|
|
Posted by Colin Fine on 10/29/06 17:53
Chuck Anderson wrote:
> Geoff wrote:
>>> I urge you to fix this, but in the mean while:
>>> extract($_GET);
>>> --
>>> Rik Wasmus
>>>
>>
>> What is the new way to do this?
>> I've read through the link you gave me but it isn't completely clear to
>> me.
>>
>> Geoff
>>
>>
> Quick and dirty:
>
> Use a text editor to include a script at the very beginning of every php
> file:
>
> <?php
> include 'extractor.php';
> ?>
>
> Put this in extractor.php
>
> <?php
> if (is_array($_GET))
> {
> foreach ($_GET as $xxkey => $xxvalue)
> {
> $$xxkey = $xxvalue;
> }
> }
> ?>
>
> (Note: 'xx' is added to the var name to try and keep the var names
> unique, otherwise, if you have passed a GET variable with the same name
> ($key or $value), it would be overwritten by the next iteration of the
> foreach.)
>
> This should get you working, but then I advise you to go back and add
> some real injection prevention functions at the beginning of routines
> that need them.
>
This looks to me like a clumsy way of emulating 'extract($_GET)', as
suggested by Rik. Are you claiming some advantage to doing it this way?
Colin
[Back to original message]
|