ansaurus

Question

Letting a new PHP page know a new POST value is an Array?

Answer 1

+2 A:

If print on your array just outputs "Array", then I suspect that's how it's getting written to the hidden field. Try viewing source and see how that actually gets rendered to the browser. If it is, then you'll need some method of serializing and deserializing the array.

Yuliy 2010-03-24 16:36:42

Answer 2

+3 A:

Use serialize() and base64_encode():

print '<input type="hidden" name="price_list" value="' . base64_encode(serialize($item_list)) . '">'

and unserialize() and base64_decode():

//Code on the second page for the foreach loop

$price_list = unserialize(base64_decode($_POST['price_list']));
foreach($price_list as $name=>$price) {
...
}

serialize() converts your array to a string. base64_encode() encodes this string to make it safe for transmission via HTTP. Maybe it works without it but better to be on the safe side. In addition, your array gets a little obfuscated.

Update:

Actually I just noticed that serializing an array containing strings e.g. array('foo', 'bar') results in a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}.
In order to insert this correctly in to 'value="' . serialized_value . '"' you have to encode it, otherwise the result will be messed with the double quotes ":

value="a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}"

Update 2: Tom made a good point regarding security. You cannot make sure that $_POST['price_list'] contains the values you provided. They could be tampered by an attacker.
To make sure, that the data is valid, you can prepend some kind of secret key:

$secret_key = base64_encode('secret');

$value = $secret_key . base64_encode(serialize($item_list))

and later:

$value = $_POST['price_list'];
if(!substr($value,0,strlen($secret_key)) === $secret_key) {
    echo "Attempted attack!!";
    exit();
}
$price_list = unserialize(base64_decode(substr($value, strlen($secret_key)));
foreach($price_list as $name=>$price) {
...
}

Of course this can be improved further but should give the right idea.

Felix Kling 2010-03-24 16:40:38

These comments have helped me understand the problem going on (i.e. The Array is being written just as a String of "Array"). I have attempted to serialize and then unserialize the value, but I am given the following error:"Notice: unserialize() [function.unserialize]: Error at offset 0 of 3 bytes in /home/cut/mg299/public_html/PHP/invoice.php on line 16"What would cause this?

Wintermute 2010-03-24 16:48:27

I'd be wary of unserializing() user submitted data. a malicious user would then be able to instantiate arbitrary objects on the server, which could potentially cause you a problem, even though unlikely.

Tom Haigh 2010-03-24 16:51:06

@Wintermute: What does your array contain?

Felix Kling 2010-03-24 16:54:21

Associative Array, Strings as the Keys and Integers as the Values.

Wintermute 2010-03-24 16:56:11

e.g. in this case, if you had a class which implemented `iterator` and you were directly printing out `$price`, I could maliciously construct an instance of that by sending the right string to be unserialised, then i might get to see the results of that iterator

Tom Haigh 2010-03-24 16:57:13

@Tom Haigh: Good point updated my answer.

Felix Kling 2010-03-24 17:03:49

@Wintermute: It should work...Do you do bas64 encoding? You have to do this if you enclose the value in `""`.

Felix Kling 2010-03-24 17:16:56

Prepending a secret key is not sufficient. At this point you should also encrypt with a key only your app knows. That way, the attacker could not inject anything without you being able to detect an error.

Yuliy 2010-03-25 15:38:42

Answer 3

+1 A:

'

you might try:

foreach ($item_list as $item)
{
    $value = base64_encode($item);
    echo "<input type='hidden' name='price_list[]' value='$value'>";
}

dar7yl 2010-03-24 16:54:41

ansaurus

tags:

views:

answers:

Letting a new PHP page know a new POST value is an Array?

related questions