[PHP] Extracting Key and Data from $_POST and making them variables

[Olemus]

Hey guys.

I'm trying to take the key from $_POST and turn it into a variable with the data assigned so a shorter way of doing this:

$_POST['username'] = $username;
$_POST['password'] = $password;

and so on.

I've tried a simple foreach loop without much success

  foreach($_POST as $key=>$value){
            if (function_exists("mysql_real_escape_string")){
                if (get_magic_quotes_gpc()){
                  $key = stripslashes($value);
                }
                $key = mysql_escape_string($value);
            }
           print_r($key);
     }

but this doesn't quite work how I thought it would :<

Whilst it does escape the data I can't then grab the individual key I want. This is probably a stupidly simple thing I'm missing but I can't get it :<

I want to use this to clean up data before its entered into the mySQL database any ideas?

[HeyRatFans]

Are you trying to replicate the PHP4 register_globals functionality, except only with $_POST?

Something like this should do what you want. It uses a simple foreach loop and variable variables:

foreach ($_POST as $key => $value) {
    $$key = $value;
}

BUT, I highly recommend you DON'T to this.

Instead, test for the variables you want to exist in the request, validate them, escape them and use them in your query / output. DON'T blindly accept any and all variables and especially don't turn them into new variables like this. It might seem easier this way, but you're potentially opening up a huge can of worms for yourself if you do. Even if your SQL queries are safe, there are many other things they can done to cause problems for your script. For example you might have some otherwise inert HTML stored in a variable called $html which could be replace with something of my choosing, or your database connection resource as $db, which could be replaced with something else and cause your query to fail. They might not seem too impressive, but they might help to reveal further attack vectors which could be used to compromise your script or they might be used to infect your visitors or your site.

[Olemus]

Thanks for the help. I think I'll take your advice and stay away from it. :)

[ZakO]

PHP has a built in extract function which does that; http://uk3.php.net/extract but like it mentions on the page (and mentioned here) I wouldn't recommend using it on $_POST/$_GET.

Edit: ah sorry didn't see you wanted it to automatically escape the variables, extract wouldn't fit your needs anyway then :p

[Andrew Lyle Global Moderator]

$username = $_POST['username'];
$password = $_POST['password'];

is actually the correct way of doing this. You also aren't escaping the variables, so it could lead to problems, and you aren't encrypting the password, another big no no.

[AnthonySterling]

<?php
$whitelist = array(
  'username',
  'password'
);

foreach($_POST as $key => $value){
  if(in_array($value, $whitelist)){
    $$key = mysql_real_escape_string(
      get_magic_quotes_gpc() ? stripslashes($value) : $value
    );
  }
}

[Olemus]

$username = $_POST['username'];
$password = $_POST['password'];

is actually the correct way of doing this. You also aren't escaping the variables, so it could lead to problems, and you aren't encrypting the password, another big no no.

I wasn't escaping them in that part, I shouldn't have put that as my example :p. That was just to help show what I wanted from the foreach loop. The escaping data would have been part of the foreach but it wasn't the question. Sorry for the confusion :(

And yeah I put them the wrong way round :( I was kind of in a hurry :(

Don't worry I am escaping and hashing passwords :D

[Calculator]

A similar question was recently posted here, have a quick look at this thread about the security concerns and possible solutions.

Here's a possible solution using array functions on $_POST to produce a filtered array which is then extracted. (Note: code not thoroughly tested)

<?php

// White list of allowed fields.
$allowed = array( 'username', 'password' );
// Make an array with these fields as keys, all values are null.
$allowed_keys = array_combine( $allowed, null );

// Compute the intersection based on the array keys
// of the unfiltered $_POST with the white list.
// The result is a filtered array which should be safe to extract.
// Note that $_POST is passed as the first parameter, as this array
// should be used for the values. (see PHP documentation)
$filtered = array_intersect_key( $_POST, $allowed_keys );

// Before extracting, we can escape all values in the array.
$filtered = array_map( "mysql_real_escape_string", $filtered );

// If an allowed field was not passed through POST, it won't
// be in the filtered array and the accompanying variable would
// not be set when extracting. We can assign nulls to all unset
// fields by merging the filtered array with the white list again.
// Note that $filtered is passed as the last parameter, as array_merge
// uses the last value in the resulting array.
$filtered = array_merge( $allowed_keys, $filtered );

// Now we can extract.
extract($filtered);

?>

A few remarks:

• It may not always be convenient to have all post variables escaped. For example, when echo'ing a username, you don't want those extra backslashes in your output. I suggest you to think about why you want this, perhaps there's a better solution.
  
• I'm not using any magic quotes related checks, I'll leave that for you to implement when necessary. Basically, you just need to make your own filter function and use that as callback for array_map.
  

Just remember to always use white lists (not black lists). :)