
how to loop through post vars ??


hos2

Programmer
May 6, 2002
I want to turn off globals so I can't use the variables straight away and want to use
$name = $_POST['name']; method

but how can I loop through all the post vars so that the variable name gets the value of the variable ???

 
You just loop through it like any array:
Code:
foreach ($_POST as $key => $val) {
  # use the key as variable name
  $$key = $val;
}

By using the double $ sign you create a variable by the name of the content of $key.
However, I see no distinct advantage to this in comparison to register_globals ON.
IMO the idea of having it OFF is that you use the superglobal arrays $_POST etc. and refer to the variables like that in the code. You will not have any uninitialized vars that way. If you just translate all $_POST array members you have no advantage of having register_globals off.
 
I understand what you are saying but you might have misunderstood what I tried to convey:

When you translate the POST vars in the described manner there is virtually no difference between that and having register_globals ON. It will not stop the person hacking your site.

From the thread you referred to:
Once you have turned off Register Globals, you will need to code using specific scope arrays, such as GET, POST, etc. Instead of using $var for data passed through the query string, use $_GET['var']. (No serious programmer codes for Register Globals 'on', because of this security risk)
 
yep but then there are also get variables which can be added to the url. if I explicitly define for each page then it should be impossible to override the posted vars or other vars ????

I have to loop through 20 post vars and perhaps only one or 2 get vars

or will that not be enough ?

and perhaps I can't stop him trying to hack my site but I can close some likely possibilities for him (or her)


 
Let's identify the advantages and limits of register globals off:

1. $_POST['myVar'] is taken from the posted variables. Whenever I refer to it in the code then I know where it came from.
2. It is not possible that an outside person can set an uninitialized variable to an arbitrary setting.
Let's assume for argument's sake that $authenticated was not initialized by a stupid logical mistake I made. If register globals is on anyone can append and initialize the variable. This is not an issue when register globals is off. However, if you manually convert let's say the GET parameters into vars it is possible again.
This is the main issue about register globals.

3. Turning register globals off will not make the content of POST variables or GET variables any more trustworthy. It just limits the avenues into your code and the internally used variables.
It would take me less than a minute to make a form that posts to any given script and passes arbitrary values.
 
yep but when globalvars are off someone can't post his own get vars if they are not explicitly converted with $_GET right ??


 
I think you are trying to salvage code that was written assuming register globals is on. Right?

But here to your question:
If register globals is OFF and you initialize local variables from an explicit statement like
Code:
$myLocalVar = $_GET['myLocalVar'];

then you prevent the infusion of an arbitrary variable into a local variable. If someone tries to send a GET variable 'badVar' in the URL and you don't translate it you are safe.

However, as advice for the future, write code that is based on the assumption that register globals is off. And don't ever forget: do not trust user input.
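
The difference discussed in the posts above, as an added example that is not code from any poster: importing every request key as a variable lets the request set an uninitialized `$authenticated`, while copying only an explicit list of expected fields does not. The field names (`name`, `email`), the sample request and the function names are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Field names and values are constructed.

// Constructed request: one expected field plus one the form never contained.
$post = ['name' => 'Alice', 'authenticated' => '1'];

// Pattern 1: import every request key as a variable.
// This has the same effect as running with register_globals ON.
function import_all(array $request): bool
{
    // The logical mistake from the thread: $authenticated is never initialized.
    foreach ($request as $key => $val) {
        $$key = $val;   // a key chosen by the sender becomes a local variable
    }
    return !empty($authenticated);
}

// Pattern 2: copy only the fields this page expects; all other keys are ignored.
function import_allowed(array $request, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $field) {
        // Missing fields become null, so no expected name is left undefined.
        // Array values (name[]=x) are dropped because the page expects strings.
        $value = $request[$field] ?? null;
        $clean[$field] = is_string($value) ? $value : null;
    }
    return $clean;
}

function is_authenticated_explicit(array $request): bool
{
    $authenticated = false;   // initialized by the script, never by the request
    $fields = import_allowed($request, ['name', 'email']);
    // Real authentication (session lookup, password check) would set the flag here.
    return $authenticated;
}

var_dump(import_all($post));
var_dump(is_authenticated_explicit($post));
var_dump(import_allowed($post, ['name', 'email']));
```

With the constructed request, the first call reports the flag as set by the request and the second does not, because `authenticated` is not on the list of expected fields. The copied values are still untrusted input and need validation before use.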
 
yep I will start to rewrite my code and then see if I can put globals to off.

and I also check user input but I will look at it again for the not so common fields

ps is it also easy to check for the referrer since I noticed that one of the common practices is to save a form locally and then change the hidden fields to your liking and submit it again. I found it strange that there is no serverside validation if the script is running from the server ???

or is this a variable ??
 
If someone is good at spoofing headers they can pretend to be any referrer they want. It is an additional check: look at $_SERVER['HTTP_REFERER'].

The script is always running on the server. The origin of the sent values is a different question.
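
One way to write the additional referrer check mentioned above, as an added example that is not from the original post: it compares the full host of the `Referer` header with the expected one instead of searching for a substring. The function name, host names and sample URLs are assumptions; since the header is supplied by the client, a match is only a hint about where the form came from.

```php
<?php
// Added example (not from the thread); host names and URLs are constructed.

// Returns true only when the Referer header names exactly the expected host.
// The header is sent by the client, so a match is a hint, not proof of origin.
function referer_matches_host(?string $referer, string $expectedHost): bool
{
    if ($referer === null || $referer === '') {
        return false;   // header absent: clients and proxies may strip it
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;   // no host component, e.g. a locally saved file
    }
    // Compare the whole host; a substring test would also accept
    // look-alike hosts such as "www.example.test.other.test".
    return strcasecmp($host, $expectedHost) === 0;
}

// Constructed sample values for the header.
$samples = [
    'http://www.example.test/form.php',
    'http://www.example.test.other.test/form.php',
    'file:///C:/saved/form.html',
    null,
];
foreach ($samples as $referer) {
    printf(
        "%-48s %s\n",
        var_export($referer, true),
        referer_matches_host($referer, 'www.example.test') ? 'match' : 'no match'
    );
}

// In a page: referer_matches_host($_SERVER['HTTP_REFERER'] ?? null, 'www.example.test')
```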
 
Two questions:

1) Is there a way to get the name of the form field when looping via foreach through the $_POST/$_REQUEST arrays?

something like:
foreach($_REQUEST as $blah)
{
print $blah->Name;
}

2) Also, why can't I use $_REQUEST[0], $_REQUEST[2] etc. If it's a standard array this should work right? All that seems to work is something like

foreach($_REQUEST as $blah)
{
print $blah;
}

I'd have thought this would work

for ($i=0;$i<count($_REQUEST);$i++)
{
print $_REQUEST[$i];
}

of course it doesn't which is really strange. as count($_REQUEST) works fine

Cheers for any help
Rob
 
1. Yes.
Code:
foreach ($_POST as $key => $val) {
  # $key has the fieldname
  # $val the value
}

2. $_REQUEST is an associative array keyed by fieldname. I believe there is no numerical index.

The answer to question 1 provides you with all that you need to successfully access the vars in the array.

BTW, this post should have been a new thread.
 