CODEWITHSUNDEEP
phppostbase64
uk4321
uk4321

Reputation: 1078

Restrictions on characters in POST variable names

I was recently surprised to learn that PHP will automagically and unpreventably turn all periods to underscores in the names of POST fields, because periods are not allowed in variable names in PHP.

I have POST data that is keyed with names that have arbitrary data in them, and I was thinking about Base64 encoding the POST names to avoid the period problem. However, the Base64 alphabet includes the characters +, / and =. These letters are also not allowed in variable names, but are these alright for POST names? What will PHP do with them?

Upvotes: 4

Views: 1812

Answers (2)

chiliNUT
chiliNUT

Reputation: 19573

The following characters not allowed in variable names:

chr(32) ( ) (space)
chr(46) (.) (dot)
chr(91) ([) (open square bracket)
chr(128) - chr(159) (various)

(Cite: Get PHP to stop replacing '.' characters in $_GET or $_POST arrays?)

For the other guys, +, /, and = are fine for $_POST, and for variable names.

First, if you are sure all the underscores in $_POST should be periods (which may or may not be a fair assumption, but...)

<form name=test>
<input type=text name="+./=" value='hello'>
<input type=submit>

<?php
foreach ($_POST as $key=>$postVar)
{
$newKey=str_replace("_",".",$key);
$newPost[$newKey]=$postVar;
}
$_POST=$newPost;
echo $_POST['+./=']; //hello

and in variable names, you can use Variable variables

${'var+./='}=1;
echo ++${'var+./='}; //2
?>

Upvotes: 4

Duniyadnd
Duniyadnd

Reputation: 4043

From their website:

Variable names follow the same rules as other labels in PHP. A valid variable name starts with a letter or underscore, followed by any number of letters, numbers, or underscores. As a regular expression, it would be expressed thus: 

'^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*'

which includes a correction a user made in the comments on that same page.

Starts with a letter [a-z], or underscore, or anything between \x7f to \xff.

This can be followed by anything listed above as well as digits.

Without testing, and with errors turned off, my assumption is that PHP will replace any character that shouldn't be there with an underscore. Hope that helps.

Upvotes: 2

Related Questions