You can still use extract($_POST).
It is as safe/vulernable as $_POST['isAdmin'].

In either case, use only variables that you know are yours and be certain these contain
values which you believe to be safe.
For instance, if you expect a variable called $firstname to contain a name to be 
stored in
a SQL database, be certain it does not contain SQL commands which can damage your

Also, if a cracker simply floods your script with variables, they will not do damage if
you have verified their contents.  For instance:

$isAdmin = "";
if( $isAdmin=="JohnDoe")
 do secure stuff;

In the above code, if a cracker has inserted a variable called $isAdmin, it will be 
before extracting from the form.  Be advised, that a cracker can create his own form 
$isAdmin in it and submit it to your script.  Using $_POST['isAdmin'] will NOT protect
Bottom line: you can be cracked.  There are no certain protections.

----- Original Message -----
From: "Monty" <[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 3:13 PM
Subject: Re: [PHP] extract($_POST)

Okay, I really want to understand how to make $_GET and $_POST more secure
because it means changing a fundamental way my scripts are now working.

So, it sounds like what I need to do in order to make form data more secure
is something like this...

$isAdmin = $_POST['isAdmin'];
$myName = $_POST['myName'];
$myPrefs = $_GET['myPrefs'];

Instead of this...


Is this correct?? Now, I can see how this will prevent a cracker from
flooding a script with invalid variables that are all extracted into local
vars, but, I don't see how this will prevent someone from hijacking the vars
and inserting their own data. Validating that kind of attack seems almost
impossible to do especially for things like forms that collect contact info.
I really don't want to have to validate every field for every legal
possibility (especially fields like Country).

I've read here that HTTP_REFERER is unreliable and can be easily spoofed,
but, is there a more reliable way to know where the $_POST and $_GET data is
coming from? Perhaps by IP of my server, or using $_SERVER['SERVER_NAME']?

Is there any superglobal variable that would be unique to my web server that
CANNOT be spoofed or easily changed by a cracker that I can use as a check
to be sure the data is being submitted from a form on my site on not from
someone else's site?

Thanks a lot, guys!


> From: [EMAIL PROTECTED] (Paul Nicholson)
> Organization: WebPower Design
> Newsgroups: php.general
> Date: Fri, 25 Oct 2002 13:06:10 -0400
> To: "Johnson, Kirk" <[EMAIL PROTECTED]>, PHP General
> Subject: Re: [PHP] extract($_POST)
> Hash: SHA1
> On Friday 25 October 2002 11:23 am, Johnson, Kirk wrote:
>>> And what should these precautions be?  If a malicious user can submit
>>> his own form and you are looking for a POST variable, how can you
>>> ensure that $admin came from your form and not that user's?
>> The problem is when a cracker uses form variables in an attempt to set the
>> values of "flag" variables kept only in the session, for example, $isAdmin.
>> As far as the form variables *you* put in your form, it doesn't matter
>> whether the user submits your form or a form they made themselves. Those
>> form variables are just data you are trying to collect.
>> With register_globals on, PHP takes *all* variables (GET, POST, COOKIE)
>> received from the client and assigns them to global variables. So if the
>> user posts a value for $isAdmin, she can give herself admin privileges.
>> The key is to retrieve *only* the form variables *you* put in the form from
>> the the $_POST array. So don't write a loop and grab *everything* from that
>> array.
>> Kirk
> Exactly! Not only should you retrieve *only* the vars you need from POST,
> you should also filter them to make sure they contain what you're looking
> for.....is_alpha($_POST['name']). And no, php doesn't have an 'is_alpha'
> function....I created that as part of a filtering class.
> ~Paul
> - --
> ~Paul Nicholson
> Design Specialist @ WebPower Design
> "The web....the way you want it!"
> "It said uses Windows 98 or better, so I loaded Linux!"
> Registered Linux User #183202 using Register Linux System # 81891
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see
> iD8DBQE9uXoKDyXNIUN3+UQRAkugAJ0aftPjxhmV0tSk125UZSTCuWp47QCfaKJ7
> z5+ja1P4NtWUwVMCMsFVt2M=
> =UG2o

PHP General Mailing List (
To unsubscribe, visit:

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to