> I have the following code for order_update.php:
> [code]
> session_start();
> extract($_POST);
> foreach ($_POST as $var => $val) {
>  if ($val > 0) {
>  $_SESSION[$var] = $val;
>  } else {
>  unset($var);
>  }
>  header("Location: order_process.php");
> }
> [/code]
> This is not working, however, and it just loads order_process.php with no
> values for the varaibles, as if I just refreshed the page with no sessions.

Maybe you left it out but I didn't see any place where you used $_SESSION in
order_process.php. Also, your redirect in order_update.php appears to be
inside your foreach loop, which would definitely mess things right up -- but
maybe that was just a typo in your email?

Otherwise the logic in order_update.php looks OK, but there are a few side
notes that jumped out:

1. I'm not seeing why you used "extract($_POST)" in order_update.php. Right
after the extract() call, you iterate through $_POST with a foreach loop, so
what's the purpose of calling extract()? Is there more code that you left

2. Calling "extract($_POST)" is dangerous. The PHP manual warns against it,
although without giving much of an explanation:


Apart from making it difficult to filter the input you're expecting to see,
"extract($_POST)" also allows a malicious end-user to define any variable of
his choosing and to overwrite any variables that you may have defined in the
script before the extract() call.

I like to use filter_input() to read the values of POST variables.

By much the same token, you'll want to escape $a, etc., in your
writeResultRow() function, with something like htmlentities().

3. Why the "unset($var)" in order_update.php? $var already gets reset each
time foreach iterates. So, calling unset() on it at the end of the loop
doesn't really do much. I'm wondering what you were aiming at there.



Reply via email to