Well, I just "upgraded" a number of PHP scripts to function with
register_globals turned off, and now better understand what's required to
work with variables more securely.

I wanted to share that the extract() command turned out to be a big help.
Using it meant I didn't have to put $_POST[' '] around every variable passed
by a form. Instead, I put one or both of these lines of code at the
beginning of scripts that use forms or receive vars passed via the URL:


extract() creates local variables using the 'key' and 'value' from the
$_POST or $_GET arrays. I even discovered it works with multidimensional
arrays that may be passed by forms. In that case, if I have an array named
"formvar" that collects all data from the form (i.e., $formvar['name'],
$formvar['address'], etc.), then I use extract this way:


This will create local variables named $name and $address that contain the
values passed from the form. Here's where you can find more about this
function: http://www.php.net/manual/en/function.extract.php

One thing to remember is that if you put extract() in a custom function
(which I did initially), it won't really work because the variables are
created only within the scope of the function, so, as soon as it returns to
the script, the vars it created are released.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to