TalkPHP

Forum: TalkPHP (http://www.talkphp.com/forums.php), Absolute Beginners (http://www.talkphp.com/absolute-beginners/)
Thread: $_POST: Are both approaches equally good? (http://www.talkphp.com/absolute-beginners/5067-_post-both-approaches-equally-good.html)

Dave 10-28-2009 01:23 AM

$_POST: Are both approaches equally good?
 
Take a look at the code below regarding POST. Which is better?

PHP Code:

    // First approach: the raw $_POST values are interpolated straight into the query string
    $sql = "SELECT   teachername
                   , statecourse
                   , semester
                   , meetingcode
                   , last_name
                   , first_name
              FROM $c_tblname
             WHERE teachername = \"{$_POST['teachername']}\" and
                   semester    = \"{$_POST['semester']}\"    and
                   meetingcode = \"{$_POST['meetingcode']}\" ";

    //------------------------------------------

    // Second approach: extract() turns every $_POST key into a local variable first
    extract($_POST);
    $sql = "SELECT   teachername
                   , statecourse
                   , semester
                   , meetingcode
                   , last_name
                   , first_name
              FROM $c_tblname
             WHERE teachername = '$teachername' and
                   semester    = '$semester'    and
                   meetingcode = '$meetingcode' ";

Thanks!

etoolbox 10-28-2009 02:25 AM

They're both equally bad from the perspective of SQL injection: http://en.wikipedia.org/wiki/SQL_injection

Even if there's no intentional SQL injection your query will error out if any of the submitted data contains a " in the first example or a ' in the second.

Once you've learned about escaping user submitted data, I would recommend *not* using extract. The PHP manual page itself ( http://www.php.net/extract ) recommends "Do not use extract() on untrusted data, like user input (i.e. $_GET, $_FILES, etc.)"

There's no sense using extract() anyway, and it may overwrite variables you have already set up, further opening your code up to abuse.
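To make the two points in this reply concrete, here is an added example that is not code from the thread: Dave's second (single-quoted) query next to a prepared-statement version, run against an in-memory SQLite database through PDO so it works offline. The table name `course_roster`, the rows and the two request arrays are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: Dave's single-quoted query beside a
// prepared-statement version, against an in-memory SQLite database via PDO.
// Table name, rows and request arrays are constructed for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// $c_tblname has to come from the script (or a fixed whitelist), never from the
// request: identifiers cannot be bound as parameters.
$c_tblname = 'course_roster';
$pdo->exec("CREATE TABLE $c_tblname (
    teachername TEXT, statecourse TEXT, semester TEXT,
    meetingcode TEXT, last_name TEXT, first_name TEXT)");
$ins = $pdo->prepare("INSERT INTO $c_tblname VALUES (?, ?, ?, ?, ?, ?)");
$ins->execute(['smith', 'ENG101', 'fall09',   'A1', 'Doe', 'Jane']);
$ins->execute(['smith', 'ENG101', 'fall09',   'A1', 'Roe', 'Rick']);
$ins->execute(['jones', 'MAT201', 'spring09', 'B7', 'Poe', 'Pat']);

// The pattern from the original post: request values dropped into the SQL text.
function vulnerableQuery(PDO $pdo, string $table, array $post): array
{
    $sql = "SELECT teachername, statecourse, semester, meetingcode, last_name, first_name
              FROM $table
             WHERE teachername = '{$post['teachername']}' and
                   semester    = '{$post['semester']}'    and
                   meetingcode = '{$post['meetingcode']}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: the SQL text is fixed and the values travel separately as parameters,
// so a quote inside the data is data, not syntax.
function safeQuery(PDO $pdo, string $table, array $post): array
{
    $stmt = $pdo->prepare("SELECT teachername, statecourse, semester, meetingcode, last_name, first_name
                             FROM $table
                            WHERE teachername = :teacher
                              AND semester    = :semester
                              AND meetingcode = :meeting");
    $stmt->execute([
        ':teacher'  => $post['teachername'] ?? '',
        ':semester' => $post['semester'] ?? '',
        ':meeting'  => $post['meetingcode'] ?? '',
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 1. Deliberate injection: the trailing OR turns the WHERE clause into
//    (... and meetingcode = 'x') OR '1'='1', which matches every row, every teacher.
$attack = ['teachername' => 'smith', 'semester' => 'fall09', 'meetingcode' => "x' OR '1'='1"];
printf("injected meetingcode, interpolated: %d rows\n", count(vulnerableQuery($pdo, $c_tblname, $attack)));
printf("injected meetingcode, prepared:     %d rows\n", count(safeQuery($pdo, $c_tblname, $attack)));

// 2. No attack at all, just a name containing an apostrophe: the interpolated
//    query is now a syntax error, the prepared one simply finds no such teacher.
$benign = ['teachername' => "O'Brien", 'semester' => 'fall09', 'meetingcode' => 'A1'];
try {
    vulnerableQuery($pdo, $c_tblname, $benign);
} catch (PDOException $e) {
    echo "apostrophe, interpolated: query failed: " . $e->getMessage() . "\n";
}
printf("apostrophe, prepared:     %d rows\n", count(safeQuery($pdo, $c_tblname, $benign)));
```

Run against the three constructed rows, the interpolated query returns all of them for the injected meeting code (the attacker asked for smith's roster and got jones's too) and throws on O'Brien, while the prepared statement returns zero rows in both cases and never errors. Dave's first form is attacked the same way with `"` in place of `'` on MySQL, which treats double-quoted values as string literals unless ANSI_QUOTES is enabled.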

Dave 10-28-2009 02:49 AM

Thanks. I had read the PHP manual advisory previously, but since then I have also read a couple of blogs about how great extract() was. But I hadn't thought about it overwriting existing variables, which is not a good thing.

Dave

etoolbox 10-28-2009 09:05 AM

Funnily enough I've just read a post which talks about SQL injection along with some examples: http://blog.tuvinh.com/top-7-php-security-blunders/

Some other useful stuff in there too.

sketchMedia 10-28-2009 09:43 AM

Quote:

Originally Posted by etoolbox (Post 29011)
There's no sense using extract() anyway, and it may overwrite variables you have already set up, further opening your code up to abuse.

That problem is solved by using the EXTR_PREFIX_SAME flag.

etoolbox 10-28-2009 10:02 PM

Quote:

Originally Posted by sketchMedia (Post 29014)
That problem is solved by using the EXTR_PREFIX_SAME flag.

Good point. I've also had another look at the docs and you can also specify what to do with collisions with the extract_type parameter. I still wouldn't use this function myself though.
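As an added example that is not code from the thread, the following shows what extract() does to variables a script has already set under each of the collision flags discussed in the last few posts, and the flag-free alternative of reading named fields. `$_POST` is stood in for by a constructed array; the variable names `$c_tblname` and `$is_admin`, the prefix `p` and the field list are assumptions for the demonstration.

```php
<?php
// Added example, not code from the thread: how extract() treats variables the
// script already holds, under EXTR_OVERWRITE, EXTR_SKIP and EXTR_PREFIX_SAME.
// $_POST is replaced by a constructed array.

function unpackRequest(array $request, int $flags): array
{
    // Variables the script depends on, set before the request data is unpacked.
    $c_tblname = 'course_roster';
    $is_admin  = false;

    // The third argument is the prefix used by the EXTR_PREFIX_* flags; it is
    // only validated, not used, for EXTR_OVERWRITE and EXTR_SKIP.
    extract($request, $flags, 'p');

    return [
        'c_tblname'   => $c_tblname,             // did the request replace the table name?
        'is_admin'    => $is_admin,              // did the request grant itself a flag?
        'semester'    => $semester ?? null,      // a genuinely new variable from the request
        'p_c_tblname' => $p_c_tblname ?? null,   // where EXTR_PREFIX_SAME puts the clashing key
    ];
}

// The alternative that needs no flags at all: name the fields you expect and
// read only those, so nothing in the request can create or change a variable.
function readRequest(array $request, array $fields = ['teachername', 'semester', 'meetingcode']): array
{
    $out = [];
    foreach ($fields as $field) {
        $out[$field] = isset($request[$field]) ? (string) $request[$field] : '';
    }
    return $out;
}

// A constructed request that deliberately supplies the two names the script already uses.
$attack = ['c_tblname' => 'users', 'is_admin' => '1', 'semester' => 'fall09'];

print_r(unpackRequest($attack, EXTR_OVERWRITE));   // the default: both script variables are replaced
print_r(unpackRequest($attack, EXTR_SKIP));        // existing variables kept, the clashing keys are dropped
print_r(unpackRequest($attack, EXTR_PREFIX_SAME)); // clashing keys land in $p_c_tblname and $p_is_admin
print_r(readRequest($attack));                     // only the expected fields, as strings
```

With the default flag the request swaps the table name to `users` and sets `$is_admin` to the string `'1'`, which is truthy. EXTR_SKIP and EXTR_PREFIX_SAME protect only the names that exist at the moment extract() is called; any other key in the request still becomes a variable, so a name the script introduces later can still be pre-seeded by the client. readRequest() has no such window because the request never decides which variables exist.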

delayedinsanity 10-29-2009 02:19 AM

Extract is a handy little fella in some situations, no sense in ruling it out; I've written numerous functions in the past where I wanted/needed to return multiple arrays of data. Nest the arrays, return it, and extract it on the other side into its components. No fuss.
