$_POST foreach security?


jman11

1:33 pm on Oct 14, 2009 (gmt 0)

Is there a security issue with using:

foreach($_POST as $key => $value) {
    $$key = $value;
}

because I know if you use extract in the same way then it's like having register_globals = on. Is this the same thing, or am I fine to use it?

Pico_Train

2:47 pm on Oct 14, 2009 (gmt 0)

If you are worried, do this; it will definitely help:

foreach($_POST as $key => $value) {
    $post[$key] = mysql_real_escape_string($value);
}

eelixduppy

3:03 pm on Oct 14, 2009 (gmt 0)

Either of those is still emulating register_globals in the same way, but just for POSTed variables. It depends on where in your code you have this. You don't want to be overwriting any variables you have already set; even if you don't mean to, that doesn't mean someone can't POST something else to the script which would overwrite a variable you have there. If you can get around it, I would not use this little hack unless it was necessary.

idfer

7:37 pm on Oct 14, 2009 (gmt 0)

The loop in the OP is actually a bit worse than register_globals, at least on my development setup. register_globals doesn't override superglobals like $_SERVER, $_COOKIE and $_SESSION, but that loop does. You're probably safe if your script is super simple, but why take the chance?

The second loop isn't much better: it basically creates a copy of $_POST while emulating magic_quotes, sort of, because it breaks if some elements in $_POST are arrays. It's generally not a good idea to encode your values for a specific format (in this case SQL) so early in your script. If you need to use the values in some other format, e.g. an email message or echoing back to the browser, you need to undo the encoding, an extra step that complicates your program unnecessarily.

There's a reason magic_quotes and register_globals are being deprecated. Shortcuts just leave your program open to bugs and security holes. :)

jman11

4:27 am on Oct 15, 2009 (gmt 0)

Makes sense. There is no real reason for me to use it, other than my laziness to type underscores and caps :P I'll do without for now, thanks.

idfer

6:34 pm on Oct 15, 2009 (gmt 0)

Ah, if it's to avoid the dreaded underscores, give this a try:

function getPostVars($vars) {
    $values = array();
    foreach($vars as $key) {
        $values[$key] = $_POST[$key];
    }
    return $values;
}
extract(getPostVars(array('field1', 'field2', 'etc')));

For security, the important thing is that you only reference selected entries in $_POST, so attackers can't inject their own values into other variables.

You could even expand that function to trim values and/or stripslashes if magic_quotes is on, e.g.:

function getPostVars($vars) {
    $values = array();
    foreach($vars as $key) {
        if(isset($_POST[$key]) && !is_array($_POST[$key]))
            $values[$key] = trim($_POST[$key]);
        elseif(isset($_POST[$key]))
            $values[$key] = $_POST[$key]; // arrays are passed through untouched
        else
            $values[$key] = null;         // missing field: explicit null instead of an undefined-index notice
    }
    return $values;
}
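To make the difference between the two approaches concrete, here is an added, self-contained example (not code from anyone in this thread). It constructs a fake $_POST containing a key the form never sends, runs it through the OP's variable-variable loop and through a whitelisted getPostVars(), and shows that only the first lets the client overwrite a variable the script already set. The function names riskyImport() and safeImport() and the field names are assumptions for the demo.

```php
<?php
// Added example, not from the thread. $_POST is constructed here so the
// script runs from the command line without a real request.
$_POST = array('username' => 'alice', 'isAdmin' => '1');

// The OP's pattern: every POSTed key becomes a variable in this scope.
function riskyImport(array $post) {
    $isAdmin = false;                  // set by the application, not by the client
    foreach ($post as $key => $value) {
        $$key = $value;                // 'isAdmin' in the request clobbers $isAdmin
    }
    return array('isAdmin' => $isAdmin);
}

// idfer's approach: only the named fields are copied out of the request.
// Takes the request array as a parameter so it can be tested offline.
function getPostVars(array $vars, array $post) {
    $values = array();
    foreach ($vars as $key) {
        if (!isset($post[$key])) {
            $values[$key] = null;          // missing field: explicit null, no notice
        } elseif (is_array($post[$key])) {
            $values[$key] = $post[$key];   // arrays pass through; trim() would break them
        } else {
            $values[$key] = trim($post[$key]);
        }
    }
    return $values;
}

function safeImport(array $post) {
    $isAdmin = false;
    // Only 'username' and 'email' are extracted; the POSTed 'isAdmin' is ignored,
    // so the application's $isAdmin keeps the value it was given above.
    extract(getPostVars(array('username', 'email'), $post));
    return array('isAdmin' => $isAdmin, 'username' => $username, 'email' => $email);
}

var_dump(riskyImport($_POST));   // isAdmin carries the client-supplied value
var_dump(safeImport($_POST));    // isAdmin is still the application default
```

Run with `php example.php`; the first dump shows $isAdmin replaced by the string from the request, the second shows it untouched and the unsent 'email' field as null.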

Pico_Train

4:48 am on Oct 16, 2009 (gmt 0)

If it is a multi-dimensional array, I don't use that "hack". So far so good, no problems with it since I've been using it by sending $_POST to my function and renaming it $post. But thanks for the insight...