Best way to declare varibles from a submit form

Question

What is the best way to define variables from a submitted form instead of having:

$username = $_POST['username'];
$email = $_POST['email'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
etc

because it will end up with too many lines of code.

Answer 1

You answered yourself already: the one you mentioned is the best way to declare form variables within pure PHP world.

You can write as many abstractions you want on top of it but you got the point, if you submit with a post you need to pass through the snapshot you just posted...

The Recommendation

People recommended here the usage of extract(). Please, don't. As you can read from the php documentation:

Do not use extract() on untrusted data, like user input (i.e. $_GET, $_FILES, etc.). If you do, for example if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.

The recommended practice is to use $_POST[<varname>] directly. This way users of your web application can't set variables that should be safe.

The common pattern is something like the following:

<?php
   if(isset($_POST['submit']) 
   {
      echo("First name: " . htmlentities($_POST['firstname']) . "<br />\n");
      echo("Last name:  " . htmlentities($_POST['lastname'])  . "<br />\n");
   }
?>
<form action="myform.php" method="post">
   <p>First name: <input type="text" name="firstname" /></p>
   <p>Last name: <input type="text" name="firstname" /></p>
   <input type="submit" name="submit" value="Submit" />
</form>

Answer 2

Use extract($_POST) function

it will convert array keys to variables, after that you can directly use as $username, $email, $firstname and $lastname etc.

It extract() function will do variable assigning work.

Answer 3

You can use extract method but remember read warning related to it to know before what you are dealing with here

one of them is

Warning: Do not use extract() on untrusted data, like user input (i.e. $_GET, $_FILES, etc.). If you do, for example if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting flags values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.

Remember to always perform validation on input data from user or service client to avoid injections. Read more about it here

Answer 4

As others have written you can use extract($_POST) but beware the security implications.

Also, you can optionally define how extract handles existing variables with the same name, or even tell it to prepend a string to the variables.

Assuming you POSTED the following data:

$_POST['id'] => 3, 
$_POST['description'] => "ford pinto"
$_POST['color'] => "mustard yellow"

extract($_POST, EXTR_PREFIX_ALL, 'fd1_');

Would yield the following variables:

$fd1_id
$fd1_description
$fd1_color

Check the documentation for more information on extract options.

Answer 5

Ok, after my previous answer got downvoted because of security issues, I will make another attempt.

In one file, say inputs_definitions.php, define, which fields are you expecting:

<?php
$inputsDefinitions = [
  'name' => ['type' => 'text', 'placeholder' => 'Your name'],
  ...
];

Then include this file in your view and generate a dynamic form:

<?php
include("inputs_definitions.php");
for ($inputsDefinitions as $field => $properties) {
  echo '<input type="' . $properties['type'] . '" placeholder="' . $properties['placeholder'] . '" name="' . $field . '" />';
}
?>

In the code, where you process your data, include this file again and do the following:

<?php
include("inputs_definitions.php");
for ($inputsDefinitions as $field => $properties) {
   $$field = $_POST[$field]; 
}
...
?>

Answer 6

There is no silver bullet, it all depends on the usecase.

In some cases you might just use $_POST['foo'] directly, but most of the time, you need to check that the data has been set before trying to use it, also be sure not to directly output it without proper santization. This why the answers that say; just use it directly might imply somehow that the variable is always set and is used in nondangerous context, which in most cases in not the case...

Most of the times you want to do stuff with the data you are retrieving. In such case it is important that you do not directly modify $_POST['foo'] as you should not modify global data but instead incapsulate it.

Sometimes it might be nice to do, what you asked; to avoid: as you would have a place where you transfer all the values you get from the request to specific variable names. This makes it all easier to refactor, if you decide to change the clientside markup. Often you might need to check if the value was even passed before trying to directly use it or assign it.

This might also be a good time to look forward to php7 and https://wiki.php.net/rfc/isset_ternary

Just remember, the more data you send, the code you have to write to properly manage it. And what you are asking not to do, might just be exactly what you want to do... or maybe something like

$foo = isset($_POST['foo']) ? $_POST['foo'] : null;

And I am sure you can easily imaging putting something similar into a function.. What you are looking for in this context, is not less lines of code, but more.

Answer 7

I don't recommend it, but to have the solution You want, You need to use filter_input() and maybe an array:

$aArray = array_keys($_POST);

foreach($aArray as $sField) {
    ${$sField}= filter_input(INPUT_POST, $sField);
    // and You can make some extra filtering here
    // for example: filter it by previously prepared array of acceptable field keys
}

But, if You just want less secure solution, use extract() function.

Answer 8

I think this will do the trick:

extract($_POST);

(Ref) Simple and effective.