Re: accessing $_GET implicitly



"David Cartwright" <dscartwright@xxxxxxxxxxx> wrote in ...
: "|-|erc" <h@xxx> wrote in message
: > OK, here's the start of the index file I'm working on and it's used for
: > every page like so
: > index.php?action=register
: > index.php?action=logout
: > etc.
: > if ($action != "do_login")
: > {
: > $user = $_COOKIE['user'];
: > $pass = $_COOKIE['pass'];
: > if (verifyuser('', $pass,$user) == TRUE)
: > Nowhere in config or functions is $action defined, so how can this work?
:
: There is a PHP configuration directive (i.e. something you put in the config
: file) "register_globals" which allows any or all entities from forms (GET
: and POST), cookies, server internals and the local environment to appear to
: scripts just as if they're day-to-day script variables. As of PHP 4.2.0 this
: defaults to "off", though clearly you can turn it on if you so desire.
:
: I don't personally like implicit variable definitions like this, because
: variables can trample over one another and cause confusion (or even security
: problems) when what you thought was a local variable turns out to be a field
: from a form, or vice versa. The developers of PHP clearly don't like it
: either, as they've taken the conscious decision to turn it off.
:
: For a developer, a nicer way to go is the import_request_variables()
: function, which you can drop into your scripts to register form variables
: yourself. import_request_variables() allows you to prefix the variable names
: with a text string to allow you to distinguish them from other variables -
: so, for instance, everything I write has an import_request_variables() call
: that makes all my form variables appear as $form_blah, thus guaranteeing I'm
: not going to trample over local stuff by mistake.
:

Great, thanks, I just used import_request_variables("gpc"); and all the pages work now.
GET and POST are so simple to use anyway, so I'll stick with them at least for my own code.

Herc
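
An added example, not part of the original posts: it contrasts an unprefixed import, as in import_request_variables("gpc"), with the "form_" prefix recommended in the quoted reply, on a page that never initialises one of its own variables. import_request_variables() and register_globals were removed in PHP 5.4, so the hypothetical helper import_vars() plus extract() stand in for the import here; render_page(), the $authorized flag and the request data are constructed for illustration.

```php
<?php
// Constructed stand-in for the request data of
// index.php?action=register&authorized=1 (sample values, not from the thread).
$request = ['action' => 'register', 'authorized' => '1'];

// Hypothetical helper: builds the name => value map that an import with the
// given prefix would define as script variables.
function import_vars(array $request, string $prefix = ''): array
{
    $vars = [];
    foreach ($request as $name => $value) {
        // Skip keys that are not plain identifiers, plus the reserved names.
        if (!is_string($name) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)
            || $name === 'GLOBALS' || $name === 'this') {
            continue;
        }
        $vars[$prefix . $name] = $value;
    }
    return $vars;
}

// A page that assigns $authorized only inside its login branch and never
// initialises it on any other action (assumed page logic for the demo).
function render_page(array $request, string $prefix): string
{
    $vars = import_vars($request, $prefix);
    extract($vars);                          // define the imported names as locals
    if (($vars[$prefix . 'action'] ?? '') === 'do_login') {
        $authorized = false;                 // placeholder for a real login check
    }
    // With an empty prefix a request field named "authorized" has already
    // defined $authorized; with "form_" it only exists as $form_authorized.
    return !empty($authorized) ? 'member page' : 'login form';
}

echo render_page($request, ''), "\n";        // no prefix, like import_request_variables("gpc")
echo render_page($request, 'form_'), "\n";   // prefixed, like the $form_blah convention
```

Initialising every script-owned variable before use, or reading only the expected keys from $_GET, $_POST and $_COOKIE, closes the same gap without relying on the prefix.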


