I was making a form that is, um... quite large, and all inputs look like

<input type="text" id="first_name" name="first_name" />

so instead of having to do

$first_name = $_POST['first_name'];

and so on for every input, is there a way to grab every 'name' or 'id' from each input within the <form></form> and assign it to a variable with the same name as the 'name' or 'id'?

I was thinking of something like a foreach statement??

Any ideas?

EDIT:

Given this little snippet of code here, how can it be used with the example given below?

// Cleans one submitted value: strips tags, encodes entities, trims whitespace,
// undoes magic_quotes slashes if that setting is on, then escapes for MySQL.
function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));

    if (get_magic_quotes_gpc())
        $data = stripslashes($data);

    $data = mysql_real_escape_string($data);

    return $data;
}

// Collects every posted field, keyed by its input name, into $data.
$data = array();
foreach($_POST as $key => $value) {
    $data[$key] = filter($value);
    echo $value . '<br />';
}
  • That's the worst thing you can think of, ever. Moreover, you just don't need it. Commented Sep 17, 2010 at 8:18
  • I would advise against going any method where you don't know the input, and cannot control it in a sense that would keep your applications / server secure from injection. Commented Sep 17, 2010 at 12:24

2 Answers

5

Using extract or a foreach like this is a bad idea; it would allow someone to hijack a variable in your code.

Imagine the following

$my_user_id = 10;
extract($_POST);
// Load the user for $my_user_id using MYSQL
// Change some value of the user for $my_user_id
// Update the database for user $my_user_id

What happens when a user hacks your form and changes the value of my_user_id?

They will be able to change the values for a user other than the one you intended them to change.

You should only get the values from $_POST that you KNOW are OK and should be there. Do not grab everything and assume it is meant to be there.


2

Such a variable assignment is a very bad idea. A malicious user can rewrite any variable in your program this way.
Never do such things.
You are right about the foreach statement. But do not use it for setting variables - just use it to accomplish your script's goal. Iterate $_POST and put its values into a query or mail body or whatever. No need for global scope variables.

As I have said above, use foreach for the real automation.
You can use this function to produce a SET SQL statement out of an array of field names and the $_POST array:

// Builds the "`field`='value', ..." list for a SET clause from the whitelisted
// field names that are actually present in $_POST; any other POST key is ignored.
function dbSet($fields) {
  $set='';
  foreach ($fields as $field) {
    if (isset($_POST[$field])) {
      $set.="`$field`='".mysql_real_escape_string($_POST[$field])."', ";
    }
  }
  return substr($set, 0, -2); // drop the trailing ", "
}

$fields = explode(" ","name surname lastname address zip fax phone"); // the whitelist of allowed inputs
$query  = "INSERT INTO $table SET ".dbSet($fields); // $table is assumed to be set earlier

3 Comments

Wait, what do you mean iterate and put into query or mail, brother? My goal was just so that I can cut down my work and automate the process of adding my form to my database.
I'm not really sure what's going on there. I can see that the function takes $field and passes it into the foreach statement, but what I don't get is what $_POST[$field] is supposed to be. Then the explode array, what is that holding? Where is the name surname lastname data being pulled from?
What the Col. explained is an automated method to take your POST variables and create a SQL query IF it is in the fields string (explode will help you define what input is allowed / matching). So your $_POST[$field] would actually be $_POST['name'].. any clearer?
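As an added example that is not part of either answer, here is the hijack the first answer describes next to a whitelist collector in the spirit of the second answer's dbSet(). It assumes PHP 7.4+ and swaps mysql_real_escape_string for PDO prepared statements, with the $pdo connection left as a commented placeholder.

```php
<?php
// Added example (not from the question or either answer): the extract()
// hijack beside a whitelist-based collector that feeds a prepared statement.

// Shows what extract($_POST) does to a variable the script already set.
function hijackDemo(array $post): int {
    $my_user_id = 10;        // the id the script intended to update
    extract($post);          // a posted my_user_id silently overwrites it
    return $my_user_id;
}

// Picks only whitelisted fields out of $post; unknown keys are ignored,
// so there is nothing for a hostile client to inject into the script's scope.
function collectFields(array $post, array $allowed): array {
    $data = [];
    foreach ($allowed as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $data[$field] = trim($post[$field]);
        }
    }
    return $data;
}

// Builds a parameterised INSERT: column names come only from the whitelist,
// values travel as bound parameters and are never concatenated into the SQL.
function buildInsert(string $table, array $data): array {
    $cols  = array_map(fn($c) => "`$c`", array_keys($data));
    $marks = array_fill(0, count($data), '?');
    $sql   = "INSERT INTO `$table` (" . implode(', ', $cols)
           . ') VALUES (' . implode(', ', $marks) . ')';
    return [$sql, array_values($data)];
}

// Constructed sample input standing in for $_POST, including a hostile key.
$post    = ['name' => 'Ann', 'zip' => ' 12345 ', 'my_user_id' => '1'];
$allowed = ['name', 'surname', 'zip'];

echo "extract() left my_user_id = ", hijackDemo($post), "\n";

$data = collectFields($post, $allowed);
[$sql, $params] = buildInsert('users', $data);
echo $sql, "\n";
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass'); // assumed DSN
// $pdo->prepare($sql)->execute($params);
```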
