Home/ Questions/Q 7001335
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T20:47:24+00:00

Scenario : My PHP script requires 10 POST strings to work. The value of

  • 0

Scenario: My PHP script requires 10 POST strings to work. The value of all of them needs to be escaped with htmlspecialchars(). So the first lines of the script look like this:

$var1 = htmlspecialchars($_POST['var1']);
$var2 = htmlspecialchars($_POST['var2']);
// And more. You get the point.

This is some code that could simplify it:

foreach($_POST as $key => $value){
    $$key = htmlspecialchars($_POST[$value]);
}

I’m unsure about the $$ with user input. I guess somebody could send many POST requests I don’t need and block the server with that. Is this realistic?

The foreach code would be at the very top of my script. So it won’t be able to overwrite any other variables.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Rather than just blindly handling everything in $_POST (although just passing them through htmlspecialchars() is pretty harmless), you can use a whitelist of keys that are acceptable:

    // An array of $_POST keys that are acceptable
$whitelist = array('var1','var2','var3');

foreach($_POST as $key => $value) {
   // Only handle $_POST keys you expect to receive...
   if (in_array($key, $whitelist)) {
      $$key = htmlspecialchars($_POST[$value]);
    }
}

    This evades the possibility of a malicious user submitting hundreds of values to POST and consuming extra system resources.

    Update

    Commenters are correct. It is better to iterate through the whitelist than $_POST:

    // Iterate over $whitelist and check for corresponding keys in $_POST
$missing_keys = array();
foreach($whitelist as $key) {
   if (isset($_POST[$key])) {
     $$key = htmlspecialchars($_POST[$key]);
   }
   else $missing_keys[] = $key;
}
echo "Missing keys: " . implode(",", $missing_keys);
    • 0