-5

Possible Duplicate:
Is using $GLOBALS['HTTP_GET_VARS'] deprecated?
Invalid arguements in php

I get the following response when I run script in a WAMP environment:

Warning: Invalid argument supplied for foreach() in C:\wamp\www\GeCard\eCardScript_ecards\ecard_lib.php on line 17

Warning: Invalid argument supplied for foreach() in C:\wamp\www\GeCard\eCardScript_ecards\ecard_lib.php on line 21

This is my code:

function getPostGetVars() {
    global $HTTP_POST_VARS,$HTTP_GET_VARS;

    foreach ($HTTP_POST_VARS as $key => $value) {  //This is line 17
        global $$key;
        $$key = $value;
    }

    foreach ($HTTP_GET_VARS as $key => $value) {   //This is line 21
        global $$key;
        $$key = $value;
    }
}

I am told that this code is deprecated. Can this piece of code be easily updated to eliminate the warnings?

Community
  • 1
  • 1
Webiter
  • 119
  • 1
  • 10
  • 5
    The answers you got when [you were told that explained how](http://stackoverflow.com/questions/8561822/invalid-arguements-in-php) – Quentin Dec 20 '11 at 17:54
  • Sorry, was not getting it and research was not helping, hense the reframed question. Item now resolved and script working. – Webiter Dec 20 '11 at 19:18

4 Answers4

1

This code basically does what register_globals = on does, just in a worse way (GET having priority over POST). You should completely remove this code and update the script to use the appropriate variable $_POST['field'] or $_GET['field'] to access POST/GET data instead of just using $field.

The reason why the code stopped working is that $HTTP_*_VARS were replaced with the $_* superglobals, so to fix it remove global $HTTP_POST_VARS,$HTTP_GET_VARS; and replace $HTTP_POST_VARS with $_POST (likewise for $HTTP_GET_VARS).

However, you can also fix it by completely removing the function and replacing the call to it with extract($_REQUEST); (assuming the function is always called in the global scope and not inside a function).

ThiefMaster
  • 310,957
  • 84
  • 592
  • 636
0

Try this:

function getPostGetVars() {
  global $_POST,$_GET;
  foreach ($_POST as $key => $value) {  //This is line 17
    global $$key;
    $$key = $value;
  }
  foreach ($_GET as $key => $value) {   //This is line 21
    global $$key;
    $$key = $value;
  }
}
Niels
  • 48,601
  • 4
  • 62
  • 81
0

Use $_POST and $_GET instead of $HTTP_POST_VARS and $HTTP_GET_VARS respectively.

function getPostGetVars() {
  foreach ($_POST as $key => $value) {  //This is line 17
    global $$key;
    $$key = $value;
  }
  foreach ($_GET as $key => $value) {   //This is line 21
    global $$key;
    $$key = $value;
  }
}

If you check the manual pages for $_POST and $_GET, you'll see that their more verbose counterparts have been deprecated.

I can't help but notice what you are trying to do with this code essentially mirrors the function of extract(). I would caution you from doing this because an attacker could rewrite essential variables (say $isLoggedIn) with a request and exploit the server. If you continue to do something like this I suggest using extract() with a flag such as EXTR_PREFIX_ALL so that there are no collisions. You can prefix the get variables with get_ and the post variable with post_, for example.

However, unless you truly know what you're doing, using extract like this (or your method) is extremely dangerous in a production environment. I would advise against it completely and instead use the proper super globals to access the $_GET and $_POST variables.

See this post by Marc B on this vulnerability for more.

Community
  • 1
  • 1
Bailey Parker
  • 15,599
  • 5
  • 53
  • 91
0

Yes, use $_POST['variable_name'] instead of global $HTTP_POST_VARS and $_GET['variable name'] for $HTTP_GET_VARS

dmarges
  • 361
  • 2
  • 7