Create variables from $_POST

**flann** · 08-17-2007, 02:23 PM

When I first started using php, I would manually create a variable from $_POST like so.

PHP Code:


			
$name = $_POST['name'];
$email = $_POST['email'];

My lack of knowledge of php at the time cost me lots of time creating these variables. Sure, you could simply turn on register_globals, but that's a security thing.

Here is a way that you can simply create variable from post and also a simple function to sanitize them a bit.

PHP Code:


			
function sanitize($v) {
 return htmlentities(stripslashes(strip_tags($v)));
}

foreach ($_POST as $n=$v) {
 ${$n} = sanitize($v);
}

Now you'll have sanitized variables created.

**goheadtry** · 08-17-2007, 03:03 PM

Do not make them into variables you may end up with injection which is a bad thing ; figure out a way to read the format and if it is in the wrong format make it say this is not an email ETC.

**flann** · 08-17-2007, 03:15 PM

do you know of a way to improve my sanitize function to avoid injection?

**bhgchris** · 08-17-2007, 03:20 PM

If you're trying to create variables from the indexes of the $_POST array, the solution you posted will work fine. I'm guessing your reason for wanting to do this is simply so you don't have to type out $_POST['']

I have a function similar to your sanitize() function but I call mine sql_insert(). I like your verbage better

**flann** · 08-17-2007, 04:00 PM

goheadtry suggested that someone could inject into my code. Am I missing anything in my sanitize() function that could pose a security risk? If so, could I see some samples of how to inject into my code.

**bhgchris** · 08-17-2007, 04:07 PM

Your sanitize() looks safe to me. I'm not sure what goheadtry was referring to. Then again, I am not xss/sql injection expert.

Maybe try to test your own forms with some of the xss/injection methods listed here:

http://ha.ckers.org/xss.html

**JamieLewis** · 08-17-2007, 04:11 PM

Looks completely fine. A nice way to neutralise use input. Ignore goheadtrys comment, I think he got confused between injection threats and validation.

Jamie

**dansgalaxy** · 08-17-2007, 04:13 PM

i would like to learn more about how injecting works.. anyone got any good sites to look at which have examples etc?

Dan

**JamieLewis** · 08-17-2007, 04:19 PM

Dan: Injecting is the process of inserting code into an sql statement to do something unintended, this could be anything from making the database spew its contents to gaining admin privs.

It is amazing how many sites still don't employ the simple defenses, all they need to do is strip use input of slashes and other special characters.

The most simple injection in 'OR 1=1, this is used in admin login forms to gain permissions. If you imaging the sql statement would evaluate to 2, if no checking is done of passwords after wards then the site would give the user the privs.

Jamie

**bhgchris** · 08-17-2007, 04:20 PM

check out the link I just posted

**dansgalaxy** · 08-17-2007, 04:23 PM

i did and in the first few lines it said this isnt for people who dont know about it.. i looked but couldnt see injections for dummies link

**bhgchris** · 08-17-2007, 04:24 PM

wikipedia is god: http://en.wikipedia.org/wiki/SQL_injection

**dansgalaxy** · 08-17-2007, 04:29 PM

dont you find ti funny how the best sites as in the most useful with info dont have ads or have minimal small text ads..

**mgraphic** · 08-17-2007, 04:48 PM

Christopher has some good posts on the subject of SQL injections and XSS attacks.

http://www.webmaster-talk.com/php-fo...injection.html

http://www.webmaster-talk.com/php-fo...s-attacks.html

**flann** · 08-17-2007, 05:03 PM

another good way to avoid sql injections is to use prepared statements. PDO and Pear both offer a good solution to this for PHP.

**dansgalaxy** · 08-17-2007, 08:44 PM

ill have a look see at thoese threads.

Is this kidn of thing something that should be a issue when making scripts?
like whats the chnaces of it happening?

**goheadtry** · 08-18-2007, 02:59 AM

Quote:

Originally Posted by JamieLewis

Dan: Injecting is the process of inserting code into an sql statement to do something unintended, this could be anything from making the database spew its contents to gaining admin privs.

It is amazing how many sites still don't employ the simple defenses, all they need to do is strip use input of slashes and other special characters.

The most simple injection in 'OR 1=1, this is used in admin login forms to gain permissions. If you imaging the sql statement would evaluate to 2, if no checking is done of passwords after wards then the site would give the user the privs.

Jamie

Yes or giving it a command that will fail and another command that will take it's place which then is used as the command instead what are variables think about place holders if you are giving a place holder a value that can be inputed like this do=update for example and it does sql commands they could change update to delete do you see what I mean? or file=ham.php instead file=../password.txt because you made it go one directory behind the main site etc or forgotpassword='OR 1=1 things like that

**dansgalaxy** · 08-18-2007, 07:10 AM

Ok i think i kind get the idea,

Im using

PHP Code:


			
$user             =(isset($_POST['user']))      ? mysql_real_escape_string($_POST['user'],$link_db)      : '';

so am i right that this is "protecting" me from this kind of thing?

where as if i was using just

PHP Code:


			
$user = $_POST['user'];

they could do SQL injection?
Thanks,
Dan