Hello Everyone,
So I'm trying to develop an API and I don't want to have to go
through the $variable = stripslashes($_POST['postvar']) thing. My
thought is to dynamically create my variables based on whatever names
might come in. So I'm trying to do it this way but it just doesn't
look right (and my variables aren't being created, it seems).
Here's the code:
foreach($_POST as $key=>$value){
    $key = stripslashes($_POST[$kwy]);
}
Now, what I HOPE would happen is that if $_POST['FirstName'] was sent
in, a variable named $firstname would be created. But I'm a bit
worried because I am using the $key in both the dynamic variable name
AND the POST array.
What is the best way to do what I'm wanting to do?
Thanks!
Anthony
papillion (26) | 3/4/2010 6:49:35 AM
Anthony Papillion wrote:
> Hello Everyone,
>
> So I'm trying to develop an API and I don't want to have to go
> through the $variable = stripslashes($_POST['postvar']) thing. My
> thought is to dynamically create my variables based on whatever names
> might come in. So I'm trying to do it this way but it just doesn't
> look right (and my variables aren't being created, it seems).
>
> Here's the code:
>
> foreach($_POST as $key=>$value){
> $key = stripslashes($_POST[$kwy]);
> }
>
> Now, what I HOPE would happen is that if $_POST['FirstName'] was sent
> in, a variable named $firstname would be created. But I'm a bit
> worried because I am using the $key in both the dynamic variable name
> AND the POST array.
>
> What is the best way to do what I'm wanting to do?
I hope you don’t code as you type ;-) but from the nature of your question I
deduce that your code doesn’t work. That’s because it should rather be like:
foreach( $_POST as $key=>$value )
    $$key = stripslashes($value);
Note the double-$$, which in this case creates a variable by the name of
whatever is in $key. Also you don’t need to reference $_POST again. The
value is right there in, well, $value.
--
Gruß | Greetings | Qapla'
Mice don't drink alcohol, they're afraid of the Kater (German for both tomcat and hangover).
Frank | 3/4/2010 7:01:02 AM
> I hope you don’t code as you type ;-) but from the nature of your question I
> deduce that your code doesn’t work. That’s because it should rather be like:
>
> foreach( $_POST as $key=>$value )
>     $$key = stripslashes($value);
>
> Note the double-$$, which in this case creates a variable by the name of
> whatever is in $key. Also you don’t need to reference $_POST again. The
> value is right there in, well, $value.
> --
> Gruß | Greetings | Qapla'
> Mice don't drink alcohol, they're afraid of the Kater (German for both tomcat and hangover).
Ouch, I have to say that hurts. Ok, not really but I had to say it.
lol
Thank you for the help. Much appreciated!
Anthony
Anthony | 3/4/2010 7:25:48 AM
On Mar 4, 7:49 am, Anthony Papillion <papill...@gmail.com> wrote:
> Hello Everyone,
>
> So I'm trying to develop an API and I don't want to have to go
> through the $variable = stripslashes($_POST['postvar']) thing. My
> thought is to dynamically create my variables based on whatever names
> might come in. So I'm trying to do it this way but it just doesn't
> look right (and my variables aren't being created, it seems).
>
> Here's the code:
>
> foreach($_POST as $key=>$value){
>     $key = stripslashes($_POST[$kwy]);
> }
>
> Now, what I HOPE would happen is that if $_POST['FirstName'] was sent
> in, a variable named $firstname would be created. But I'm a bit
> worried because I am using the $key in both the dynamic variable name
> AND the POST array.
>
> What is the best way to do what I'm wanting to do?
>
> Thanks!
> Anthony
As Frank answered, you can use "variable variables"
(http://www.php.net/manual/en/language.variables.variable.php), but that's a
bad practice (IMHO).
Here is an example (a dummy example, but you can see the potential problems
with that approach):
$is_admin = isAdmin($current_user);
// let's say the current user isn't admin, so $is_admin is "false"
....
// somewhere in the code you do this:
foreach( $_POST as $key=>$value )
    $$key = stripslashes($value);
// now, a non-admin makes a post request with name 'is_admin' and value
// 1 ($_POST['is_admin'] is 1)
if ($is_admin) {
    //go to administration
}
By this approach, you would override the variable "$is_admin" with the newly
created "variable variable" and would get an unexpected result.
Ivan | 3/4/2010 9:54:45 AM
Ivan S wrote:
> As Frank answered, you can use "variable variables" (http://
> www.php.net/manual/en/language.variables.variable.php), but that's a
> bad practice (IMHO).
>
> Here is example (dummy example, but you can see potential problems
> with that approach):
>
> $is_admin = isAdmin($current_user);
>
> // let's say current user isn't admin, so $is_admin is "false"
>
> ...
>
> // somewhere in the code you do this:
>
> foreach( $_POST as $key=>$value )
> $$key = stripslashes($value);
>
> // now, non admin makes a post request with name 'is_admin' and value
> 1 ($_POST['is_admin'] is 1)
>
> if ($is_admin) {
> //go to administration
> }
>
>
> By this approach, you would override variable "$is_admin" with newly
> created "variable variable" and would get unexpected result.
Hmm, well, in that case change it to
if (isset($$key))
    echo "Variable \$$key already taken!<br>";
else
    $$key = $value;
But first, you said IMHO, and secondly _I_ put that foreach at the top of my
scripts. ;-)
--
Gruß | Greetings | Qapla'
In youth, all limbs were supple except one.
Now all are stiff except one.
Frank | 3/4/2010 10:22:38 AM
Anthony Papillion wrote:
> Hello Everyone,
>
> So I'm trying to develop an API and I don't want to have to go
> through the $variable = stripslashes($_POST['postvar']) thing. My
> thought is to dynamically create my variables based on whatever names
> might come in. So I'm trying to do it this way but it just doesn't
> look right (and my variables aren't being created, it seems).
>
> Here's the code:
>
> foreach($_POST as $key=>$value){
> $key = stripslashes($_POST[$kwy]);
> }
>
> Now, what I HOPE would happen is that if $_POST['FirstName'] was sent
> in, a variable named $firstname would be created. But I'm a bit
> worried because I am using the $key in both the dynamic variable name
> AND the POST array.
>
> What is the best way to do what I'm wanting to do?
>
> Thanks!
> Anthony
Others have told you how to do it - I'll just mention this is a huge
security exposure. It's not much different from the effects of
register_globals and will allow a hacker to define any variable in your
system. This potentially allows the hacker to do things like fake admin
access to your system, which is why register_globals has been removed
from PHP 6.
Also, you don't need stripslashes() unless magic_quotes_gpc is enabled;
the default for this has been disabled for several years now, and this
option has also been removed in PHP 6.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Jerry | 3/4/2010 11:00:38 AM
On 04/03/2010 7:49, Anthony Papillion wrote:
> So I'm trying to develop an API and I don't want to have to go
> through the $variable = stripslashes($_POST['postvar']) thing. My
> thought is to dynamically create my variables based on whatever names
> might come in. So I'm trying to do it this way but it just doesn't
> look right (and my variables aren't being created, it seems).
>
> Here's the code:
>
> foreach($_POST as $key=>$value){
> $key = stripslashes($_POST[$kwy]);
> }
>
> Now, what I HOPE would happen is that if $_POST['FirstName'] was sent
> in, a variable named $firstname would be created. But I'm a bit
> worried because I am using the $key in both the dynamic variable name
> AND the POST array.
>
> What is the best way to do what I'm wanting to do?
That approach was already attempted in core PHP:
http://php.net/manual/en/security.globals.php
At first it looked like a good idea. It was not:
- It was the source of endless hacked servers
- It made coding more difficult
What's your exact need? stripslashes() is basically a useless function:
you can't use it to escape HTML and you can't use it to escape DB input.
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My site of satin-finish humour: http://www.demogracia.com
--
ISO | 3/4/2010 11:08:01 AM
On Mar 4, 11:22 am, Frank Steinmetzger <War...@gmx.de> wrote:
> Hmm well in that change it to
>
> if (isset($$key))
>     echo "Variable \$$key already taken!<br>";
> else $$key=$value;
You have solved one problem, but generated another. If there is, for
example, a variable $a before this code, you won't be able to use the user
submitted value from an input element that has "a" as its name attribute ~
$_POST['a'] (which can be legal post data).
You have written some kind of error handling. Right?
But that is not necessary if you use an array to store data.
This could be a possible solution:
$form_elements = array('username', 'password', 'email');
$submitted_data = array();
foreach ($form_elements as $form_element) {
    // you should validate input here (I haven't)
    $submitted_data[$form_element] = isset($_POST[$form_element]) ?
        $_POST[$form_element] : '';
}
Now you have validated submitted data and you know that it is exactly
what you want and what you need. There is no need to depend on user
submitted data (or should I say ... hacker submitted data :) ).
> But first, you said IMHO, and secondly _I_ put that foreach at the top of my
> scripts. ;-)
It doesn't matter where you put it. That's not the point. The point is
that you can't track what will become a variable (with what value), and
that could lead to various side effects in other scripts which are
hard to debug.
I think it's better to avoid that practice in the first place.
Ivan | 3/4/2010 12:34:32 PM
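The three approaches argued over in the posts above (the $$key loop from Ivan's $is_admin example, Frank's isset() guard, and Ivan's explicit field list), replayed side by side as an added example. This is not code from any poster in the thread; it runs on a constructed POST array instead of a live request, and the function names and sample data are this example's own.

```php
<?php
// Added example, not code from any poster in this thread. It replays the
// three approaches discussed above on a constructed POST array instead of
// a live request: the $$key loop, the isset() guard, and an explicit list
// of expected fields. Function names and sample data are this example's own.

// 1. The $$key loop (extract($post) does the same thing): every field the
//    client sends becomes a variable in this scope, including one that
//    shadows the result of the real authorization check.
function handle_with_variable_variables(array $post, $current_user_is_admin)
{
    $is_admin = $current_user_is_admin;      // stands in for isAdmin($current_user)
    foreach ($post as $key => $value) {
        $$key = stripslashes($value);        // $key is attacker-controlled
    }
    return $is_admin ? 'administration' : 'normal page';
}

// 2. Frank's isset() guard: variables that already exist survive, but a
//    POST field whose name collides with one of them is silently dropped.
function handle_with_isset_guard(array $post, $current_user_is_admin)
{
    $is_admin = $current_user_is_admin;
    $a = 'set earlier in the script';        // unrelated variable named $a
    foreach ($post as $key => $value) {
        if (!isset($$key)) {                 // isset(false) is true, so $is_admin is kept
            $$key = stripslashes($value);
        }
    }
    return array(
        'route' => $is_admin ? 'administration' : 'normal page',
        'a'     => $a,                       // the legitimate field "a" never arrives
    );
}

// 3. Explicit field list (Ivan's suggestion): the client can neither create
//    nor overwrite a variable; fields not in the list are ignored.
function handle_with_field_list(array $post, $current_user_is_admin)
{
    $is_admin = $current_user_is_admin;
    $expected = array('FirstName', 'a');
    $input = array();
    foreach ($expected as $field) {
        $input[$field] = isset($post[$field]) ? $post[$field] : '';
    }
    return array(
        'route' => $is_admin ? 'administration' : 'normal page',
        'a'     => $input['a'],
    );
}

// Constructed request: a non-admin user who adds an is_admin field by hand.
$post = array('FirstName' => 'Bob', 'a' => 'user supplied', 'is_admin' => '1');

var_dump(handle_with_variable_variables($post, false));
var_dump(handle_with_isset_guard($post, false));
var_dump(handle_with_field_list($post, false));
```

Called with a non-admin user, the first handler takes the administration route because the loop overwrote $is_admin with the string '1'; the second keeps the correct route but loses the legitimate "a" field to the pre-existing $a; only the third returns both the correct route and the submitted "a" value.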
I generally do this and avoid writing back to the $_POST array.
foreach ($_POST as $key => $value)
{
    $post[$key] = trim(strip_tags(html_entity_decode($value, ENT_QUOTES)));
}
After this point I stop using the $_POST array and use $post instead.
I believe this combined with a small amount of care when referencing
stuff in the $post array circumvents the issues raised in this thread.
On Mar 4, 6:34 am, Ivan S <ivan.sku...@gmail.com> wrote:
> On Mar 4, 11:22 am, Frank Steinmetzger <War...@gmx.de> wrote:
>
> > Hmm well in that change it to
>
> > if (isset($$key))
> >     echo "Variable \$$key already taken!<br>";
> > else $$key=$value;
>
> You have solved one problem, but generated another. If there is, for
> example, variable $a before this code, you won't be able to use user
> submitted value from input element that has "a" name attribute ~
> $_POST['a'] (which can be legal post data).
>
> You have wrote some kind of error handling. Right?
> But that is not necessary if you use array to store data.
>
> This could be possible solution:
>
> $form_elements = array('username', 'password', 'email');
>
> $submitted_data = array();
>
> foreach ($form_elements as $form_element) {
>     // you should validate input here (I haven't)
>     $submitted_data[$form_element] = isset($_POST[$form_element]) ?
>         $_POST[$form_element] : '';
> }
>
> Now you have validated submitted data and you know that is exactly
> what you want and what you need. There is no need to depend on user
> submitted data (or should I say ... hacker submitted data :) ).
>
> > But first, you said IMHO, and secondly _I_ put that foreach at the top of my
> > scripts. ;-)
>
> It doesn't matter where you put it. That's not the point. The point is
> that you can't track what will become variable (with what value), and
> that could lead to various side effects in other scripts which are
> hard to debug.
>
> I think it's better to avoid that practice in first place.
Eric | 3/4/2010 8:31:13 PM
..oO(Eric Wilson)
>I generally do this and avoid writing back to $_POST array.
>foreach ($_POST as $key => $value)
>{
>    $post[$key] = trim(strip_tags(html_entity_decode($value,
>ENT_QUOTES)));
>}
Why strip_tags()? Why manipulate the input at all? More important is to
properly handle the _output_ and the data transferred to databases.
Micha
Michael | 3/4/2010 10:02:06 PM
On Mar 4, 4:02 pm, Michael Fesser <neti...@gmx.de> wrote:
> .oO(Eric Wilson)
>
> >I generally do this and avoid writing back to $_POST array.
> >foreach ($_POST as $key => $value)
> >{
> >    $post[$key] = trim(strip_tags(html_entity_decode($value,
> >ENT_QUOTES)));
> >}
>
> Why strip_tags()? Why manipulate the input at all? More important is to
> properly handle the _output_ and the data transferred to databases.
>
> Micha
You could take it out; for most of my apps I do not want HTML tags in
my data, so I prefer to remove them and treat the result as my raw data.
When I do have a field that will contain tags (like when I want to use
tinyMCE or something) then I allow an exception for that field. What
I posted originally is just a simplified version of what I use on my
webapps that just covers the initial sanitization of my post data.
What I actually use is more like this (allows for HTML arrays and what
not):
$post = array_merge($post, sanitize_user_input($_POST));
// made safe for mysql, ex:
// "INSERT INTO table_name (field_name) VALUES ('".$save['field_name']."')"
$save = escape_mysql($post);
$html_safe = sanitize_user_output($post);

// sanitize form post data; if some tags need to be allowed (like for
// tinyMCE) then provide those input names in the $text_areas argument.
// $count bounds how many levels of nested (array-valued) inputs are
// followed; anything nested deeper than that is left as received.
function sanitize_user_input($value, $count = 3, $text_areas = "")
{
    $count -= 1;
    if (!is_array($text_areas)) {
        $text_areas = array($text_areas);
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            if (is_array($v)) {
                // recurse while depth remains (the posted version tested
                // $count <= 0, which never recursed from the default of 3)
                if ($count > 0) {
                    $value[$k] = sanitize_user_input($v, $count, $text_areas);
                }
            } elseif (!in_array($k, $text_areas)) {
                $value[$k] = trim(strip_tags(html_entity_decode($v, ENT_QUOTES)));
            } else {
                $value[$k] = trim(strip_tags(html_entity_decode($v, ENT_QUOTES),
                    "<p><font><span><a><strong><em><br><ol><ul><li><table><td><tr>"));
            }
        }
    } else {
        $value = trim(strip_tags(html_entity_decode($value, ENT_QUOTES)));
    }
    return $value;
}

// escape data for use in a mysql insert or update
// (mysql_real_escape_string() needs an open ext/mysql connection)
function escape_mysql($value, $count = 3)
{
    $count -= 1;
    foreach ($value as $k => $v) {
        if (is_array($v)) {
            if ($count > 0) {
                $value[$k] = escape_mysql($v, $count);
            }
        } else {
            $value[$k] = mysql_real_escape_string($v);
        }
    }
    return $value;
}

// sanitize data for echoing back out as HTML (htmlentities and such)
function sanitize_user_output($value, $count = 3)
{
    $count -= 1;
    foreach ($value as $k => $v) {
        if (is_array($v)) {
            if ($count > 0) {
                $value[$k] = sanitize_user_output($v, $count);
            }
        } else {
            $value[$k] = htmlentities(stripslashes($v), ENT_QUOTES);
        }
    }
    return $value;
}
Eric | 3/4/2010 10:33:55 PM
On 04/03/2010 21:31, Eric Wilson wrote:
> I generally do this and avoid writing back to $_POST array.
> foreach ($_POST as $key => $value)
> {
>     $post[$key] = trim(strip_tags(html_entity_decode($value,
>     ENT_QUOTES)));
> }
strip_tags() on everything by default?
Yes, I find it often when I surf the web. I read a blog entry and I want
to write a comment. I type some text in a textarea that asks for plain
text. I hit "Post" and, voilà, there's my comment all mangled thanks to
a combination of paranoia and misinformation.
strip_tags() has absolutely no use in anything that is not HTML and,
even in that case, there are really very few situations where it can
be useful (for instance, generating a plain text summary of an HTML
document); if you want to inject non-trusted HTML right into your site
you'd better implement a real HTML parser with a white list approach.
You don't remove special chars: you _escape_ them in order to make them
literals. Just go figure if you could not store Patrick O'Brian in a
book database...
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My site of satin-finish humour: http://www.demogracia.com
--
ISO | 3/5/2010 9:00:39 AM
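The approach Micha ("handle the _output_ and the data transferred to databases") and Álvaro ("you don't remove special chars: you _escape_ them") describe, as an added example that is not from any poster: the submitted value is stored exactly as typed, and each destination gets its own escaping, a bound parameter for the database and htmlspecialchars() for the HTML page. It assumes the pdo_sqlite extension is available; the table, column and function names and the sample comment are this example's own.

```php
<?php
// Added example, not code from any poster. Stores the raw submitted value
// and escapes per destination: a prepared statement for the database and
// htmlspecialchars() for HTML output. Assumes the pdo_sqlite extension;
// the table, column and function names are this example's own.

function open_store()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $db;
}

// Database: the value travels as a bound parameter, never inside the SQL
// text, so apostrophes, backslashes and angle brackets are stored literally.
function store_comment(PDO $db, $author, $body)
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute(array(':author' => $author, ':body' => $body));
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// HTML: escape at output time, for the HTML context. ENT_QUOTES covers both
// quote characters, so the same helper is safe inside attribute values too.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_comment(array $row)
{
    return '<p><b>' . h($row['author']) . '</b>: ' . h($row['body']) . '</p>';
}

// Constructed input: a name with an apostrophe and a body carrying markup.
$db  = open_store();
$id  = store_comment($db, "Patrick O'Brian", '<script>alert(1)</script> said "hi"');
$row = load_comment($db, $id);

echo $row['author'], "\n";        // the raw value, apostrophe and all
echo render_comment($row), "\n";  // markup rendered as literal text
```

Nothing is stripped at any point: the apostrophe in the author name reaches the database untouched because it is a parameter rather than part of the statement, and the script tag in the body is neutralised only where it matters, by encoding it for the HTML context at render time. The same raw row could be emitted as JSON or plain text with a different encoder, which is exactly what an input-side strip_tags() would have made impossible.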
On Mar 5, 3:00 am, "Álvaro G. Vicario"
<alvaro.NOSPAMTH...@demogracia.com.invalid> wrote:
> On 04/03/2010 21:31, Eric Wilson wrote:
>
> > I generally do this and avoid writing back to $_POST array.
> > foreach ($_POST as $key => $value)
> > {
> >     $post[$key] = trim(strip_tags(html_entity_decode($value,
> > ENT_QUOTES)));
> > }
>
> strip_tags() to all by default?
>
> Yes, I find it often when I surf the web. I read a blog entry and I want
> to write a comment. I type some text in a textarea that asks for plain
> text. I hit "Post" and, voilà, there's my comment all mangled thanks to
> a combination of paranoia and misinformation.
>
> strip_tags() has absolutely no use in anything that is not HTML and,
> even in that case, there're really very little situations where it can
> be useful (for instance, generate a plain text summary of an HTML
> document); if you want to inject non-trusted HTML right into your site
> you'd better implement a real HTML parser with a white list approach.
>
> You don't remove special chars: you _escape_ them in order to make them
> literals. Just go figure if you could not store Patrick O'Brian in a
> book database...
>
> --
> -- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
> -- My site about web programming: http://borrame.com
> -- My site of satin-finish humour: http://www.demogracia.com
> --
To each his own, I personally find strip_tags very useful but then
again I am not creating public forum or wiki applications where text
needs to be marked up. Most of my users are carelessly pasting crap
into my form from word and strip_tags actually helps clean it up. The
biggest drawback of strip_tags is when using it with exceptions as it
blindly allows everything in your allow list (including javascript
events). In my case, where all users are employees and need to
authenticate to access the applications stored on our secure intranet,
I have decided that strip_tags (with all of its weaknesses) is
sufficient and helpful.
I have no issues storing quotes in the database, mysql_real_escape
handles that well, I absolutely do not want my htmlentities encoded in
the database either. The only time I want htmlentities encoded is
when I am displaying output to the user. I have no clue how you came
to the conclusion that I was removing special characters, I am not,
they are decoded in my logic block and database and encoded when
displayed in the html.
Eric | 3/5/2010 2:28:05 PM

12 Replies, 189 Views
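Eric's last post names the weakness of strip_tags() with an allowed-tag list: it keeps every attribute of an allowed tag, event handlers and javascript: URLs included. The added example below is not from any poster. It first runs strip_tags() over a constructed fragment so the surviving handlers are visible, then does what Álvaro suggests a few posts up, parsing the fragment and keeping only listed elements and attributes. It assumes ext/dom (DOMDocument) is loaded; the allow lists and the sample fragment are this example's own choices, not a complete policy.

```php
<?php
// Added example, not code from any poster. Part 1 shows strip_tags() with an
// allow list leaving event handlers in place; part 2 is a small allow-list
// sanitizer on top of DOMDocument. Assumes ext/dom. The allow lists here are
// this example's own and are deliberately short.

// Constructed sample: handlers on allowed tags, a javascript: URL, a script.
$dirty = '<p onclick="alert(1)">Hello <a href="javascript:alert(2)" onmouseover="x()">link</a>'
       . ' <b style="color:red">bold</b> <script>alert(3)</script></p>';

// Part 1: strip_tags() drops <b> and <script> but keeps onclick, onmouseover,
// the javascript: href, and the text of the script element.
function strip_tags_allowlist($html)
{
    return strip_tags($html, '<p><a>');
}

// Part 2: elements that may remain, each with the attributes it may carry.
function allowed_elements()
{
    return array('p' => array(), 'a' => array('href'), 'b' => array(), 'em' => array());
}

// Only http(s) and site-relative URLs survive in href.
function safe_url($url)
{
    return preg_match('#^(https?://|/)#i', trim($url)) === 1;
}

// Snapshot a node's children; the live childNodes list changes as we edit.
function children(DOMNode $node)
{
    $list = array();
    for ($i = 0; $i < $node->childNodes->length; $i++) {
        $list[] = $node->childNodes->item($i);
    }
    return $list;
}

function clean_attributes(DOMElement $el, array $keep)
{
    $names = array();
    foreach ($el->attributes as $attr) {
        $names[] = $attr->name;
    }
    foreach ($names as $name) {
        $lower = strtolower($name);
        if (!in_array($lower, $keep, true) || ($lower === 'href' && !safe_url($el->getAttribute($name)))) {
            $el->removeAttribute($name);
        }
    }
}

function clean_children(DOMNode $parent, array $allowed)
{
    foreach (children($parent) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $parent->removeChild($child);               // drop element and its content
            } elseif (!isset($allowed[$tag])) {
                clean_children($child, $allowed);           // unknown tag: keep cleaned children
                foreach (children($child) as $grandchild) {
                    $parent->insertBefore($grandchild, $child);
                }
                $parent->removeChild($child);
            } else {
                clean_attributes($child, $allowed[$tag]);
                clean_children($child, $allowed);
            }
        } elseif (!($child instanceof DOMText)) {
            $parent->removeChild($child);                   // comments, PIs, etc.
        }
    }
}

function sanitize_html($html)
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);           // tolerate sloppy markup quietly
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>'
                 . '<body>' . $html . '</body></html>');
    libxml_use_internal_errors($previous);

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_children($body, allowed_elements());

    $out = '';
    foreach (children($body) as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

echo strip_tags_allowlist($dirty), "\n";
echo sanitize_html($dirty), "\n";
```

The difference between the two outputs is the point: strip_tags() leaves the fragment with onclick, onmouseover and a javascript: link because those sit on tags it was told to allow, whereas the DOM walk keeps only the elements and attributes named in allowed_elements(), unwraps anything else, and drops script and style with their contents. Attribute and URL policy is where real sanitizers earn their keep; treat the short lists here as a starting shape, not a finished policy.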