
Databases Forum

    
$ GET variables
jo3y
msg:4240146
4:44 pm on Dec 8, 2010 (gmt 0)

Ok, I have been coding for a while mainly in PHP and SQL, but something is confusing ...

I am passing 3 variables via form=get, and action=search.php.

Well, I accidentally left out my variable assignments:

$search=$_GET["search"];
$fordom=$_GET["fordom"];
$category=$_GET["category"];

And continued with my query within the search.php. It all still worked. I double checked the file on the server, I searched my document for any $_GET terms and they are not there, so now I am confused.

Is this possible or is it likely that I am missing something?


Frank_Rizzo
msg:4240307
9:05 pm on Dec 8, 2010 (gmt 0)

Sounds like you have register globals on in php. This would convert all gets to the corresponding var name.

It's a big security risk. You should turn register globals off and code the vars from $_GET.

Note that it is also unwise to directly use data from $_GET without sanitising it. The following would be more secure:


$search='';
$fordom='abc'; // default fordom or blank
$category='xyz'; // default category or blank

if(isset($_GET['search'])) $search = substr(filter_var($_GET['search'], FILTER_SANITIZE_STRING), 0, 25);
if(isset($_GET['fordom'])) $fordom = substr(filter_var($_GET['fordom'], FILTER_SANITIZE_STRING), 0, 5);
if(isset($_GET['category'])) $category = substr(filter_var($_GET['category'], FILTER_SANITIZE_STRING), 0, 5);

This will limit the size of data which can be entered and sanitize the string to prevent some exploits.

[php.net...]

rocknbil
msg:4240620
5:39 pm on Dec 9, 2010 (gmt 0)

A caveat: FILTER_SANITIZE_STRING is only available in version 5+, and after 4.2.0 [php.net] the register_globals default setting is off. But even if you have an old version of PHP, it is important to cleanse that input.
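The following is an added example, not code posted in this thread, that puts Frank_Rizzo's advice (read each value out of $_GET explicitly, with a default and a length cap) and rocknbil's caveat (check the runtime you are actually on) into one search.php. It assumes a PDO connection, a table named items with columns name, fordom and category, and placeholder allowlists for fordom and category; the sample rows it inserts are constructed for the demo. It validates instead of calling FILTER_SANITIZE_STRING, which was deprecated in PHP 8.1, and hands the values to the database as bound parameters, so the query text never contains user input.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection and a table
// `items` (name, fordom, category); the allowlist values are placeholders.
declare(strict_types=1);

// Refuse to run if register_globals is on. ini_get() returns false once the
// directive no longer exists (PHP 5.4+), which counts as "off".
function registerGlobalsEnabled(): bool
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Placeholder allowlists: replace with the values your application accepts.
const ALLOWED_FORDOM   = ['abc', 'def'];
const ALLOWED_CATEGORY = ['xyz', 'uvw'];

// Pull each parameter out of $_GET explicitly: a default, a length limit and,
// where the legal values are known, an allowlist (a value not on the list
// falls back to the default rather than reaching the query).
function readParams(array $get): array
{
    $search = isset($get['search']) && is_string($get['search'])
        ? mb_substr(trim($get['search']), 0, 25)
        : '';
    // Drop control characters; no SQL escaping here, the value is bound below.
    $search = preg_replace('/[\x00-\x1F\x7F]/u', '', $search) ?? '';

    $fordom = isset($get['fordom']) && in_array($get['fordom'], ALLOWED_FORDOM, true)
        ? $get['fordom'] : ALLOWED_FORDOM[0];
    $category = isset($get['category']) && in_array($get['category'], ALLOWED_CATEGORY, true)
        ? $get['category'] : ALLOWED_CATEGORY[0];

    return ['search' => $search, 'fordom' => $fordom, 'category' => $category];
}

// Escape LIKE wildcards supplied by the user so "%" or "_" cannot widen the
// match; "!" is declared as the escape character in the query below.
function likePattern(string $term): string
{
    return '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
}

// Prepared statement: user-controlled values never become part of the SQL text.
function runSearch(PDO $db, array $p): array
{
    $stmt = $db->prepare(
        "SELECT name, fordom, category FROM items
          WHERE fordom = :fordom AND category = :category
            AND name LIKE :pattern ESCAPE '!'
          LIMIT 50"
    );
    $stmt->execute([
        ':fordom'   => $p['fordom'],
        ':category' => $p['category'],
        ':pattern'  => likePattern($p['search']),
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (registerGlobalsEnabled()) {
    http_response_code(500);
    exit('register_globals is enabled; refusing to run.');
}

// In-memory SQLite with constructed sample rows so the script runs offline;
// swap in your real DSN and drop the CREATE/INSERT lines in production.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE items (name TEXT, fordom TEXT, category TEXT)');
$db->exec("INSERT INTO items VALUES ('example widget', 'abc', 'xyz'),
                                    ('100% cotton', 'abc', 'xyz')");

$params = readParams($_GET);
foreach (runSearch($db, $params) as $row) {
    // Escape on output: this is where HTML injection is prevented.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Requesting search.php?search=100%25&fordom=abc&category=xyz matches only the "100% cotton" row, because the user's "%" is escaped before it reaches LIKE; a request with category=foo silently gets the default category instead of an error or a pass-through.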
