Question

I'm probably being a little thick, but I can't seem to find an answer to this one. I'm moving from a server with register globals ON to one with it being off. It's a good thing, but unfortunately I have been used to years and years working with register globals being ON which has resulted in me writing sloppy code. I am now trying to fix that.

I'm trying to rewrite some old code which has variable variables within $_POST.

I know this is a silly example, but it illustrates the problem I am trying to solve. The following would work with register globals ON:

<?php $variable = "fullname";?>
<form action="/test/" method="post">
<label for="fullname">Full Name:</label> <input name="fullname" type="text" value="<?php echo $$variable;?>" size="20" maxlength="150" />
<input name="submit" type="submit" value="Go!" />
</form>

How do I make this work with register globals off? The following obviously doesn't work:

<?php $variable = "fullname";?>
<form action="/test/" method="post">
<label for="fullname">Full Name:</label> <input name="fullname" type="text" value="<?php echo $_POST[$$variable];?>" size="20" maxlength="150" />
<input name="submit" type="submit" value="Go!" />
</form>

Please go easy on me - I know I am probably being stupid, but I can't seem to get my head round this.

Solution

Simple, just $_POST[$variable]. (Or $_GET or maybe $_REQUEST, as appropriate.)

However note that when you output text to HTML, you must encode it, or you will be vulnerable to cross-site-scripting attacks:

<input type="text"
    name="<?php echo htmlspecialchars($variable);?>"
    value="<?php echo htmlspecialchars($_POST[$variable]);?>" 
    size="20" maxlength="150"
/>

(I typically define a function called h that does echo htmlspecialchars, to cut down on this excessive amount of typing.)

OTHER TIPS

I have some form interactions similar to yours but I can't understand why you are using $_POST within a form. What you should have is this:

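<?php
// Empty until the form has been submitted; avoids an undefined-index notice.
$variable = isset($_POST["fullname"]) ? $_POST["fullname"] : "";
?>
<form action="/test/" method="post">
<label for="fullname">Full Name:</label> <input name="fullname" type="text" value="<?php echo htmlspecialchars($variable); ?>" size="20" maxlength="150" />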
<input name="submit" type="submit" value="Go!" />
</form>

$_POST is an array, won't it just be:

$_POST[$variable]

You can get rid of the whole $$ craziness and simply do $_POST[$variable].

You sure you meant $_POST[$$variable] as opposed to $_POST[$variable]?

Using variable variables directly from $_SUPER globals is a BAD idea and a security risk, especially if any of your code is open source. One could modify the input to poke around and find out the value of any variable you let through. For example, they could pass in '$_ENV' which would get them a dump of your environment variables. In fact, register globals is a bad idea anyways.

This is referred to in @bobince's answer.

And, with regard to your question, that is why your example doesn't work with PHP's register globals turned off. PHP is stricter (for good reason) with register globals off; afaik, it's harder to do the variable variable trick.
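
An added example (not code from the question or from any of the answers above) that puts the answers' two points together: look the field up by name in $_POST only if the name is on a fixed list, and encode it on output. The names h, field_value and ALLOWED_FIELDS, the field list, and the $post sample are assumptions made for illustration; PHP 7 or later is assumed.

```php
<?php
// Fields this form may echo back. Any other name is ignored, so a
// caller-supplied name cannot be used to read arbitrary keys.
const ALLOWED_FIELDS = ['fullname', 'email'];

// Encode a value for HTML text or a quoted attribute. Unlike the h()
// mentioned in the accepted answer, this one returns instead of echoing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Submitted value for $name, or '' when the name is not allowed, was not
// submitted, or is not a string (fullname[]=x arrives as an array).
function field_value(array $post, string $name): string
{
    if (!in_array($name, ALLOWED_FIELDS, true)) {
        return '';
    }
    $value = $post[$name] ?? '';
    return is_string($value) ? $value : '';
}

// Constructed sample submission; in the real page pass $_POST instead.
$post = [
    'fullname' => 'Pat "PJ" <b>O\'Neil</b>',
    'email'    => ['not', 'a', 'string'],
];

$variable = 'fullname';
?>
<form action="/test/" method="post">
<label for="<?php echo h($variable); ?>">Full Name:</label>
<input id="<?php echo h($variable); ?>" name="<?php echo h($variable); ?>"
    type="text" value="<?php echo h(field_value($post, $variable)); ?>"
    size="20" maxlength="150" />
<input name="submit" type="submit" value="Go!" />
</form>
```

With the sample above, the value attribute is rendered with the quotes and angle brackets as entities, and a request for a name outside ALLOWED_FIELDS yields an empty field.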

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow