Hmmmm .... it makes sense to me.
Ideally, I would prefer to emulate Perl's taint checking and not only limit the names of variables that can be imported, but also test that the values are "safe" for whatever the variables are being used for. But your approach is better than blindly importing all variables.
One suggestion that's not really security-related. Replace the body of the loop with:
code:
    if (isset($_POST[$var])) {
        $cgivars[$var] = $_POST[$var];
    } elseif (isset($_GET[$var])) {
        $cgivars[$var] = $_GET[$var];
    }
That will allow the code to work without warnings if you happen to set the error reporting level higher, e.g., error_reporting(E_ALL), and will also allow you to distinguish between unset variables and zero/empty-string variables.
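The following PHP is an added example, not code from the original post or from its author: it combines the isset() loop above with the per-variable value checking the reply wishes for, so each whitelisted name is imported only if it is present and passes a validator tied to how the value will be used. The function name import_request_vars, the rule table and the sample request arrays are all invented for illustration.

```php
<?php
// Added example (not from the original post). Whitelist of request
// variables with a per-variable "taint" check: a name is imported only
// if it is set (isset, so '0' and '' still count as present) AND its
// value passes the validator for its intended use.
// Function name, rule table and sample input are all illustrative.

function import_request_vars(array $rules, array $post, array $get): array
{
    $cgivars = [];
    foreach ($rules as $var => $validate) {
        // POST wins over GET, as in the loop body in the post above.
        // Note that a present-but-invalid POST value does NOT fall back
        // to GET; an attacker must not be able to choose which source wins.
        if (isset($post[$var])) {
            $raw = $post[$var];
        } elseif (isset($get[$var])) {
            $raw = $get[$var];
        } else {
            continue;                 // unset: leave it out entirely
        }
        // foo[]=1 arrives as an array; only plain strings are accepted
        if (!is_string($raw)) {
            continue;
        }
        $clean = $validate($raw);     // cleaned value, or false if unsafe
        if ($clean === false) {
            continue;                 // present but not safe for its use
        }
        $cgivars[$var] = $clean;
    }
    return $cgivars;
}

// Validators return the value in its safe form, or false to reject.
// (Arrow functions need PHP 7.4 or later.)
$rules = [
    // numeric key used in a lookup: must be a positive integer
    'id'    => fn(string $v) => filter_var($v, FILTER_VALIDATE_INT,
                                           ['options' => ['min_range' => 1]]),
    'email' => fn(string $v) => filter_var($v, FILTER_VALIDATE_EMAIL),
    // page name that will end up in an include(): letters, digits, underscore only
    'page'  => fn(string $v) => preg_match('/^[A-Za-z0-9_]{1,32}$/', $v) ? $v : false,
    // free text that will be echoed later: length-limit here, escape at output time
    'q'     => fn(string $v) => strlen($v) <= 200 ? $v : false,
];

// Constructed sample input standing in for $_POST and $_GET.
$post = ['id' => '0', 'page' => '../../etc/passwd', 'q' => ''];
$get  = ['id' => '42', 'email' => 'alice@example.com', 'page' => 'home',
         'extra' => 'not in the whitelist'];

$vars = import_request_vars($rules, $post, $get);
var_dump($vars);
```

With that input the result is ['email' => 'alice@example.com', 'q' => '']: 'id' is dropped because the POST value '0' is present (isset is true) but fails the min_range check, 'page' is dropped because the POST traversal string fails the regex, 'q' survives as an empty string rather than being confused with unset, and 'extra' is never looked at. The validators deliberately return the cleaned value rather than a boolean so that the caller only ever sees data that has already been checked for its purpose.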