The code creates variables from data in the $_POST array. The names of the variables are taken from the keys of the $_POST array. PHP calls this (i.e. naming variables dynamically) variable variables.

This is usually a bad idea, because you do not control which keys are present in the $_POST array, and thus which variables are created. The user of your website controls this. A malicious user might name the POST variables in such a way that they overwrite variables that you intended for different purposes.

The book suggests allowing keys in the $_POST array to overwrite variables in a controlled manner. That's what $expected = array('carModel', 'year', 'bodyStyle') is for. This and the following code only create the variables $carModel, $year and $bodyStyle. If, for example, a user posts current_user_has_admin_rights=1 to your application, a variable $current_user_has_admin_rights with a value of 1 will not be created.

My suggestion is to stay away from variable variables altogether and instead access the POST values through the $_POST array only. This makes it clear where the value comes from, and thus makes it easier to spot if such a value is handled in an insecure manner.
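The three patterns discussed above side by side, as an added example that is not code from the answer or from the book it refers to. $_POST is replaced by a constructed request array (including one hostile key, currentUserHasAdminRights) so the script runs offline from the command line; the function names and the variable name the attacker targets are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original answer or the book.
// Constructed stand-in for $_POST: the client chooses every key name.
$request = [
    'carModel'                  => 'Civic',
    'year'                      => '2009',
    'bodyStyle'                 => 'sedan',
    // Hostile key: named to collide with a variable the application sets itself.
    'currentUserHasAdminRights' => '1',
];

// 1. Unrestricted variable variables: every request key becomes a local variable,
//    so the client can overwrite anything already defined in this scope.
function unrestricted(array $post): array
{
    $currentUserHasAdminRights = 0;     // set by the application, e.g. from the session
    foreach ($post as $key => $value) {
        $$key = $value;                 // attacker-controlled name AND value
    }
    return ['admin' => $currentUserHasAdminRights];
}

// 2. The book's approach: a fixed whitelist of names that may be created.
//    Unexpected keys such as currentUserHasAdminRights are never touched.
function whitelisted(array $post): array
{
    $currentUserHasAdminRights = 0;
    $expected = ['carModel', 'year', 'bodyStyle'];
    foreach ($expected as $key) {
        if (array_key_exists($key, $post)) {
            $$key = $post[$key];        // only names from $expected are created
        }
    }
    return [
        'admin'   => $currentUserHasAdminRights,
        'created' => array_intersect_key(get_defined_vars(), array_flip($expected)),
    ];
}

// 3. The answer's recommendation: no variable variables at all. Each value is
//    read from the request array explicitly, so its origin is visible at the
//    point where it is used or validated.
function direct(array $post): array
{
    $carModel  = $post['carModel']  ?? null;   // ?? requires PHP 7+
    $year      = $post['year']      ?? null;
    $bodyStyle = $post['bodyStyle'] ?? null;
    return compact('carModel', 'year', 'bodyStyle');
}

var_dump(unrestricted($request)['admin']);   // string(1) "1": the flag was overwritten
var_dump(whitelisted($request)['admin']);    // int(0): the hostile key was ignored
var_dump(whitelisted($request)['created']);  // only carModel, year, bodyStyle
var_dump(direct($request));
```

Run it with php on the command line. The first var_dump shows the admin flag replaced by the client-supplied string, the second shows the whitelist leaving it untouched, and the third pattern needs no whitelist because no variable name ever comes from the request.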