
I'm trying to declare variables and arrays from a form (post) but it seems the arrays are not being processed:

// is this a better practice than directly passing the entire $_POST?
$list = array('use', 'type', 'status', 'bhk', 'baths', 'size', 'location', 'price', 'description');
foreach($list as $name) {
    // build the assignment as a PHP source string, e.g. "$use=filter_input(INPUT_POST, 'use', FILTER_SANITIZE_NUMBER_INT);"
    if ($name != 'description')
        $var = "\$" . $name . "=filter_input(INPUT_POST, '" . $name . "', FILTER_SANITIZE_NUMBER_INT);";
    else if ($name == 'description')
        $var = "\$" . $name . "=filter_input(INPUT_POST, '" . $name . "', FILTER_SANITIZE_STRING);";
    eval($var); // executes the generated assignment string (the part the comments below object to)
}

$area_1 = $size['area1'] != '' ? $size['area1'] : 0;
$area_2 = $size['area2'] != '' ? $size['area2'] : 0;
$city   = $location['city'];
$zone   = $location['zone'];
$sale   = $price['sale'] != '' ? $price['sale'] : 0;
$rent   = $price['rent'] != '' ? $price['rent'] : 0;

Could it be that some of those inputs are long numbers? Like $price['sale'] (up to 999999) or $size['area1'] (up to 999). Since they don't need any unit type I prefer storing them as integers rather than strings. But tell me if the length is a problem.

EDIT: (FIX by @swidmann in comments)

$$name = filter_input(INPUT_POST, $name, FILTER_SANITIZE_NUMBER_INT);

Solution: (by @swidmann in comments)

$$name = filter_input(INPUT_POST, $name, FILTER_DEFAULT, FILTER_REQUIRE_ARRAY);
  • why are you using eval? – swidmann Nov 13 '15 at 12:06
  • Using `eval` is nearly always a bad idea. Using `eval` on user input, in an attempt to increase security, is a bloody terrible idea! – Steve Nov 13 '15 at 12:06
  • I'm using `eval` to make the variables, I thought it didn't affect the user input. What is the alternative? – Chazy Chaz Nov 13 '15 at 12:08
  • `POST description= "a', FILTER_SANITIZE_STRING); unlink(__FILE__);"` Bad things happen – Steve Nov 13 '15 at 12:08
  • What are you actually trying to do? I'm sure there is a simple, secure way to do it, if only I could work out your intentions – Steve Nov 13 '15 at 12:10
  • Just declare the variables from a form to store them in a db. – Chazy Chaz Nov 13 '15 at 12:11
  • you can make variables like this `$$name = filter_input( INPUT_POST , $name, FILTER_SANITIZE_NUMBER_INT );` with `$$name` you can define a variable with the name of the string content `$name` – swidmann Nov 13 '15 at 12:11
  • This sounds and reads like a bad idea from front to back -- *Why* are you generating variables based on user-input? -- you already have the names and data in the `$_POST` or `$_GET` arrays -- there is no need to do what you do -- I strongly suspect an XY-Problem – Tom Regner Nov 13 '15 at 12:15
  • Sorry, the variable names are not based on user-input. They are based on the names from my array. – Chazy Chaz Nov 13 '15 at 12:17
  • There's still a problem, the arrays are always 0. And I made sure to fill the inputs. What is the problem? – Chazy Chaz Nov 13 '15 at 12:25
  • i think you need an additional filter, **if the input is an array**: FILTER_REQUIRE_ARRAY => http://php.net/manual/en/function.filter-input.php – swidmann Nov 13 '15 at 12:27
  • Right, there's another filter for arrays... Thanks @swidmann! – Chazy Chaz Nov 13 '15 at 12:30
  • @ChazyChaz: you're welcome :) – swidmann Nov 13 '15 at 13:09

1 Answer

To create variables from your array you should use $$ instead of concatenating a string and running eval(), because eval() is evil.

You can make variables like this:

$$name = filter_input( INPUT_POST , $name, FILTER_SANITIZE_NUMBER_INT );

With $$name you can define a variable with the name of the string content $name.

If your input can be an array, please take a look at filter_input_array() or filter_input() with the option FILTER_REQUIRE_ARRAY, depends on what you need.

Here is an approach:

// is this a better practice than directly passing the entire $_POST?
$list = array( 'use', 'type', 'status', 'bhk', 'baths', 'size', 'location', 'price', 'description' );
foreach ( $list as $name ) {
    if ( $name != 'description' ) {
        // isset() guard avoids an undefined-index notice when the field was not posted
        if ( isset( $_POST[$name] ) && is_array( $_POST[$name] ) ) {
            // I think you should also check for other types if needed (i.e. string)
            $$name = filter_input( INPUT_POST , $name, FILTER_SANITIZE_NUMBER_INT , FILTER_REQUIRE_ARRAY );
        } else {
            $$name = filter_input( INPUT_POST , $name, FILTER_SANITIZE_NUMBER_INT  );
        }
    } else if ( $name == 'description' ) {
        $$name = filter_input( INPUT_POST , $name, FILTER_SANITIZE_STRING );
    }
}

$area_1 = $size['area1'] != '' ? $size['area1'] : 0;
$area_2 = $size['area2'] != '' ? $size['area2'] : 0;
$city = $location['city'];
$zone = $location['zone'];
$sale = $price['sale'] != '' ? $price['sale'] : 0;
$rent = $price['rent'] != '' ? $price['rent'] : 0;

If you are not sure about the input, you can try the option FILTER_DEFAULT:

$$name = filter_input(INPUT_POST, $name, FILTER_DEFAULT, FILTER_REQUIRE_ARRAY);
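As an added example (not the asker's or the answerer's code), here is the same form handled with one filter definition instead of eval() or variable variables: array fields use FILTER_REQUIRE_ARRAY, numeric fields use FILTER_VALIDATE_INT with range options (which also settles the "long numbers" question), and the sample input and its limits are constructed assumptions.

```php
<?php
// Field names come from the question; ranges and sample values are assumptions.
// FILTER_VALIDATE_INT rejects bad input (returns false) instead of silently
// stripping characters the way FILTER_SANITIZE_NUMBER_INT does ('12abc' -> '12').
$definition = [
    'use'    => FILTER_VALIDATE_INT,
    'type'   => FILTER_VALIDATE_INT,
    'status' => FILTER_VALIDATE_INT,
    'bhk'    => FILTER_VALIDATE_INT,
    'baths'  => FILTER_VALIDATE_INT,
    // size[area1], size[area2] arrive as an array: require one and bound each element
    'size'     => ['filter'  => FILTER_VALIDATE_INT, 'flags' => FILTER_REQUIRE_ARRAY,
                   'options' => ['min_range' => 0, 'max_range' => 999]],
    'price'    => ['filter'  => FILTER_VALIDATE_INT, 'flags' => FILTER_REQUIRE_ARRAY,
                   'options' => ['min_range' => 0, 'max_range' => 999999]],
    'location' => ['filter'  => FILTER_DEFAULT, 'flags' => FILTER_REQUIRE_ARRAY],
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; keep the raw text and
    // escape it at output time (htmlspecialchars) and bind it at insert time instead
    'description' => FILTER_DEFAULT,
];

// Constructed sample request. In the real page use:
//   $clean = filter_input_array(INPUT_POST, $definition);
$post = [
    'use' => '1', 'type' => '2', 'status' => '1', 'bhk' => '3', 'baths' => '2',
    'size'        => ['area1' => '120', 'area2' => ''],
    'price'       => ['sale' => '999999', 'rent' => '12abc'],
    'location'    => ['city' => 'Lisbon', 'zone' => 'Centre'],
    'description' => 'Two bedroom flat',
];
$clean = filter_var_array($post, $definition);

// Validation failure is false and a missing field is null; only a real int passes.
function intOrZero($value): int {
    return is_int($value) ? $value : 0;
}

$area_1 = intOrZero($clean['size']['area1'] ?? null);   // 120
$area_2 = intOrZero($clean['size']['area2'] ?? null);   // 0: '' fails validation
$sale   = intOrZero($clean['price']['sale'] ?? null);   // 999999 (fits a PHP int easily)
$rent   = intOrZero($clean['price']['rent'] ?? null);   // 0: '12abc' is rejected, not trimmed to 12
$city   = $clean['location']['city'] ?? '';
$zone   = $clean['location']['zone'] ?? '';
$description = $clean['description'] ?? '';

// Store with bound parameters so the values stay data, e.g. (hypothetical table):
// $pdo->prepare('INSERT INTO listings (area1, area2, sale, rent, city, zone, description)
//                VALUES (?, ?, ?, ?, ?, ?, ?)')
//     ->execute([$area_1, $area_2, $sale, $rent, $city, $zone, $description]);
```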