In the past I have used the follo开发者_如何转开发wing to create variables from a posted form.
foreach($_POST as $k=>$v)
{
$$k = $v;
}
What are the security risks associates with using this method?
im trying some test atm. how about this version where it removes anything that is not a letter or number before making the variable?
foreach($_POST as $k=>$v)
{
$k = preg_replace("/[^[:alnum:]]/","",$k);
$$k=$v;
}
An attacker can inject a POST variable called _SESSION
and by that write data in your session so you can't trust your session anymore.
精彩评论