
global vars on/off

Hi all!

I was trying to understand this...
http://www.php.net/manual/en/languag...s.external.php

I wonder what the community has to say about this...

I need to get some vars something.php?var=blabla... I can get the
$var, but also $_request["var"].
And there is also the file_get_contents('php://input'), but then I
have to do some more.

What do people have to say about this?

S

Feb 7 '07 #1
11 Replies


Hi S

Sonnich wrote:
> I was trying to understand this...
> http://www.php.net/manual/en/languag...s.external.php
> I wonder what the community has to say about this...
> I need to get some vars something.php?var=blabla... I can get the
> $var, but also $_request["var"].
> And there is also the file_get_contents('php://input'), but then I
> have to do some more.
> What do people have to say about this?

Get it by using $_GET['var'] and proof the content with is* functions.

HTH, Johannes
Feb 7 '07 #2

"Sonnich" <so************@elektrobit.com> wrote:
> I need to get some vars something.php?var=blabla... I can get the
> $var, but also $_request["var"].

Do you have
register_globals = on
in php.ini?

That's "dangerous". I mean something that is at least considered dangerous.
If you put register_globals = off, and use $_request, $_get, $_post and
$_cookie, you'll surely know where your variables come from.

Feb 7 '07 #3

Sonnich wrote:
> Hi all!
>
> I was trying to understand this...
> http://www.php.net/manual/en/languag...s.external.php
>
> I wonder what the community has to say about this...
>
> I need to get some vars something.php?var=blabla... I can get the
> $var, but also $_request["var"].

What do you mean exactly?

Is $_GET["var"] NOT working for you?

> And there is also the file_get_contents('php://input'), but then I
> have to do some more.

No need to complicate things.
PHP will fill the superglobal $_GET just fine for you.
It will also fill $_POST if you receive a form sent with Method="POST" (in
the HTML).

And don't use $_request because it doesn't exist, unless you created it in
your script.
Use $_REQUEST instead. :-)
But better: don't use $_REQUEST at all, because using it only shows you don't
know where your input comes from (Cookie? Get? Post?). Just use the
superglobal you KNOW will contain the information.

Regards,
Erwin Moller

> What do people have to say about this?
>
> S
Feb 7 '07 #4

On Wed, 7 Feb 2007 11:24:23 +0200, "P Pulkkinen"
<pe*************************@POISTATAMA.elisanet.fi> wrote:
> If you put register_globals = off, and use $_request, $_get, $_post and
> $_cookie, you'll surely know where your variables come from.

Why is it dangerous to use globals, and not know where the data came
from?
Feb 7 '07 #5

Vincent Delporte wrote:
> On Wed, 7 Feb 2007 11:24:23 +0200, "P Pulkkinen"
> <pe*************************@POISTATAMA.elisanet.fi> wrote:
>> If you put register_globals = off, and use $_request, $_get, $_post and
>> $_cookie, you'll surely know where your variables come from.
>
> Why is it dangerous to use globals, and not know where the data came
> from?

Well, as a simple example, let's say you put a value in your $_SESSION like:

$_SESSION['admin'] = 1;

This indicates the person has signed on and is authorized to access your
admin screens. Now what happens if I do:

http://www.example.com/admin?admin=1

With register_globals on, I could access your admin screens even though
I'm not signed on, because both could set the variable $admin to 1.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 7 '07 #6

Rik
Jerry Stuckle <js*******@attglobal.net> wrote:
> Vincent Delporte wrote:
>> On Wed, 7 Feb 2007 11:24:23 +0200, "P Pulkkinen"
>> <pe*************************@POISTATAMA.elisanet.fi> wrote:
>>> If you put register_globals = off, and use $_request, $_get, $_post
>>> and $_cookie, you'll surely know where your variables come from.
>> Why is it dangerous to use globals, and not know where the data came
>> from?
>
> Well, as a simple example, let's say you put a value in your $_SESSION
> like:
>
> $_SESSION['admin'] = 1;
>
> This indicates the person has signed on and is authorized to access your
> admin screens. Now what happens if I do:
>
> http://www.example.com/admin?admin=1
>
> With register_globals on, I could access your admin screens even though
> I'm not signed on, because both could set the variable $admin to 1.

Indeed, although this is of course bad coding. Every variable should be
initialised, and every $_SESSION / $_POST / $_GET / $_COOKIE should be
accessed like such. So, when coding correctly, having register_globals on
is not a problem. However, when making a tiny mistake or when relying on
register_globals, that's where it goes wrong. In short, unless you're
infallible, having register_globals off is just better.
--
Rik Wasmus
Feb 7 '07 #7
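
The failure mode from the `?admin=1` example and the initialisation point made in reply, as an added example that is not part of the original thread. register_globals was removed in PHP 5.4, so its effect is emulated here with `extract()`, and the function names are hypothetical; the legacy check accepts the forged request, the other two do not.

```php
<?php
// Added example, not code from the thread. register_globals was removed in
// PHP 5.4, so its effect is emulated with extract() on the query parameters.

// Pattern from post #6: $admin is assigned only on the signed-on path.
function legacyIsAdmin(array $query, array $session): bool
{
    extract($query, EXTR_SKIP);        // EXTR_SKIP protects this function's parameters
    if (isset($session['admin'])) {
        $admin = $session['admin'];
    }
    return !empty($admin);             // unset unless the session or the URL set it
}

// Post #7's point: initialise the variable before using it.
function initialisedIsAdmin(array $query, array $session): bool
{
    extract($query, EXTR_SKIP);
    $admin = false;                    // overwrites anything imported from the URL
    if (isset($session['admin'])) {
        $admin = ($session['admin'] === 1);
    }
    return $admin;
}

// With register_globals off: read the one source that is authoritative.
function explicitIsAdmin(array $session): bool
{
    return ($session['admin'] ?? null) === 1;
}

// Constructed inputs: the ?admin=1 request and two session states.
$forgedQuery = ['admin' => '1'];
$anonymous   = [];
$signedOn    = ['admin' => 1];

$results = [
    'legacy, forged request, no login'      => legacyIsAdmin($forgedQuery, $anonymous),
    'initialised, forged request, no login' => initialisedIsAdmin($forgedQuery, $anonymous),
    'explicit, no login'                    => explicitIsAdmin($anonymous),
    'explicit, signed on'                   => explicitIsAdmin($signedOn),
];
foreach ($results as $case => $isAdmin) {
    printf("%-40s %s\n", $case, $isAdmin ? 'admin' : 'denied');
}
```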

Vincent Delporte wrote:
> On Wed, 7 Feb 2007 11:24:23 +0200, "P Pulkkinen"
>> If you put register_globals = off, and use $_request, $_get, $_post and
>> $_cookie, you'll surely know where your variables come from.
>
> Why is it dangerous to use globals, and not know where the data came
> from?

Suppose I have register globals turned ON, and I have a regular
old variable called "$bCreditCardApproved = FALSE;".

By putting "?bCreditCardApproved=TRUE" in the query string, I
might muck things up for your code logic.
Feb 7 '07 #8

Rik wrote:
> Jerry Stuckle <js*******@attglobal.net> wrote:
>> Vincent Delporte wrote:
>>> On Wed, 7 Feb 2007 11:24:23 +0200, "P Pulkkinen"
>>> <pe*************************@POISTATAMA.elisanet.fi> wrote:
>>>> If you put register_globals = off, and use $_request, $_get, $_post
>>>> and $_cookie, you'll surely know where your variables come from.
>>> Why is it dangerous to use globals, and not know where the data came
>>> from?
>>
>> Well, as a simple example, let's say you put a value in your $_SESSION
>> like:
>>
>> $_SESSION['admin'] = 1;
>>
>> This indicates the person has signed on and is authorized to access
>> your admin screens. Now what happens if I do:
>>
>> http://www.example.com/admin?admin=1
>>
>> With register_globals on, I could access your admin screens even
>> though I'm not signed on, because both could set the variable $admin
>> to 1.
>
> Indeed, although this is of course bad coding. Every variable should be
> initialised, and every $_SESSION / $_POST / $_GET / $_COOKIE should be
> accessed like such. So, when coding correctly, having register_globals
> on is not a problem. However, when making a tiny mistake or when relying
> on register_globals, that's where it goes wrong. In short, unless you're
> infallible, having register_globals off is just better.
> --Rik Wasmus

Hi, Rik,

I didn't say it was *good* coding. But he did ask what the potential
problem was. :-)

And I've seen similar code way too many times, especially on sites built
for earlier versions of PHP.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 7 '07 #9

Rik
Jerry Stuckle <js*******@attglobal.net> wrote:
>> Indeed, although this is of course bad coding. Every variable should
>> be initialised, and every $_SESSION / $_POST / $_GET / $_COOKIE should
>> be accessed like such. So, when coding correctly, having
>> register_globals on is not a problem. However, when making a tiny
>> mistake or when relying on register_globals, that's where it goes
>> wrong. In short, unless you're infallible, having register_globals off
>> is just better.
>
> I didn't say it was *good* coding. But he did ask what the potential
> problem was. :-)
>
> And I've seen similar code way too many times, especially on sites built
> for earlier versions of PHP.

I agree with you, it's just an illustration.
The programmer who thinks he's infallible should think again :P

--
Rik Wasmus
Feb 7 '07 #10

Thank you all for your input, it has been useful.

I will also now take a look at $_SESSION instead of having a
?sessionid=, which is visible to the user.

S

Feb 8 '07 #11

"Sonnich" <so************@elektrobit.com> wrote in message
11**********************@s48g2000cws.googlegroups.com...
> Thank you all for your input, it has been useful.
>
> I will also now take a look at $_SESSION instead of having a
> ?sessionid=, which is visible to the user.

Hello still!

I am "bothered" by the word "instead" here, so I want to make sure there's
not any misunderstanding:

- You use $_SESSION to read and write session variables.

- You might see ?sessionid=23423423 automatically appear in your URLs,
because that's how your PHP might be configured to maintain
sessions (session.trans_id). An alternative to this is the use of cookies:
session.use_cookies

So instead of thinking "instead", just separately enjoy $_SESSION itself
and if you want at the same time start to worry about thing #2, do it. But don't
make it "instead" but "in addition to this".

:-)



Feb 8 '07 #12
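
The two points above combined, as an added example that is not part of the original thread: session data lives in `$_SESSION` while the session id travels in a cookie instead of the URL. The function names are hypothetical, the option keys are PHP's `session.*` directives without the prefix (URL rewriting is controlled by `session.use_trans_sid`), and `session_start()` with an options array needs PHP 7.0 or later.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Start a session whose id travels only in a cookie, never in the URL.
function startCookieOnlySession(): void
{
    session_start([
        'use_cookies'      => 1,   // send the id as a cookie
        'use_only_cookies' => 1,   // ignore a session id passed in the URL
        'use_trans_sid'    => 0,   // do not rewrite links to carry the id
        'use_strict_mode'  => 1,   // refuse ids the server did not generate
        'cookie_httponly'  => 1,   // hide the cookie from page scripts
    ]);
}

// Call only after credentials have been verified (verification is out of scope here).
function signOn(): void
{
    session_regenerate_id(true);   // fresh id at the privilege change, old one deleted
    $_SESSION['admin'] = 1;
}

// Authorisation reads the session store and nothing else.
function isAdmin(): bool
{
    return ($_SESSION['admin'] ?? null) === 1;
}

startCookieOnlySession();
$before = isAdmin();
signOn();
$after = isAdmin();
printf(
    "before sign-on: %s, after sign-on: %s\n",
    $before ? 'admin' : 'denied',
    $after ? 'admin' : 'denied'
);
```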
