
Query Strings in PHP


symbiotic

Technical User
Jan 17, 2003
Hi,
I'm trying to figure out what the accepted way of using query strings is in PHP. Consider this example:

<?php
// code in somepage.php
// expects a request such as somepage.php?var1=...&var2=... to have
// populated $var1 and $var2 (only true when register_globals is On)
echo $var1;
echo $var2;
?>

Now, this code will not work if register_globals is Off, as is recommended. So, is there a secure way to use query strings, or should they be avoided altogether, in favor of session variables?
 
$_GET["var1"];
$_GET["var2"];

there's also a command to convert all the key=>value pairs to variables, but I find that leads to precarious code.

as from an earlier thread by sleipnir...

echo "<pre>";
print_r($_GET);
echo "</pre>";

to get a list of your key/value pairs in any file... at will, replace _GET with _POST to switch types of forms.

-Rob
 
There's nothing wrong with using GET-method inputs. Just keep register_globals set to "off" and access them (as in your example) as $_GET['var1'] and $_GET['var2'].

The security hole with register_globals is that it can interfere with your code. Suppose that you have a variable in your code named $var1, to which you concatenate data in a loop without explicitly initializing it to "". Also suppose that the script is not expecting any input whatsoever.

Now suppose I access your script, instead of as but rather as I can poison the values of your variables if register_globals is set to "on". Your code is expecting the value of $var1 to be initially equal to "", as PHP does by default -- so you didn't explicitly set it to "" when you first instantiated it. But because of my action, at the beginning of the script run it's set to "foo". Your code, none the wiser, runs into a while loop concatenating data to that variable, then stores the value in a database. Now I can poison the data in your database. Imagine the fun time you'll have trying to debug your code, especially when it's a data-driven error that you can't duplicate without a web server log analysis.

However, if register_globals is set to "off", $var1 in your code and $_GET['var1'] from input are kept completely separate.

Honestly, the chances of its being used against you are probably pretty remote. But keeping register_globals set to off and using the superglobal arrays can also make your code more readable and can simplify your code. Want the best answers? Ask the best questions: TANSTAAFL!
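Putting the two answers above together in one added example (this is not code from the thread or from any of its posters): the uninitialized-variable pattern sleipnir describes, a hardened version with explicit initialization, the $_GET['var1'] / $_GET['var2'] access both posters recommend with a format check added, and Rob's print_r dump made safe for output. The function names, the alphanumeric whitelist, and the $sampleGet request array are assumptions constructed for the example; on a real server you would pass $_GET itself.

```php
<?php
// Added example, not from the thread. Demonstrates the register_globals
// interference described above and the $_GET-based code recommended instead.

// --- The pattern sleipnir warns about -------------------------------------
// With register_globals=On, a request such as ?var1=foo (hypothetical) creates
// a global $var1 before any of this code runs. Because the function never
// initializes it, the loop starts concatenating onto "foo" instead of "".
function buildReportUnsafe(array $rows)
{
    global $var1;                 // never initialized: inherits any request value
    foreach ($rows as $row) {
        $var1 .= $row . "\n";
    }
    return $var1;                 // request-influenced when register_globals is On
}

// --- Hardened form ----------------------------------------------------------
// Explicit initialization means no ambient state can leak into the result,
// whatever register_globals is set to.
function buildReport(array $rows)
{
    $report = '';
    foreach ($rows as $row) {
        $report .= $row . "\n";
    }
    return $report;
}

// Read query-string input only through the superglobal, never as bare
// variables, and check it against the shape you expect. The short
// alphanumeric token pattern below is an assumed policy for this example.
function readQueryParams(array $get)
{
    $var1 = isset($get['var1']) ? (string) $get['var1'] : '';
    $var2 = isset($get['var2']) ? (string) $get['var2'] : '';

    $pattern = '/^[A-Za-z0-9_-]{0,32}$/';
    if (!preg_match($pattern, $var1)) {
        throw new InvalidArgumentException('var1 has an unexpected format');
    }
    if (!preg_match($pattern, $var2)) {
        throw new InvalidArgumentException('var2 has an unexpected format');
    }
    return array('var1' => $var1, 'var2' => $var2);
}

// Constructed request for demonstration; on a real server pass $_GET directly.
$sampleGet = array('var1' => 'abc', 'var2' => 'xyz', 'extra' => '<b>ignored</b>');

// Rob's debugging tip: dump every key=>value pair the request carried.
// print_r(..., true) returns the dump as a string so it can be escaped;
// htmlspecialchars stops request-supplied values from rendering as HTML.
echo '<pre>' . htmlspecialchars(print_r($sampleGet, true), ENT_QUOTES, 'UTF-8') . "</pre>\n";

$params = readQueryParams($sampleGet);   // only var1 and var2 are read; 'extra' is ignored
echo 'var1=' . htmlspecialchars($params['var1'], ENT_QUOTES, 'UTF-8') . "\n";
echo 'var2=' . htmlspecialchars($params['var2'], ENT_QUOTES, 'UTF-8') . "\n";

// Same loop as buildReportUnsafe, but its result depends only on $rows.
echo buildReport(array('row one', 'row two'));
```

The two report functions differ by a single line, which is the point of sleipnir's answer: with register_globals Off the unsafe version happens to behave, but only because nothing else populated $var1 first. Initializing the variable yourself, and reading request data solely through $_GET (or $_POST, swapping the array name as Rob notes), removes that dependence on configuration.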
 