• 0

pass each 'name' value form inputs into dynamically created variabl


Question

I was making a form that is um... quite large and all inputs consist of the form looking like

<input type="text" id="first_name" name="first_name" />

so instead of having to do

$first_name = $_POST['first_name'];

and so on for every input, is there a way to grab every 'name' or 'id' from each input within the and apply to a variable of the same value of the 'name' or 'id'.

I was thinking of something like a foreach statement??

Any ideas?


12 answers to this question


  • 0

If I understand correctly, you want to create a variable for each of your form inputs, that is named after the ID and is assigned the value of that form element. Is that right? If so, this should do the trick:

foreach($_POST as $form_name => $form_value) {
$$form_name = $form_value;
}


  • 0

oh well I was going to say keywords but they were variables so I said key variables.

just to clarify a bit more, what is the foreach function extracting? the 'name' or the 'id' value?


  • 0

oh well I was going to say keywords but they were variables so I said key variables.

just to clarify a bit more, what is the foreach function extracting? the 'name' or the 'id' value?

Technically it's extracting the key of each line of the $_POST array. As far as I know (I could be wrong here) the keys are defined by the 'name' attribute. This is **** as I believe 'name' is deprecated in XHTML strict, but obviously you need it for passing the information on to PHP through the POST method. To my mind the best solution is to do exactly what you're doing, which is to set both 'name' and 'id' attributes, and to set them to the same value. This way, you're more-or-less in line with the XHTML standard, you have IDs for DOM purposes, and you're still able to pass information to PHP.


  • 0

Try

import_request_variables('p', 'form_');

echo $form_name, $form_id;

The 'p' means the function enumerates all of the POST contents and prefixes the form widget with the string 'form_' i.e.

$form_<widgetName>


  • 0

Hell. Yes.

The correct way is to use extract, but this will not solve the security issues you have.

What are you trying to achieve? We know what you're trying to do, but not why. ;)

Using a whitelist of 'allowed' variables would be a slightly safer approach, but to be fair, you may as well just use $_POST['key'] and access them directly.

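<?php
// Whitelist of POST keys that may become variables
$allowed = array(
    'email',
    'username',
);

foreach ($_POST as $key => $value) {
    if (in_array($key, $allowed)) {
        // Variable variable: the value of $key is used as the variable's name
        $$key = $value;
    }
}
?>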


  • 0

well I would traditionally have something like this

<?php
if(isset($_POST[''])) {
    $first_name = $_POST['first_name'];
    $last_name = $_POST['last_name'];
    $dob = $_POST['dob'];
    // etc...etc...

    mysql_query("INSERT INTO");
}
?>

but I'm trying to see if I can take on a new way to handle my form submissions... call me lazy :blush:


  • 0

The benefits are negligible, stick to what you're doing until you have a proper reason to alter it. It's much safer. :D

Just a quick tip though, to check for 'POST', use:-

<?php
if('POST' === $_SERVER['REQUEST_METHOD']){
    # is post
}
?>


  • 0

I was looking into the foreach method; this is what I came up with

function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));

    if (get_magic_quotes_gpc())
        $data = stripslashes($data);

    $data = mysql_real_escape_string($data);

    return $data;
}

foreach($_POST as $key => $value) {
    $data[$key] = filter($value);
    echo $value . '<br />';
}

would this be secure?


  • 0

I was looking into the foreach method; this is what I came up with

would this be secure?

It's not so much the post values which will get you into trouble, but the post keys since those may overwrite essential variables used in the rest of your code.

For example, if you'd have a file called "db-connect.php":

<?php
$db_host = "localhost";
$db_user = "root";
$db_pass = "password";
$db_name = "mydb";

// ...
?>

A malicious user could send a request to your main PHP file with a POST query:

firstname=Bill&lastname=Gates&db_user=otheruser&db_pass=otherpassword

With your code, this would generate the $firstname and $lastname variables but it would also overwrite the values of $db_user and $db_pass and wreck the rest of your code.

Of course you should sanitize your POST values, but you also need a whitelist array of the variables which are allowed to be generated from the POST data. I propose you extend upon AnthonySterling's code:

<?php
function filter($data) {
    // Strip HTML and stuff
    $data = htmlentities(trim(strip_tags($data)));

    // You really shouldn't be using magic quotes...
    // Best is to make sure it's disabled and add slashes when you actually need to
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }

    return $data;
}

// Whitelist array of allowed POST variable names
$allowed = array('first_name', 'last_name', 'dob');

if('POST' === $_SERVER['REQUEST_METHOD']) {
    foreach($_POST as $key => $value) {
        // Sanitize the keys and values
        $key = filter($key);
        $value = mysql_real_escape_string( filter($value) );
        // Make sure $key is allowed and won't overwrite other critical variables
        if(in_array($key, $allowed)) {
            // Note the double dollar sign for key: the value of $key is used as the name of the variable
            $$key = $value;
        }
    }
}
?>

EDIT: After having a better look at your last code, it looks like I missed that you're storing your sanitized values in a $data variable rather than making them variables. This is secure enough, but how is this any different from just typing $_POST[$key]? You could just as easily work on the $_POST array itself instead of using a new $data variable:

<?php
foreach($_POST as $key => $value) {
    $_POST[$key] = filter($value);
}
?>

I just don't see the point of doing this, you're just sanitizing the whole $_POST array... I assume you want to treat different values in different ways (strings, integers, booleans,...).

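The whitelist from the last answer, taken one step further as an added example (not code from any poster in this thread): each allowed field name carries its own validation rule, and the result stays in an array instead of becoming variables, so a posted db_user never reaches $db_user. The rules, the read_form() helper and the sample $post array are constructed for illustration; the arrow functions need PHP 7.4 or later.

```php
<?php
// Added example. $post is a constructed request body; real code would pass $_POST.
$post = [
    'first_name' => '  Bill ',
    'last_name'  => 'Gates',
    'dob'        => '1955-10-28',
    'db_user'    => 'otheruser',     // keys the form never defined
    'db_pass'    => 'otherpassword',
];

// Whitelist and per-field rule in one place (rules are assumptions for this form).
$rules = [
    'first_name' => ['filter'  => FILTER_VALIDATE_REGEXP,
                     'options' => ['regexp' => '/^[\p{L} \'.-]{1,50}$/u']],
    'last_name'  => ['filter'  => FILTER_VALIDATE_REGEXP,
                     'options' => ['regexp' => '/^[\p{L} \'.-]{1,50}$/u']],
    'dob'        => ['filter'  => FILTER_VALIDATE_REGEXP,
                     'options' => ['regexp' => '/^\d{4}-\d{2}-\d{2}$/']],
];

// Hypothetical helper: returns [clean values, failed fields, ignored keys].
function read_form(array $input, array $rules): array
{
    // Trim strings so the rules see the value that will be stored.
    $input = array_map(fn($v) => is_string($v) ? trim($v) : $v, $input);

    // Only keys named in $rules come back: a missing field is null, a value
    // that fails its rule (or arrives as an array) is false.
    $clean = filter_var_array($input, $rules, true);

    $failed  = array_keys(array_filter($clean, fn($v) => $v === null || $v === false));
    $ignored = array_keys(array_diff_key($input, $rules));
    return [$clean, $failed, $ignored];
}

$db_user = 'root'; // stands in for db-connect.php from the answer above

[$form, $failed, $ignored] = read_form($post, $rules);

var_dump($db_user);  // the config variable is never written by the form handler
print_r($form);      // validated fields from the whitelist
print_r($failed);    // fields to report back to the user
print_r($ignored);   // unexpected keys, worth logging
```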

This topic is now closed to further replies.