
Re: [phpResource] Using extract();

  • Paul Herring
    Message 1 of 5 , Aug 1 1:30 AM
      On 8/1/06, Bob <helldrivers@...> wrote:
      If I use extract($_POST, EXTR_IF_EXISTS);
       
      How do I define which variables will be received?
      I'm presuming that I can limit what gets through.
       
      The manual doesn't give much help to me:-
      "Only overwrite the variable if it already exists in the current symbol table, otherwise do nothing. This is useful for defining a list of valid variables and then extracting only those variables you have defined out of $_REQUEST".

      Which part of that are you having difficulty with?

      <?php // start of scope
      $postvar1 = 0;
      $postvar2 = 0;
      // Overwrites $postvar1 and $postvar2 if supplied in $_POST;
      // does not create any other variables.
      extract($_POST, EXTR_IF_EXISTS);
      ?>

      Incidentally, you /did/ notice the warning in the manual? From http://uk.php.net/extract :

      Do not use extract() on untrusted data, like user-input ($_GET, ...). If you do, for example, if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.

      EXTR_IF_EXISTS is an overwriting extract_type value - the type specifically contraindicated by this warning.



      --
      PJH

      Into motorcycles? Need parts? Try www.gissit.com to contact lots of motorcycle breakers - free to use (UK based at the moment)
    • Bob
      Message 2 of 5 , Aug 1 9:06 AM
        ----- Original Message -----
        From: Paul Herring
        Which part of that are you having difficulty with?

        Hi Paul,

        It was just how to set them:
        $postvar1 = 0;
        $postvar2 = 0;
        Now that I've seen your example, it's obvious. The current symbol table threw me. I was thinking there must be some fancy way of setting it :-)

        I see your point that if someone guessed any variable I was using (and it had a value, or not null), it would get overwritten. I'm beginning to think that extract() isn't such a good idea for $_POST, yet it's shown in many examples I've seen.
        Regards, Bob E.

      • Paul Herring
        Message 3 of 5 , Aug 1 10:08 AM
          On 8/1/06, Bob <helldrivers@...> wrote:
          I see your point that if someone guessed any variable I was using (and it had a value, or not null), it would get overwritten. I'm beginning to think that extract() isn't such a good idea for $_POST, yet it's shown in many examples I've seen.
           

          You may want to come up with your own function to do this - there's source in the link I provided which could give you a start perhaps.


          --
          PJH

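The overwrite risk Paul describes in message 1 (any variable that already exists in scope can be clobbered by a client who guesses its name) and the hand-written replacement he suggests in message 3, as an added PHP example that is not code from this thread. `read_post_fields` is a hypothetical helper name chosen here; `$_POST` is replaced with a constructed array so the script runs from the command line.

```php
<?php
// Added example, not from the original thread.
// Shows why extract($_POST, EXTR_IF_EXISTS) is dangerous and what an
// explicit allowlist looks like instead.

// Constructed, attacker-controlled request: besides the two expected
// fields the client also sends 'is_admin', guessing an internal name.
$_POST = [
    'username' => 'alice',
    'comment'  => 'hello',
    'is_admin' => '1',
];

// --- Unsafe: the pattern discussed in the thread ---
function handle_unsafe(array $post): array
{
    $is_admin = false;   // internal state, never meant to come from the client
    $username = '';
    $comment  = '';

    // EXTR_IF_EXISTS only overwrites variables that already exist in the
    // current symbol table. $is_admin exists, so the client overwrites it too.
    extract($post, EXTR_IF_EXISTS);

    return ['username' => $username, 'comment' => $comment, 'is_admin' => $is_admin];
}

// --- Safer: an explicit allowlist instead of extract() ---
// Hypothetical helper. $allowed maps field name => default value; only those
// keys are read from $post, and each value is coerced to the default's type.
function read_post_fields(array $post, array $allowed): array
{
    $out = [];
    foreach ($allowed as $name => $default) {
        if (!array_key_exists($name, $post)) {
            $out[$name] = $default;
            continue;
        }
        $value = $post[$name];
        if (is_array($value)) {
            // Reject array-style parameters (name[]=...) for scalar fields.
            $out[$name] = $default;
        } elseif (is_int($default)) {
            $valid = filter_var($value, FILTER_VALIDATE_INT);
            $out[$name] = ($valid === false) ? $default : $valid;
        } else {
            $out[$name] = (string) $value;
        }
    }
    return $out;
}

function handle_safe(array $post): array
{
    $is_admin = false;   // not in the allowlist, so the client cannot touch it
    $fields = read_post_fields($post, ['username' => '', 'comment' => '']);
    return $fields + ['is_admin' => $is_admin];
}

// Compare the two: only the unsafe version lets 'is_admin' through.
var_dump(handle_unsafe($_POST));
var_dump(handle_safe($_POST));
```

Run it with `php extract_demo.php` (any file name) and compare the two dumps: in `handle_unsafe` the `is_admin` entry carries the client-supplied string, in `handle_safe` it keeps its internal default. The allowlist version also fixes the type of each field, which `extract()` never does, since whatever arrives in `$_POST` (string or array) lands in the variable as-is.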