dk4210 Posted March 31, 2011 Share Posted March 31, 2011 Hello guy, Just wanted to see how I could resolve this issue I have a foreach loop here that will spit out the vars. foreach (array_keys($_POST) as $key) { $$key = $_POST[$key]; print "$key is ${$key}<br />"; } echo "<br><br><br>This is the viewname" . $viewname; echo "<br><br><br>This is the price" . $price; I am trying to run the post vars through a filter (The filter name is filter($value) but I cant get it to work. I tried this foreach (array_keys($_POST) as $key) { $$key = $_POST[$key]; $$key = filter($value); print "$key is ${$key}<br />"; } echo "<br><br><br>This is the viewname" . $viewname; echo "<br><br><br>This is the price" . $price; Any ideas? Thanks, Dan Quote Link to comment Share on other sites More sharing options...
Zane Posted March 31, 2011 Share Posted March 31, 2011 $value is not defined in your foreach you need foreach($_POST as $key=>$value) Also, if you include $value in your foreach statement, then $_POST[$key] and $value are the same thing. Quote Link to comment Share on other sites More sharing options...
dk4210 Posted March 31, 2011 Author Share Posted March 31, 2011 That did the trick! Thanks alot! Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted March 31, 2011 Share Posted March 31, 2011 Variable-variables are three times slower than using an array variable. Why did you switch what you are doing, from your existing thread for this problem? Also, the code you current have exhibits the same security hole that was mentioned in your existing thread and will allow a hacker to set any of your existing variables. So, for example, if you have a variable $admin that determines if I am an administrator to your script, a hacker can set that by including a $_POST['admin'] value when he submits to your code and he can do anything that your script allows an administrator to do. You are trying to execute a filter function on the post data to make it safe, but you are opening up a security hole that is more serious than what the form data could possibly do. Quote Link to comment Share on other sites More sharing options...
dk4210 Posted March 31, 2011 Author Share Posted March 31, 2011 Ok point taken so how to I resolve it.. Here is my foreach foreach ($_POST as $key=>$value) { $$key = $_POST[$key]; $$key = filter($value); print "$key is ${$key}<br />"; } Here is my filter function function filter($data) { $data = trim(htmlentities(strip_tags($data))); if (get_magic_quotes_gpc()) $data = stripslashes($data); $data = mysql_real_escape_string($data); return $data; } How would I code it to patch the gaping security hole that you are referring to? Thanks for all your help Quote Link to comment Share on other sites More sharing options...
shlumph Posted March 31, 2011 Share Posted March 31, 2011 Here's one way to do it without using variable variables: foreach ($_POST as $key => $value) { $_POST[$key] = filter($value); print "{$key} is {$_POST[$key]}<br />"; } Quote Link to comment Share on other sites More sharing options...
dk4210 Posted March 31, 2011 Author Share Posted March 31, 2011 Hey I tried this code foreach ($_POST as $key => $value) { $_POST[$key] = filter($value); print "{$key} is {$_POST[$key]}<br />"; } But when I echo out vars it doesn't work. It did with the Like this echo "<br><br><br>This is the viewname" . $ad_title; echo "<br><br><br>This is the price" . $price; It did work with this code but had the security issue foreach (array_keys($_POST) as $key) { $$key = $_POST[$key]; $$key = filter($value); print "$key is ${$key}<br />"; } Please advise.. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted March 31, 2011 Share Posted March 31, 2011 Someone gave two different ways of doing this, that are secure, in your first thread for this - ...you should only convert expected variables ... ... or you should insure that the variables you create have their own unique name-space so that they cannot overwrite any of your existing program variables. #1 can be accomplished by making an array of the expected index names and use that to iterate over the $_POST array. #2 can be accomplished several different ways - a) Using the $_POST['....'] variables directly in your code (after applying your filter function to them.) b) Using your $mydata['....'] variables. c) Using extract() with either the EXTR_PREFIX_ALL or the EXTR_SKIP flag. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted March 31, 2011 Share Posted March 31, 2011 array_walk_recursive($_POST, 'filter'); extract($_POST,EXTR_SKIP); Quote Link to comment Share on other sites More sharing options...
dk4210 Posted March 31, 2011 Author Share Posted March 31, 2011 That seems to work. But I have a question here. Does EXTR_PREFIX_ALL add a prefix onto the var name? If so, would it be a good idea to append a prefix and then code a check to make sure that all vars have that prefix and if they don't error out? I was even thinking of creating a table in the db of allowed vars, so if a hacker tried to inject rouge vars, that it would catch it.. Its like a white list What are your thoughts on that? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.