Yamiko
Reputation: 5453
Using a foreach loop to get create variables from $_POST security issues?
In the past I have used the following to create variables from a posted form.
foreach($_POST as $k=>$v)
{
$$k = $v;
}
What are the security risks associates with using this method?
im trying some test atm. how about this version where it removes anything that is not a letter or number before making the variable?
foreach($_POST as $k=>$v)
{
$k = preg_replace("/[^[:alnum:]]/","",$k);
$$k=$v;
}
Upvotes: 2
Views: 384
Answers (1)
johannes
Reputation: 15979
An attacker can inject a POST variable called _SESSION and by that write data in your session so you can't trust your session anymore.
Upvotes: 8
Related Questions
- php $POST dynamic variable names security concerns
- PHP - Could automatically processing every $_POST variable be a security issue?
- PHP: Abusing POST and GET
- Potential security issues with variable variables
- PHP variables safe within a POST
- How to access $_POST variables with unknown keys in a safe way?
- foreach $_POST.. is this bad?
- Code injection vulnerability by echo-ing $_POST vars?
- Processing $_POST[] and $_GET[] variables
- How could I make this PHP $_POST more secure? -Or is it secure already?