Jump to content

Correct way to handle unknown GET or POST input

tHud

By tHud
in PHP Coding Help

 Share

Recommended Posts

tHud Member

tHud

Posted
Posted

Hi :)

 

I would like to use a script that could capture GET or POST variables.

 

As I am relatively new to PHP I am not using OOP so have a script that feeds back either POST or GET.

 

As the script doesn't know what it's going to receive, I have been doing this sort of thing...

 


$PARAMS = (count ($HTTP_POST_VARS )) ? $HTTP_POST_VARS : $HTTP_GET_VARS;
foreach ($PARAMS as $key=>$value){ 
if ($key == "product")	{Product();     }
if ($key == "catalog") 	{Category();  }
if ($key == "quality")       {Quality();      }
if ($key == "featured")    {Featured();   }
}

 

But I don't think this is right, is it?

Cold someone direct me to a better way to catch a 'variety' of different inputs/ variables?

 

I'm sorry if I'm not being clear, I'm just trying to improve my understanding and I'm kind of vague on the whole issue right now :(

 

 

 

 

Link to comment
Share on other sites
leehanken Newbie

leehanken

Posted
Posted

I think something to bear in mind is that there could be both post AND get parameters at the same time, so it might be worth checking each. One feature of php is the  $_REQUEST array which is discussed here: http://php.net/manual/en/reserved.variables.request.php with some useful code examples in the comments.

 

The approach you describe is perfectly valid. A switch statement might make it clearer:

...
switch($key) {
case 'product': Product(); break;
case 'category': Category(); break;
case 'quality': Quality(); break;
case 'featured': Featured(); break;
}
...

 

or even, this (very unsecure) code:

 

...
$key = ucfirst(strtolower($key));
if function_exists($key) call_user_function($key,$value);
...

Link to comment
Share on other sites
tHud Member

tHud

Posted
  • Author
Posted

Thank you very much for the response.

I will certainly follow the link you suggested.

 

May I ask* why you say the second code snippet is "very unsecure"?

 

Thanks again :)

 

 

 

* cos it looks pretty cool to my (inexperienced) eye ;)

Link to comment
Share on other sites
leehanken Newbie

leehanken

Posted
Posted

Just that it takes whatever parameter the browser sends to it, and calls a function of that name if the function exists. This would be insecure if a hacker wanted to call some function in your code they could pass anything.

 

This should really not be a problem for educational use.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.