Jump to content

Foreach and filter question

dk4210

By dk4210
in PHP Coding Help

 Share

Recommended Posts

dk4210 Regular Member

dk4210

Posted
Posted

Hello guy,

 

Just wanted to see how I could resolve this issue

 

I have a foreach loop here that will spit out the vars.

 

foreach (array_keys($_POST) as $key) {
    $$key = $_POST[$key];
   print "$key is ${$key}<br />";
} 

   echo "<br><br><br>This is the viewname" . $viewname;
   echo "<br><br><br>This is the price" . $price;

 

 

I am trying to run the post vars through a filter (The filter name is filter($value) but I cant get it to work.

 

I tried this

 

foreach (array_keys($_POST) as $key) {
    $$key = $_POST[$key];
    $$key = filter($value);
    print "$key is ${$key}<br />";
} 

   echo "<br><br><br>This is the viewname" . $viewname;
   echo "<br><br><br>This is the price" . $price;

 

Any ideas?

 

Thanks, Dan

Link to comment
https://forums.phpfreaks.com/topic/232290-foreach-and-filter-question/
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Variable-variables are three times slower than using an array variable. Why did you switch what you are doing, from your existing thread for this problem?

 

Also, the code you current have exhibits the same security hole that was mentioned in your existing thread and will allow a hacker to set any of your existing variables. So, for example, if you have a variable $admin that determines if I am an administrator to your script, a hacker can set that by including a $_POST['admin'] value when he submits to your code and he can do anything that your script allows an administrator to do.

 

You are trying to execute a filter function on the post data to make it safe, but you are opening up a security hole that is more serious than what the form data could possibly do.

dk4210 Regular Member

dk4210

Posted
  • Author
Posted

Ok point taken so how to I resolve it..

 

Here is my foreach

 

   foreach ($_POST as $key=>$value) {
    $$key = $_POST[$key];
    $$key = filter($value);
    print "$key is ${$key}<br />";
}

 

Here is my filter function

function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));

    if (get_magic_quotes_gpc())
        $data = stripslashes($data);

    $data = mysql_real_escape_string($data);

    return $data;
}

 

How would I code it to patch the gaping security hole that you are referring to?

 

Thanks for all your help

 

dk4210 Regular Member

dk4210

Posted
  • Author
Posted

Hey I tried this code

 

foreach ($_POST as $key => $value) {
    $_POST[$key] = filter($value);
    print "{$key} is {$_POST[$key]}<br />";
    }

 

But when I echo out vars it doesn't work. It did with the 

Like this 
echo "<br><br><br>This is the viewname" . $ad_title;
   echo "<br><br><br>This is the price" . $price;

 

It did work with this code but had the security issue

foreach (array_keys($_POST) as $key) {
    $$key = $_POST[$key];
    $$key = filter($value);
    print "$key is ${$key}<br />";
}

 

Please advise..

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Someone gave two different ways of doing this, that are secure, in your first thread for this  -

 

...you should only convert expected variables ...

 

... or you should insure that the variables you create have their own unique name-space so that they cannot overwrite any of your existing program variables.

 

#1 can be accomplished by making an array of the expected index names and use that to iterate over the $_POST array.

 

#2 can be accomplished several different ways -

 

a) Using the $_POST['....'] variables directly in your code (after applying your filter function to them.)

b) Using your $mydata['....'] variables.

c) Using extract() with either the EXTR_PREFIX_ALL or the EXTR_SKIP flag.

 

 

dk4210 Regular Member

dk4210

Posted
  • Author
Posted

That seems to work. But I have a question here.

Does EXTR_PREFIX_ALL add a prefix onto the var name?

 

If so, would it be a good idea to append a prefix and then code a check to make sure that all vars have that prefix and if they don't error out?

 

I was even thinking of creating a table in the db of allowed vars, so if a hacker tried to inject rouge vars, that it would catch it.. Its like a white list

 

What are your thoughts on that?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.