pass each 'name' value form inputs into dynamically created variables
I was making a form that is um... quite large and all inputs consist of the form looking like
<input type="text" id="first_name" name="first_name" />
so instead of having to do
$first_name = $_POST['first_name'];
and so on for every input, is there a way to grab every 'name' or 'id' from each input within the <form></form>
and apply to a variable of the same value of the 'name' or 'id'.
I was thinking of something like a foreach
statement?开发者_开发知识库?
Any ideas?
EDIT:
Given this little snippet of code here, how can it be use to now use the example given below?
function filter($data) {
$data = trim(htmlentities(strip_tags($data)));
if (get_magic_quotes_gpc())
$data = stripslashes($data);
$data = mysql_real_escape_string($data);
return $data;
}
foreach($_POST as $key => $value) {
$data[$key] = filter($value);
echo $value . '<br />';
}
This is a bad idea using extract
or a foreach
, it would allow someone to hijack a variable in your code.
Imagine the following
$my_user_id = 10;
extract($_POST);
// Load the user for $my_user_id using MYSQL
// Change some value of the user for $my_user_id
// Update the database for user $my_user_id
What happens when a user hacks your form and changes the value of my_user_id
?
They will be able to change the values for a user other than the one you intended them to change.
You should only get the values fro $_POST
that you KNOW are OK and should be there. Do not grab everything and assume it is meant to be there.
Such a variable assignment is very bad idea. A malicious user can rewrite any variable in your program this way.
Never do such things.
You are right about foreach statement. But do not use it for setting variables - just use it to accomplish your script goal. Iterate $_POST and put it's values into query or mail body or whatever. No need for global scope variables
As I have said above, use foreach
for the real automation.
You can use this function to produce a SET
SQL statement out of array of field names and $_POST array:
function dbSet($fields) {
$set='';
foreach ($fields as $field) {
if (isset($_POST[$field])) {
$set.="`$field`='".mysql_real_escape_string($_POST[$field])."', ";
}
}
return substr($set, 0, -2);
}
$fields = explode(" ","name surname lastname address zip fax phone");
$query = "INSERT INTO $table SET ".dbSet($fields);
精彩评论