Like I said, I'm lazy too. I guess the security risks come down to giving any user the chance to set any variable on your page to whatever they feel like at the beginning of the script, simply by playing with the URL. An extreme example of what could go wrong is something like:

    if ($foo == $bar) {
        $cmd = "/a/script/to/run";
    }
    // some code
    if ($cmd) {
        exec($cmd);
    }

You think you're OK: if you haven't set $cmd, it doesn't run. But then some donkey goes and sets cmd=[something malicious] in the URL and you're in trouble. 'Course, there should be much more sanity checking before ever calling exec, but that's the idea.

Using $_POST, $_GET and $_REQUEST is more portable, and you can get at them from inside classes and functions too. What you do in the privacy of your server is your own business, but I'd recommend them if you're going to be sharing your code.

Matt

> -----Original Message-----
> From: Carl Caamano [mailto:[EMAIL PROTECTED]]
> Sent: 23 September 2002 16:08
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP-WIN] GET / POST
>
> Thanks for the tip. I can get to my php.ini, but I was just wondering what
> the "correct" way to code is. I'm not sure what the security risks are, but I'm
> going to check them out shortly at PHP.net. As for me, there is none,
> because I am on an isolated (i.e. not public) network.
> I'm not sure if using $message instead of $_POST['message'] is lazy, but it
> sure is a hell of a lot easier to type! It's more like what I am used to, such as
> in Perl or perhaps C. I've used those briefly, so don't quote me on that.
> Java is my main programming background.
>
> "Matt Kynaston" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Yeah, lots of lazy coders out there (me included :). You can try something
> > like this at the top of your script to mimic register_globals if you don't
> > have access to your php.ini - keep in mind security risks:
> >
> >     if (!ini_get('register_globals')) {
> >         // mimic GPCS order
> >         if ($_GET) extract($_GET);
> >         if ($_POST) extract($_POST);
> >     }
> >
> > This doesn't 'register' cookie or session vars.
> >
> > Matt
> >
> > > -----Original Message-----
> > > From: Carl Caamano [mailto:[EMAIL PROTECTED]]
> > > Sent: 23 September 2002 15:07
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [PHP-WIN] GET / POST
> > >
> > > I am also a newbie to PHP. I have been writing and copying code from the
> > > web. It seems to me that without having register_globals set to on, 99% of
> > > the code out there is useless. I have been using the POST method for my
> > > form method. I've tried modifying code from the web to work without
> > > register_globals being set. I get parse errors saying something like
> > > T_VARIABLE ',' or ';' expected most of the time.
> > >
> > > For example, how would you change this line?
> > >
> > >     if ( $sender_email and $message )
> > >
> > > Or I was thinking maybe you have to "import" your variables at the beginning
> > > of the script by having a bunch of lines similar to this:
> > >
> > >     $message = $_POST['message'];
> > >
> > > (being that the variable in the HTML page is called message, a text box in
> > > this case)
> > >
> > > TIA
> > >
> > > "Rich Gray" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > Comments below...
> > > >
> > > > -----Original Message-----
> > > > From: XXXPixie [mailto:[EMAIL PROTECTED]]
> > > > Sent: 08 September 2002 09:52
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [PHP-WIN] GET / POST
> > > >
> > > > Hi! I'm a total newbie to PHP4 and web design and I (of course) have a
> > > > problem:
> > > > I'm using Apache 2.x and PHP4 as a module.
> > > > So, when I use the GET method to pass data to my PHP script:
> > > >
> > > >     script.php?x=5
> > > >
> > > > I can't access it as a normal global variable:
> > > >
> > > >     <?php
> > > >     print $x;
> > > >     ?>
> > > >
> > > > The only way I can get to it is:
> > > >
> > > >     <?php
> > > >     print $_GET['x'];
> > > >     ?>
> > > >
> > > > What's wrong?
> > > >
> > > > RG> PHP v4.2.x has register_globals set to Off by default, which is why you
> > > > have to access the _GET superglobal array - if security is not an issue
> > > > then either switch on register_globals again or do something like
> > > > extract($_GET) or extract($_REQUEST) at the top of your script...
> > > >
> > > > By the way, what's the difference between GET and POST methods anyway?
> > > >
> > > > RG> Very briefly .... HTTP GET method passes data via the query string/URL,
> > > > HTTP POST method data is sent via the HTTP headers - POST method is more
> > > > secure (can't be tampered with easily) and can handle large data
> > > > transmissions with binary data, GET is bookmarkable but is limited in size
> > > > and can be easily modified by a user...
> > > >
> > > > HTH
> > > > Rich
> > > >
> > > > --
> > > > PHP Windows Mailing List (http://www.php.net/)
> > > > To unsubscribe, visit: http://www.php.net/unsub.php
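An added example, not code posted by anyone in this thread, that makes Matt's `$cmd` warning concrete. It stands in for `register_globals` with `extract()`, feeds constructed arrays in place of the real query string so it runs from the CLI with no web server, and puts the same logic beside a version that reads `$_GET` explicitly. The `action` parameter, the `/a/script/report` and `/bin/evil` paths, the `g` prefix and the `$benign`/`$poisoned`/`$forced` request arrays are all assumptions made for the example:

```php
<?php
// Added example (not code from the thread). Shows why extract($_GET) /
// register_globals lets a request invent or overwrite variables, and the
// explicit-superglobal alternative Matt recommends. Requests below are
// constructed arrays standing in for the query string: php example.php
declare(strict_types=1);

// Matt's pattern, with extract() standing in for register_globals.
// Returns what would be handed to exec() instead of running it.
function vulnerable(array $get, string $foo, string $bar): ?string
{
    extract($get);                 // every request key becomes a local variable:
                                   // it can overwrite $foo/$bar and create $cmd
    if ($foo == $bar) {
        $cmd = '/a/script/to/run';
    }
    // ... some code ...
    if (isset($cmd) && $cmd) {     // "if you haven't set $cmd, it doesn't run"
        return $cmd;               // the original calls exec($cmd) here
    }
    return null;
}

// Same logic written against the superglobal directly: $cmd is always
// initialised by the script, the only request key read is 'action'
// (a hypothetical parameter name), and it is mapped through an allowlist,
// so the client can never supply the command string itself.
function hardened(array $get, string $foo, string $bar): ?string
{
    $cmd = null;
    if ($foo === $bar) {
        $cmd = '/a/script/to/run';
    }
    $allowed = ['report' => '/a/script/report'];   // hypothetical command map
    $action  = $get['action'] ?? null;
    if ($cmd === null && is_string($action) && isset($allowed[$action])) {
        $cmd = $allowed[$action];
    }
    return $cmd;
}

// If you really must mimic register_globals, prefix the extracted names so
// they cannot collide with your own: EXTR_PREFIX_ALL turns ?cmd=... into
// $g_cmd, not $cmd. EXTR_SKIP alone is not enough, because it only protects
// variables that already exist at the point of the extract() call.
function prefixed(array $get): array
{
    extract($get, EXTR_PREFIX_ALL, 'g');
    return get_defined_vars();     // shows which names the request created
}

// Constructed requests (not captured traffic).
$benign   = ['x' => '5'];                            // ?x=5
$poisoned = ['cmd' => '/bin/evil'];                  // ?cmd=/bin/evil
$forced   = ['foo' => 'same', 'bar' => 'same'];      // ?foo=same&bar=same

foreach (['benign' => $benign, 'poisoned' => $poisoned, 'forced' => $forced] as $name => $get) {
    printf("%-8s vulnerable: %-18s hardened: %s\n", $name,
        vulnerable($get, 'a', 'b') ?? '(nothing)',
        hardened($get, 'a', 'b') ?? '(nothing)');
}
print_r(array_keys(prefixed($poisoned)));
```

Running it shows the two distinct failure modes of the extract/register_globals approach: the poisoned request makes `vulnerable()` return a command the script never set, and the forced request makes it take the `$foo == $bar` branch by overwriting variables the script did set, while `hardened()` returns nothing in both cases because it only ever reads the one key it expects and only accepts allowlisted values for it. The last line lists `g_cmd` rather than `cmd` among the prefixed variables, which is the collision `EXTR_PREFIX_ALL` prevents.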