Safely extracting variables in PHP
by Amit Arora
Published: August 7, 2003
User Rating: 7.7 (20 votes)


Overview

Every one of us has, at one time or another, had to build a form, anything from a small feedback form to a complex data-entry module. After the form is submitted we process it and take the appropriate action, whether that is mailing the contents or entering the data into a database.

But before we can do that, we have to prepare the data according to the server configuration, taking care of the magic_quotes_gpc = On/Off and register_globals = On/Off settings.

This has caused more confusion since PHP 4.2.0, where register_globals was turned off by default for security reasons (PHP 4.1.0 had already introduced the $_GET and $_POST superglobals as the replacement).

Problem

Let's take a simple example to highlight the problem, a small feedback form:

<form name='frmFeedback' action='post.php' method='post'>
  Name <input type='text' name='name' /><br />
  Email <input type='text' name='email' /><br />
  Subject <input type='text' name='subject' value='<?php echo htmlspecialchars($subject, ENT_QUOTES); ?>' /><br />
  <input type='submit' value='Send' />
</form>

Now if we call this form as http://www.digitalamit.com/feedback.php?subject=Testing, the value "Testing" should be placed in the subject field. BUT when the form is called as http://www.digitalamit.com/feedback.php?email=email@domain.com, we do not want that address to appear in the email field (to prevent anyone from pre-filling it through a link).

Case 1: register_globals = On;
In this case, calling the URL http://www.digitalamit.com/feedback.php?subject=testing&email=email@domain.com (or submitting the form) creates a global variable $email = 'email@domain.com', which we don't want. But it also creates $subject = 'testing', which we do want. Every request parameter becomes a global, so the script has no way of telling which ones it meant to accept.

Case 2: register_globals = Off;
In this case, calling the URL http://www.digitalamit.com/feedback.php?subject=testing (or submitting the form) creates no global variables at all: $subject stays undefined and the field is never pre-filled, which we don't want either. The values are only available through $_GET and $_POST.

Case 3: magic_quotes_gpc = On;
In this case, submitting the form with the subject field set to [It's my life] gives $subject = "It\'s my life": every quote and backslash in the input has been escaped, and we have to call stripslashes() to get the original text back.

Case 4: magic_quotes_gpc = Off;
In this case, the data arrives exactly as typed, which is what we want. Mind you, submitting the form with the subject field set to [It"s my life] gives $subject = 'It"s my life', so the value is not safe to drop into HTML or SQL as it is; but at least we have the unmodified input as a base, which we can then escape as needed for each use.


About

Amit Arora is a web developer with expertise in developing eCommerce-enabled websites for businesses.
