8

Can someone explain to me why you can't pass a key as reference?

Ex:

if(is_array($where)){
    foreach($where as &$key => &$value){
        $key = sec($key);
        $value = sec($value);
    }
    unset($key, $value);
}

Throws:

Fatal error: Key element cannot be a reference in linkstest.php on line 2

Can I do something similar using array_map? All I want to do is iterate over an associative array, and escape both the key and value with my sec() function.

Array map is difficult for me to understand:

I have tried many things with array_map, but I can't get it to act on the keys directly.

Would I get any performance benefit using array map than just using a foreach loop?

What I don't like about foreach is that I can't act on the array directly, and have to deal with creating temporary arrays and unsetting them:

foreach($where as $key => $value){
 $where[secure($key)] = secure($value);
}

This might fail if it finds something to escape in the key, adding a new element, and keeping the unescaped one.

So am I stuck with something like this?

$temparr = array();
foreach($where as $key => $value){
 $temparr[secure($key)] = secure($value);
}
$where = $temparr;
unset($temparr);

Any alternatives?

Ben
  • 745
  • 7
  • 23
  • This deserves a big old *Why*? What if `sec($key)` results in the value of another existing key? Do you just overwrite the existing key? You need to explain why in your application a key could be dangerous. – webbiedave Sep 30 '11 at 22:17
  • Why couldn't it be dangerous? You can easily change $_POST keys on forms, or with something like Tamperdata. Some keys I use in mysql queries. – Ben Sep 30 '11 at 22:24
  • I didn't say that they couldn't be. I said you need to explain why in *your application* a key could be dangerous. That will tell us the best approach to use for your situation. – webbiedave Sep 30 '11 at 22:30
  • Well I modify keys and values a lot, not just for mysql. I am learning PDO, and prepared statements, slowly so it will apply less there... But say I want to replace a string both in the key and value of an array, or change to uppercase, or do any number of things. – Ben Sep 30 '11 at 22:33

2 Answers2

10

Can someone explain to me why you can't pass a key as reference?

Because the language does not support this. You'd be hard-pressed to find this ability in most languages, hence the term key.

So am I stuck with something like this?

Yes. The best way is to create a new array with the appropriate keys.

Any alternatives?

The only way to provide better alternatives is to know your specific situation. If your keys map to table column names, then the best approach is to leave the keys as is and escape them at their time of use in your SQL.

webbiedave
  • 48,414
  • 8
  • 88
  • 101
0

why is it a problem to do that? Make it a function. A function takes an input and gives an output. Your function input will be your "unsecured" array. Your output will be the result of securing the array.

Then you just do

$where = secureMyArray($where);

That's why you have the ability to make functions...

Zak
  • 24,947
  • 11
  • 38
  • 68