the same variable names in the foreach() argument and inside the loop.

Edit: Sorry, just to clarify, by 'key variables' do you mean Superglobals?

saiya Posted September 17, 2010 (Author)

Oh well, I was going to say keywords but they were variables so I said key variables.

Just to clarify a bit more, what is the foreach function extracting? The 'name' or the 'id' value?

EmpyreanUK Posted September 17, 2010

> Oh well, I was going to say keywords but they were variables so I said key variables.
>
> Just to clarify a bit more, what is the foreach function extracting? The 'name' or the 'id' value?

Technically it's extracting the key of each line of the $_POST array. As far as I know (I could be wrong here) the keys are defined by the 'name' attribute. This is **** as I believe 'name' is deprecated in XHTML strict, but obviously you need it for passing the information on to PHP through the POST method.

To my mind the best solution is to do exactly what you're doing, which is to set both 'name' and 'id' attributes, and to set them to the same value. This way, you're more-or-less in line with the XHTML standard, you have IDs for DOM purposes, and you're still able to pass information to PHP.

C:Amie Posted September 17, 2010

Try

```php
import_request_variables('p', 'form_');
echo $form_name, $form_id;
```

The 'p' means the function enumerates all of the POST contents and prefixes the form widget with the string 'form_' i.e. $form_<widgetName>

saiya Posted September 17, 2010 (Author)

Just curious, but will this leave me to variable hijacking?

AnthonySterling Posted September 17, 2010

Hell. Yes.

The correct way is to use extract, but this will not solve the security issues you have. What are you trying to achieve? We know what you're trying to do, but not why. ;)

Using a whitelist of 'allowed' variables would be a slightly safer approach, but to be fair, you may as well just use $_POST['key'] and access them directly.

```php
<?php
// Names that may be turned into variables
$allowed = array(
    'email',
    'username',
);

foreach($_POST as $key => $value){
    if(in_array($key, $allowed)){
        // Variable variable: creates $email / $username
        $$key = $value;
    }
}
?>
```

saiya Posted September 17, 2010 (Author)

Well, I would traditionally have something like this

```php
<?
if(isset($_POST[''])) {
    $first_name = $_POST['first_name'];
    $last_name = $_POST['last_name'];
    $dob = $_POST['dob'];
    // etc...etc...
    mysql_query("INSERT INTO");
}
?>
```

but I'm trying to see if I can take on a new way to handle my form submissions... call me lazy :blush:

AnthonySterling Posted September 17, 2010

The benefits are negligible, stick to what you're doing until you have a proper reason to alter it. It's much safer. :D

Just a quick tip though, to check for 'POST', use:-

```php
<?php
if('POST' === $_SERVER['REQUEST_METHOD']){
    #is post
}
?>
```

saiya Posted September 18, 2010 (Author)

I was looking into the foreach method; this is what I came up with

```php
function filter($data) {
    // Strip tags, encode HTML entities, trim whitespace
    $data = trim(htmlentities(strip_tags($data)));
    // Undo magic quotes if they are enabled
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);
    // Escape for use in a MySQL query
    $data = mysql_real_escape_string($data);
    return $data;
}

foreach($_POST as $key => $value) {
    $data[$key] = filter($value);
    echo $value . '<br />';
}
```

Would this be secure?

Calculator Posted September 18, 2010

> I was looking into the foreach method; this is what I came up with
>
> Would this be secure?

It's not so much the post values which will get you into trouble, but the post keys since those may overwrite essential variables used in the rest of your code. For example, if you'd have a file called "db-connect.php":

```php
<?php
$db_host = "localhost";
$db_user = "root";
$db_pass = "password";
$db_name = "mydb";
// ...
?>
```

A malicious user could send a request to your main PHP file with a POST query:

```
firstname=Bill&lastname=Gates&db_user=otheruser&db_pass=otherpassword
```

With your code, this would generate the $firstname and $lastname variables but it would also overwrite the values of $db_user and $db_password and wreck the rest of your code.

Of course you should sanitize your POST values, but you also need a whitelist array of the variables which are allowed to be generated from the POST data. I propose you extend upon AnthonySterling's code:

```php
<?php
function filter($data) {
    // Strip HTML and stuff
    $data = htmlentities(trim(strip_tags($data)));
    // You really shouldn't be using magic quotes...
    // Best is to make sure it's disabled and add slashes when you actually need to
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    return $data;
}

// Whitelist array of allowed POST variable names
$allowed = array('first_name', 'last_name', 'dob');

if('POST' === $_SERVER['REQUEST_METHOD']) {
    foreach($_POST as $key => $value) {
        // Sanitize the keys and values
        $key = filter($key);
        $value = mysql_real_escape_string( filter($value) );
        // Make sure $key is allowed and won't overwrite other critical variables
        if(in_array($key, $allowed)) {
            // Note the double dollar sign for key: the value of $key is used as the name of the variable
            $$key = $value;
        }
    }
}
?>
```

EDIT: After having a better look at your last code, it looks like I missed that you're storing your sanitized values in a $data variable rather than making them variables.

This is secure enough, but how is this any different from just typing $_POST[$key]? You could just as easily work on the $_POST array itself instead of using a new $data variable:

```php
<?php
foreach($_POST as $key => $value) {
    $_POST[$key] = filter($value);
}
?>
```

I just don't see the point of doing this, you're just sanitizing the whole $_POST array... I assume you want to treat different values in different ways (strings, integers, booleans,...).
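
Added example, not part of the thread (PHP 7.4+ with pdo_sqlite assumed): a per-field rule table that acts as the whitelist discussed above and validates each value by type, keeping the result in an array instead of variables named after POST keys. It swaps in PDO bound parameters for mysql_real_escape_string; `valid_dob`, `form_rules`, `read_form` and the `people` table are hypothetical names.

```php
<?php
// Added example, not code from the thread. Field names come from the
// thread; the sample values and the SQLite table are constructed.

// Accept only real calendar dates written as YYYY-MM-DD.
function valid_dob(string $v) {
    $d = DateTime::createFromFormat('!Y-m-d', $v);
    return ($d && $d->format('Y-m-d') === $v) ? $v : false;
}

// Per-field rules double as the whitelist: keys not listed are never read.
function form_rules(): array {
    $name = ['filter'  => FILTER_VALIDATE_REGEXP,
             'options' => ['regexp' => '/^[\p{L} \'.-]{1,50}$/u']];
    return [
        'first_name' => $name,
        'last_name'  => $name,
        'dob'        => ['filter' => FILTER_CALLBACK, 'options' => 'valid_dob'],
    ];
}

// Returns [clean values, names of fields that are missing or invalid].
function read_form(array $post): array {
    $clean = filter_var_array($post, form_rules(), true);
    $bad = array_keys(array_filter($clean, fn($v) => $v === null || $v === false));
    return [$clean, $bad];
}

// Constructed request body, modelled on the one quoted in the thread.
parse_str('first_name=Bill&last_name=Gates&dob=1980-05-17'
        . '&db_user=otheruser&db_pass=otherpassword', $post);

$db_user = 'root';                 // stands in for db-connect.php
[$form, $bad] = read_form($post);  // no variable is created from a POST key
echo 'accepted keys: ', implode(', ', array_keys($form)), "\n";
echo 'db_user: ', $db_user, "\n";
if ($bad === []) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE people (first_name TEXT, last_name TEXT, dob TEXT)');
    // Bound parameters take the place of manually escaping each value.
    $stmt = $pdo->prepare('INSERT INTO people VALUES (:first_name, :last_name, :dob)');
    $stmt->execute($form);
    // HTML-encode at output time, not before storage.
    echo 'saved: ', htmlspecialchars($form['first_name'], ENT_QUOTES, 'UTF-8'), "\n";
} else {
    echo 'rejected fields: ', implode(', ', $bad), "\n";
}
```

The mysql_* functions used in the thread were removed in PHP 7.0 and get_magic_quotes_gpc() in PHP 8.0, which is why neither appears here.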