Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Query Strings in PHP 1

Status
Not open for further replies.
symbiotic

symbiotic

Technical User
Joined
Jan 17, 2003
Messages
28
Location
GB
Hi,
I'm trying to figure out what the accepted way of using Query Strings is in PHP. Consider this example:


<?php
//code in somepage.php
echo $var1;
echo &var2;
?>

Now, this code will not work if register_globals is Off, as is reccomended. So, is there a secure way to use query strings, or should they be avoided altogether, in favor of session variables?
 
Sort by date Sort by votes
$_GET[&quot;var1&quot;];
$_GET[&quot;var2&quot;];

there's also a command to convert all the key=>value pairs to variables, but I find that leads to precarious code.

as from an earlier thread by sleipnir...

echo &quot;<pre>&quot;;
print_r($_GET);
echo &quot;</pre>&quot;;

to get a list of your key value pairs in any file... at will replace _GET with _POST to switch types of forms.

-Rob
 
Upvote 0 Downvote
There's nothing wrong with using GET-method inputs. Just keep register_globals set to &quot;off&quot; and access them (as in your example) as $_GET['var1'] and $_GET['var2'].

The security hole with register_globals is that it can interfere with your code. Suppose that you have a variable in your code named $var1, to which you concatenate data in a loop without explicitly initializing it to &quot;&quot;. Also suppose that the script is not expecting any input whatsoever.

Now suppose I access your script, instead of as but rather as I can poison the values of your variables if register_globals is set to &quot;on&quot;. Your code is expecting the value of $var1 to be initially equal to &quot;&quot;, as PHP does by default -- so you didn't explicitly set it to &quot;&quot; when you first instantiated it. But because of my action, at the beginning of the script run it's set to &quot;foo&quot;. Your code, none the wiser, runs into a while loop concatenating data to that variable, then stores the value in a database. Now I can poison the data in your database. Image the fun time you'll have trying to debug your code, especially when it's a data-driven error that you can't duplicate without a web server log analysis.

However, if register_globals is set to &quot;off&quot;. $var1 in your code and $_GET['var1'] from input are kept completely separate.

Honestly, the chances of it's being used against you are probably pretty remote. But keeping register_globals set to off and using the superglobal arrays can also make your code more readable and can simplify your code. Want the best answers? Ask the best questions: TANSTAAFL!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

cdlvj
  • Locked
  • Question Question
PHP Debugging
Replies
1
Views
746
cdlvj
cdlvj
W
  • Locked
  • Question Question
how to send checked row data in php
Replies
0
Views
615
wiltang2004
W
SashaBuilder3
  • Locked
  • Question Question
import CSV file into MySql table in PhpMyAdmin
Replies
0
Views
1K
SashaBuilder3
SashaBuilder3
PeDa
  • Locked
  • Question Question
Unwanted spaces in php HTML mail
Replies
4
Views
703
PeDa
PeDa
Mandy_crw
  • Locked
  • Question Question
How to send sms in PHP using usb gsm modem?
Replies
1
Views
863
vishvajit
vishvajit

Part and Inventory Search

Sponsor

Back
Top