Re: $$key = $value?
- From: ELINTPimp <smsiebe@xxxxxxxxx>
- Date: Mon, 24 Mar 2008 03:20:06 -0700 (PDT)
On Mar 24, 5:21 am, Gilles Ganault <nos...@xxxxxxxxxx> wrote:
> Hello
> I'm reading articles on how to validate forms, and happened on the
> following section:
> foreach($_POST as $key=>$value) {
>     $$key = $value;
> }
> http://www.phphacks.com/content/view/31/33/
> What does "$$key=$value" do?
> Thank you.
$$key is a variable variable:
http://us3.php.net/language.variables.variable
Basically what this does is set a variable with the key in
$_POST as the name. For example, if your $_POST superglobal looked
like:
$_POST = array ( 'firstName' => 'Steve',
'usenet'=> 'ElintPimp');
Then you run it through this function, and it produces two variables:
$firstName = 'Steve';
$usenet = 'ElintPimp';
Two problems with this function:
1) There is a function to do this - extract()
http://us3.php.net/manual/en/function.extract.php
2) Both that foreach loop and the extract() function are
potential security problems. I'll copy what is said about this from
php.net:
"Do not use extract() on untrusted data, like user-input ($_GET, ...).
If you do, for example, if you want to run old code that relies on
register_globals temporarily, make sure you use one of the non-
overwriting extract_type values such as EXTR_SKIP and be aware that
you should extract in the same order that's defined in variables_order
within the php.ini."
Regards,
Steve
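
The overwrite risk described in the reply above, as an added example that is not part of the original post. The $post array, its 'isAdmin' field and the three function names are assumptions made up for illustration; the example compares the loop from the question, extract() with EXTR_SKIP, and reading only an allowlist of fields.

```php
<?php
// Constructed sample input standing in for $_POST; 'isAdmin' is a
// hypothetical field the form never defined but a client can still send.
$post = ['firstName' => 'Steve', 'usenet' => 'ElintPimp', 'isAdmin' => '1'];

// The loop from the question: each submitted key becomes a local variable,
// so a key named like an existing variable replaces that variable's value.
function importWithLoop(array $input): array
{
    $isAdmin = false;                       // set by the script itself
    foreach ($input as $key => $value) {
        $$key = $value;
    }
    return ['firstName' => $firstName ?? null, 'isAdmin' => $isAdmin];
}

// extract() with EXTR_SKIP leaves variables that already exist untouched.
function importWithExtractSkip(array $input): array
{
    $isAdmin = false;
    extract($input, EXTR_SKIP);
    return ['firstName' => $firstName ?? null, 'isAdmin' => $isAdmin];
}

// Allowlist: read only the named fields into an array; nothing from the
// request is turned into a variable.
function importAllowlisted(array $input, array $allowed): array
{
    $isAdmin = false;
    $fields = [];
    foreach ($allowed as $name) {
        $fields[$name] = is_string($input[$name] ?? null) ? $input[$name] : null;
    }
    return ['fields' => $fields, 'isAdmin' => $isAdmin];
}

foreach ([
    'loop'         => importWithLoop($post),
    'extract+skip' => importWithExtractSkip($post),
    'allowlist'    => importAllowlisted($post, ['firstName', 'usenet']),
] as $label => $result) {
    echo $label, ': isAdmin = ', var_export($result['isAdmin'], true), PHP_EOL;
}
```

EXTR_SKIP only protects variables that are already defined when extract() is called; a variable the script first assigns or tests later can still be created from the request. The allowlist version does not have that gap.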