How to access $ POST key names and values in a function

Using drop-down results from a dynamically generated form

         

WaveLength

11:36 pm on Jul 8, 2011 (gmt 0)

10+ Year Member



This code is for a survey. Participants are asked to rate factors that might motivate them on a scale of 1 to 7. The number of factors may vary, so I have used a loop to create the necessary drop down boxes, as needed.

After submitting the form, I need to refer to the drop down boxes by name, in order to store the names and values with an INSERT MySQL query.

Unfortunately, I have not found a way to refer to both the field names and the values. Does anyone know how? I would very much appreciate a complete answer, as my knowledge of programming is limited. Thanks. Here is some of the form code:


<form action="" method="post" name="FeedbackForm">
<p>Please choose a number to represent the impact each of these factors had on your choice today. 1 means not important, while 7 means extremely important.</p>
<script language="php">
# Note: the <script language="php"> tag was removed in PHP 7; the normal PHP open/close tags are the portable form.
$_SESSION['ReasonsMultipleChoice'] = getReasonsMultipleChoice(); # The factors (choice reasons) come from a MySQL table, ORDER BY RAND().
$_SESSION['CountReasons'] = count($_SESSION['ReasonsMultipleChoice']);

for ($i = 1; $i <= $_SESSION['CountReasons']; $i++)
{
    # One <select> per factor, named Reason<ReasonID>[]
    $ReasonID = "Reason" . $_SESSION['ReasonsMultipleChoice'][$i]['ReasonID'] . '[]';
    print "<select name='$ReasonID' >";

    for ($k = 1; $k <= 7; $k++)
    {
        print "<option value='$k'>$k</option>";
    }
    print "</select> " . $_SESSION['ReasonsMultipleChoice'][$i]['ReasonDescription'] . " <br />"; # This is just the name of each factor.
}
</script>
<input type='submit' name='FeedbackButton' value='Submit your feedback.'>
</form>



I found the following code on a forum - to use after posting - but don't know how to make it work:


foreach (array_keys($_POST) as $key){
$$key = $_POST[$key];
print "$key is ${$key}<br />";
}


The results look like this:
Reason2 is Array
Reason5 is Array
Reason8 is Array
etc

These results are not useful.

I have also tried extract(), but I don't know how to use the results, and security seems to be an issue.

Does anyone know how to access the dynamically generated $_POST key names and values for use in a function - in order to insert the form results into a MySQL table?

Thanks.

WaveLength

11:58 pm on Jul 8, 2011 (gmt 0)

10+ Year Member



Okay, I figured out how to improve the results by shortening one line, as follows:

$ReasonID = "Reason".$_SESSION['ReasonsMultipleChoice'][$i]['ReasonID'];

WaveLength

12:40 am on Jul 9, 2011 (gmt 0)

10+ Year Member



I've figured it out - I think. Any suggestions for improvement?

Is this particularly vulnerable to attack? If so, how can I make it more secure?

if (isset($_POST['FeedbackButton']))
{
    $i = 1;
    foreach (array_keys($_POST) as $key) {
        $$key = $_POST[$key];
        if (substr($key, 0, 6) == "Reason")
        {
            $_SESSION['Reason']['ID'][$i] = substr($key, 6);
            $_SESSION['Reason']['Strength'][$i] = ${$key};
            $i += 1;
        }
    }
}

penders

12:08 pm on Jul 9, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



foreach (array_keys($_POST) as $key) {
    $$key = $_POST[$key];
    ...


I'm not sure why you feel you need to do this. This turns your $_POST array into a series of (global) variables, i.e. $_POST['ReasonX'] results in a global variable being created called $ReasonX holding the value $_POST['ReasonX']. This emulates the register_globals directive and is indeed a potential security problem. A hacker could (potentially) submit garbage in the $_POST array and overwrite some of your legitimate global variables.

To step through the keys and values in your $_POST array you can use a variation of the foreach() statement...

if (isset($_POST['FeedbackButton'])) {
    $i = 1;
    foreach ($_POST as $key => $value) {
        if (substr($key, 0, 6) == "Reason") {
            $_SESSION['Reason']['ID'][$i] = substr($key, 6);
            $_SESSION['Reason']['Strength'][$i] = $value;
            $i += 1;
        }
    }
}


You probably also want to validate that $value is indeed a value between 1 and 7 before assigning to your session variable. (A hacker could submit anything.)
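An added example (not code from the thread) that puts the two points above in one place: the Reason fields are picked out by an exact key pattern rather than by turning $_POST keys into variables, the value is validated as an integer from 1 to 7, and the result is stored with a prepared statement instead of a hand-built INSERT. It assumes the reason IDs are integers, that the IDs the form offered are available server-side (the thread keeps them in the session), and a hypothetical table feedback_reason(participant_id, reason_id, strength); the sample submission is constructed.

```php
<?php
declare(strict_types=1);

/**
 * Pick the dynamically named Reason<id> fields out of a POST array and
 * return [reasonId => rating]. Unknown keys, IDs the form never offered,
 * non-integer values and values outside 1..7 are reported in $rejected and
 * never stored. No variable variables: nothing in $post becomes a variable.
 */
function collectReasonRatings(array $post, array $expectedIds, array &$rejected = []): array
{
    $allowed = array_fill_keys($expectedIds, true);   // IDs the server put on the form
    $ratings = [];
    foreach ($post as $key => $value) {
        // Only keys of the exact form Reason<digits> are considered at all.
        if (!preg_match('/^Reason(\d{1,6})\z/', (string) $key, $m)) {
            continue;                                  // e.g. FeedbackButton, or junk keys
        }
        $id = (int) $m[1];
        if (!isset($allowed[$id])) {
            $rejected[$key] = 'reason id was not on the form';
            continue;
        }
        // The <select> only offers 1..7, but the server must enforce that itself.
        $rating = filter_var($value, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 7]]);
        if ($rating === false) {                       // also false for array values
            $rejected[$key] = 'rating is not an integer from 1 to 7';
            continue;
        }
        $ratings[$id] = $rating;
    }
    return $ratings;
}

/**
 * Store the ratings with a prepared statement: the values are bound as
 * parameters, so user input is never spliced into the SQL text.
 * Assumed (hypothetical) table: feedback_reason(participant_id, reason_id, strength).
 */
function storeReasonRatings(PDO $db, int $participantId, array $ratings): void
{
    $stmt = $db->prepare(
        'INSERT INTO feedback_reason (participant_id, reason_id, strength)
         VALUES (:pid, :rid, :strength)'
    );
    $db->beginTransaction();
    try {
        foreach ($ratings as $reasonId => $strength) {
            $stmt->execute([':pid' => $participantId, ':rid' => $reasonId, ':strength' => $strength]);
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed sample submission: two good ratings, one out-of-range value,
// one reason the form never offered, and an unrelated key that $$key would
// have turned into a global variable.
$samplePost = [
    'Reason2'        => '5',
    'Reason5'        => '1',
    'Reason8'        => '9',
    'Reason99'       => '3',
    'loggedIn'       => '1',
    'FeedbackButton' => 'Submit your feedback.',
];
$rejected = [];
$ratings  = collectReasonRatings($samplePost, [2, 5, 8], $rejected);
var_export($ratings);  echo PHP_EOL;
var_export($rejected); echo PHP_EOL;

// In the real handler (after session_start() and a successful login):
// storeReasonRatings($db, $participantId, $ratings);  // $db: a PDO connection, hypothetical
```

The allow-list of IDs is what makes the "number of reasons could vary" case safe: the form handler accepts exactly the reasons the server chose for that participant and nothing else, without needing to know in advance how many there are.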

Readie

2:35 pm on Jul 10, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



foreach (array_keys($_POST) as $key) { 
$$key = $_POST[$key];


As Penders said: This is a massive security flaw. A far better approach is to loop through an array of expected keys:

foreach (array(
    'postKeyOne',
    'postKeyTwo'
) as $key) {
    if (isset($_POST[$key])) {
        $$key = $_POST[$key];
    }
}

WaveLength

9:31 pm on Jul 12, 2011 (gmt 0)

10+ Year Member



Thanks for both suggestions. I don't fully understand why this is a security flaw, but I have taken your advice. I have used penders' suggestion, because the number of reasons could vary.

As for cleaning user input in the $_POST array, I have been relying on the following code. Is it adequate?




function ValidateInput()
{
    $temp = $_POST;      # work on a copy, then put the cleaned copy back
    $_POST = array();

    foreach ($temp as $key => $value)   # was $_temp, an undefined variable, so the loop never ran
    {
        $cleanthis = $value;
        $cleanthis = @substr($cleanthis, 0, 1000);
        include('cleanthis.php');       # the entity/character replacements below
        $cleanthis = trim(strip_tags($cleanthis));
        $temp[$key] = $cleanthis;
    }
    $_POST = $temp;
}



Here is the include code:


$cleanthis = preg_replace('/&#35/i', '#', $cleanthis);
$cleanthis = preg_replace('/&#37/i', '%', $cleanthis);
$cleanthis = preg_replace('/&#38/i', '&', $cleanthis);
$cleanthis = preg_replace('/&#40/i', '(', $cleanthis);
$cleanthis = preg_replace('/&#41/i', ')', $cleanthis);
$cleanthis = preg_replace('/&#58/i', ':', $cleanthis);
$cleanthis = preg_replace('/&#59/i', ';', $cleanthis);
$cleanthis = preg_replace('/&#60/i', '<', $cleanthis); # &#60 is '<' and &#62 is '>'
$cleanthis = preg_replace('/&#62/i', '>', $cleanthis);
$cleanthis = preg_replace('/&#61/i', '=', $cleanthis);
$cleanthis = preg_replace('/&#091/i', '[', $cleanthis);
$cleanthis = preg_replace('/&#093/i', ']', $cleanthis);
$cleanthis = preg_replace('/&#094/i', '^', $cleanthis);
$cleanthis = preg_replace('/&#096/i', '\`', $cleanthis);
$cleanthis = preg_replace('/&#123/i', '{', $cleanthis);
$cleanthis = preg_replace('/&#125/i', '}', $cleanthis);

$cleanthis=stripslashes($cleanthis);

$cleanthis = preg_replace('/</i', '', $cleanthis);
$cleanthis = preg_replace('/>/i', '', $cleanthis);
$cleanthis = preg_replace('/"/i', '', $cleanthis);
$cleanthis = preg_replace('/#/i', '', $cleanthis);
$cleanthis = preg_replace('/%/i', '', $cleanthis);
$cleanthis = preg_replace('/:/i', '', $cleanthis);
$cleanthis = preg_replace('/;/i', '', $cleanthis);
$cleanthis = preg_replace('/=/i', '', $cleanthis);
$cleanthis = preg_replace('/\[/i', '', $cleanthis);
$cleanthis = preg_replace('/]/i', '', $cleanthis);
$cleanthis = preg_replace('/\^/i', '', $cleanthis);
$cleanthis = preg_replace('/\`/i', '', $cleanthis);
$cleanthis = preg_replace('/{/i', '', $cleanthis);
$cleanthis = preg_replace('/}/i', '', $cleanthis);
$cleanthis = preg_replace('/&&/i', '', $cleanthis);
$cleanthis = preg_replace('/--/i', ' ', $cleanthis);



$cleanthis=addslashes($cleanthis);


Thanks.
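An added example, not from the thread, that puts a condensed version of the ValidateInput() blacklist beside the alternative: validate each field for what it is, keep the stored value intact, and escape only at the point where it reaches HTML. The form as posted has only 1-to-7 select fields, so the free-text comment field here is an assumption used to show the difference; the input string is constructed, and the mbstring extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Condensed stand-in for the thread's ValidateInput() + cleanthis.php:
// delete a fixed list of characters, then addslashes() for SQL.
function blacklistClean(string $value): string
{
    $value = substr($value, 0, 1000);
    $value = str_replace(
        ['<', '>', '"', '#', '%', ':', ';', '=', '[', ']', '^', '`', '{', '}'],
        '',
        $value
    );
    return addslashes(trim(strip_tags($value)));
}

// Alternative: validate a free-text field (assumed; the posted form has none)
// for what it is, a bounded UTF-8 string, and reject rather than rewrite it.
function validateComment($value, int $maxLen = 1000): ?string
{
    if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
        return null;                     // arrays, binary junk: reject
    }
    $value = trim($value);
    return mb_strlen($value) <= $maxLen ? $value : null;
}

// Escape for HTML only when the value is rendered; the stored text stays intact.
function renderComment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample: a harmless answer containing characters the blacklist deletes.
$raw = "O'Brien: rated 5/7 at 1:30pm <3 #sale";

echo "blacklist: ", blacklistClean($raw), PHP_EOL;          // characters lost, and escaped for one context only
$comment = validateComment($raw);
echo "validated: ", $comment ?? 'REJECTED', PHP_EOL;        // text unchanged
echo "as HTML:   ", renderComment($comment ?? ''), PHP_EOL; // escaped here, for this context
// For the INSERT, bind $comment as a parameter of a prepared statement instead of
// editing it: the database driver handles the SQL context, as htmlspecialchars() handles HTML.
```

The blacklist mangles legitimate answers (the colon, apostrophe handling and "<3" above) while still not covering every context the value may later be used in; validation plus per-context escaping keeps the data as the participant entered it and lets the database driver and the HTML escaper each handle their own syntax.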