How can I use extract() in a custom function to create global-scope values from user-supplied array data?

Posted 2024-07-24 05:28:56 · 583 characters · 3 views · 0 comments


I want to revamp this function to get rid of using globals.

function CatchListing() {
    $parseform = array('itemnum','msrp','edprice','itemtype','box','box2','box25','box3','box4','box5','box6','box7','itemcolor','link');
    foreach ($parseform as $globalName) {
        $GLOBALS[$globalName] = mysql_real_escape_string($_POST[$globalName]);
    }
}

I was told to use array_map & then extract, but I am not sure of how to structure this.

function CatchListing() {
    $_POST['listing'] = array_map('mysql_real_escape_string', $_POST);
    $nst = extract($_POST['listing']);
}

(listing is the form name btw)

Comments (3)

遮云壑 2024-07-31 05:28:56


Be VERY careful about using extract with externally inputted values as from $_GET and $_POST.

You're much better off extracting the values manually to known values.

It's far too easy for an extract from _GET or _POST to clobber existing variables.

老娘不死你永远是小三 2024-07-31 05:28:56


There are so many things to say and Jonathan makes a very good start. Every time the user has the opportunity to play with your internal data and you don't check them, there is a huge "opportunity" (depends on the view..) that something goes wrong. Here is another approach on how to "maybe" get where you want to go:

<?php

// Central place for input cleaning, so the escaping call can be swapped later.
function Sanitize($string){
  return mysql_real_escape_string(trim($string));
}

function CatchListing(){
  foreach($_POST as $key => $value) {
    $key = Sanitize($key);
    $value = Sanitize($value);
    // Only create the global if nothing with that name exists yet,
    // so request data cannot overwrite existing globals.
    if($key && $value && !isset($GLOBALS[$key])){
      $GLOBALS[$key] = $value;
    }
  }
}

global $nice;
$nice = "working"; // stays "working" even if the request contains a "nice" field

CatchListing();

print_r($GLOBALS);

?>

To be honest, it still doesn't really have anything to do with OOP and furthermore should be seen as a procedural approach. Personally I would use an additional and reusable function to "sanitize" the input, because you never know if someday you want to change your database or the "escape" function, and then you know exactly where to look for possible changes. Ah, one more thing: Are you certain that you don't know all the possible names of all the variables you have to expect? Maybe you can predetermine them and put them in another array and check each user supplied argument with in_array.

旧话新听 2024-07-31 05:28:56


To completely get rid of the usage of globals in your code, and also to make it much better overall, you can do something along these lines:

  • stop using $_POST, as it's a superglobal. When code needs values from superglobals, pass them as parameters
  • don't store values into $GLOBALS. If you need to return more than one value, consider returning an object or an array

Here's how I think I would modify your code to improve it:

function CatchListings($listings) {
    $filteredListings = array_map('mysql_real_escape_string', $listings);

    //I assume you only need the values in the array in the original snippet,
    //so we need to grab them from the parameter array and return only that
    $requiredListings = array();
    $requiredKeys = array('itemnum','msrp','edprice','itemtype','box','box2','box25','box3','box4','box5','box6','box7','itemcolor','link');
    foreach($requiredKeys as $key) {
        //note: a key missing from the input raises an undefined-index notice here
        $requiredListings[$key] = $filteredListings[$key];
    }

    return $requiredListings;
}

To use this function, you simply do $result = CatchListings($_POST);. Same result, no globals used.

There is one thing to consider, though. It may not be the best possible form to just pass a randomly filled array (i.e. $_POST) to the function and expect it to contain specific keys (i.e. the $requiredKeys array). You might want to either add logic to check for missing keys, or process the post array before passing it.
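An added example, not from the question or any of the answers, that puts the first answer's clobbering warning and the third answer's key whitelist side by side. The request array is constructed, and the mysql_real_escape_string call is left out because it needs a live database connection.

```php
<?php
// Added example: why an unfiltered extract() on request data is dangerous,
// and a whitelist-based alternative that returns an array instead of
// writing to $GLOBALS. $request is constructed to stand in for $_POST.

$requiredKeys = array('itemnum', 'msrp', 'edprice', 'itemtype', 'link');

// Constructed input: the client sent one key the form never defined.
$request = array(
    'itemnum'  => '4711',
    'msrp'     => '19.99',
    'edprice'  => '14.99',
    'itemtype' => 'book',
    'link'     => 'http://example.invalid/4711',
    'isAdmin'  => '1',   // extra, client-controlled field
);

// Unsafe: extract() defaults to EXTR_OVERWRITE, so every key the client
// sends becomes (or replaces) a variable in the current scope.
function unsafeCatchListing(array $request)
{
    $isAdmin = false;        // internal flag, never meant to come from input
    extract($request);       // the client's 'isAdmin' key replaces $isAdmin
    return $isAdmin;
}

// Hardened: keep only whitelisted keys, fail loudly on missing ones, and
// hand the result back to the caller instead of touching globals.
function catchListings(array $request, array $requiredKeys)
{
    $allowed = array_intersect_key($request, array_flip($requiredKeys));
    $missing = array_diff($requiredKeys, array_keys($allowed));
    if ($missing) {
        throw new InvalidArgumentException('missing fields: ' . implode(', ', $missing));
    }
    // Escaping belongs at the database layer (prepared statements), not here.
    return array_map('trim', $allowed);
}

var_dump(unsafeCatchListing($request));
$listing = catchListings($request, $requiredKeys);
var_dump(array_key_exists('isAdmin', $listing));
```

If extract() must stay, extract($request, EXTR_SKIP) at least refuses to overwrite variables that already exist, but it still creates any variable name the client chooses.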
