Going through a php class file at work I found an interesting snippet. The script is dynamically creating a variable, dynamically checking if there is an active $_GET[''] for the variable it's creating and if there is it's loading the $_GET data and if it's not it's writing N/A to the variable that it's dynamically creating. The script then continues on to a switch function with the same logic for it's case breaks.
1.) Is this safe?
2.) Can it be attacked?
3.) Is there an easier way to do this?
4.) Why would you do this?
$switch_types = array("id","type","page");
foreach ($switch_types as $key => $value) {
$$value = $value;
if(isset($_GET[$$value])){
$$value = $_GET[$$value];
}
else{
$$value = "N/A";
}
}
This is basically just a long-winded way to write:
It's perfectly safe because the list of variables to assign is specified in the program, it doesn't come dynamically from the client.
There's some unnecessary code in his loop --
$$value = $value
is not needed. It can be simplified to:or: