
I often use the following lines to simplify handling form input.

foreach($_POST as $key => $value){
    $$key = $value;
}

This is really handy because you only need three lines and you've got all of the things you submitted as variables, but every time I use it, I think that I am overlooking something. There is a bit of danger in accidentally having multiple variables named the same thing, but I'm more worried about security. Is there some way that this would be a vulnerability in that regard? i.e. the user fabricates some form input with a malicious name?

pocketg99
  • Your code is very similar to what [`register_globals`](https://php.net/manual/security.globals.php) used to do. And that feature was removed for [good reasons](https://stackoverflow.com/questions/1417373/why-is-register-globals-so-bad). – Yoshi Mar 19 '15 at 15:19

1 Answer


First of all, you can do this with extract, no loop required:

extract($_POST);

As far as security concerns, of course there are security concerns anytime you use user submitted data. You want to be sanitizing any user input. This holds true regardless of whether you extract the input to local variables or just use the $_POST array.

Some would argue that extracting to local variables makes it easier to forget to sanitize, since it's less clear later in your code which variables are user submitted.

Bringing user submitted data into local variables makes it easy for a user to overwrite a pre-existing local variable that you set up (unless you use the EXTR_SKIP flag).

I'd advise against the practice.

JoeCoder
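The overwrite the answer describes, shown end to end as an added example (this is not code from the question or the answer; the input array, the handler function names and the field names are constructed for the demo, and a plain PHP array stands in for a live $_POST so it runs from the command line). It also shows the limit of EXTR_SKIP and the allowlist shape that avoids the problem.

```php
<?php
declare(strict_types=1);

// Constructed form submission (not a real request). The page's form only has
// "username" and "comment"; the other two fields were added by the client.
$submitted = [
    'username' => 'alice',
    'comment'  => 'hello',
    'is_admin' => '1',     // name chosen to collide with an application variable
    'error'    => 'fake',  // name chosen to collide with a variable tested with isset()
];

// The pattern from the question: every submitted field becomes a local variable.
function handler_variable_variables(array $post): bool
{
    $is_admin = false;             // decided by the application, not the user
    foreach ($post as $key => $value) {
        $$key = $value;            // key "is_admin" assigns $is_admin = "1"
    }
    return (bool) $is_admin;       // "1" is truthy, so this returns true
}

// extract() with its default flag (EXTR_OVERWRITE) behaves the same way.
function handler_extract(array $post): bool
{
    $is_admin = false;
    extract($post);
    return (bool) $is_admin;       // true
}

// EXTR_SKIP keeps variables that already exist at the time of the call, so
// $is_admin survives. A variable the code only checks later, such as $error
// below, was not defined yet and is still created from the request.
function handler_extract_skip(array $post): array
{
    $is_admin = false;
    extract($post, EXTR_SKIP);
    $error_set = isset($error);    // true: the user supplied a field named "error"
    return ['is_admin' => (bool) $is_admin, 'error_set' => $error_set];
}

// The safer shape: read only the fields the form defines, by name, validate
// each one, and ignore everything else in the request. The $_POST origin of
// each value also stays obvious at the point of use.
function handler_allowlist(array $post): array
{
    $fields = ['username' => 32, 'comment' => 1000];   // name => max length
    $input = [];
    foreach ($fields as $name => $maxLen) {
        $value = $post[$name] ?? '';
        if (!is_string($value)) {  // a field[]=x submission arrives as an array
            $value = '';
        }
        $input[$name] = substr(trim($value), 0, $maxLen);
    }
    return $input;                 // is_admin and error never become variables
}

printf("variable variables: is_admin=%s\n", var_export(handler_variable_variables($submitted), true));
printf("extract():          is_admin=%s\n", var_export(handler_extract($submitted), true));
print_r(handler_extract_skip($submitted));
print_r(handler_allowlist($submitted));
```

Run it with `php` on the command line. The first two handlers report `is_admin=true` from a request that never had the right to set it; the EXTR_SKIP handler keeps `is_admin` false but still reports `error_set` true, because the flag only protects variables that already exist when extract() runs. Reading named fields through an allowlist, as in the last handler, is the version that does not depend on the order in which variables happen to be declared.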