$_GET variables
jo3y msg:4240146 4:44 pm on Dec 8, 2010 (gmt 0)
Ok, I have been coding for a while, mainly in PHP and SQL, but something is confusing ... I am passing 3 variables via form=get, and action=search.php. Well, I accidentally left out my variable assignments:

    $search=$_GET["search"];
    $fordom=$_GET["fordom"];
    $category=$_GET["category"];

And continued with my query within the search.php. It all still worked. I double checked the file on the server, I searched my document for any $_GET terms and they are not there, so now I am confused. Is this possible or is it likely that I am missing something?
Frank_Rizzo msg:4240307 9:05 pm on Dec 8, 2010 (gmt 0)
Sounds like you have register globals on in php. This would convert all gets to the corresponding var name. It's a big security risk. You should turn register globals off and code the vars from $_GET. Note that it is also unwise to directly use data from $_GET without sanitising it. The following would be more secure:

    $search = '';
    $fordom = 'abc';   // default fordom or blank
    $category = 'xyz'; // default category or blank
    if (isset($_GET['search']))   $search   = substr(filter_var($_GET['search'],   FILTER_SANITIZE_STRING), 0, 25);
    if (isset($_GET['fordom']))   $fordom   = substr(filter_var($_GET['fordom'],   FILTER_SANITIZE_STRING), 0, 5);
    if (isset($_GET['category'])) $category = substr(filter_var($_GET['category'], FILTER_SANITIZE_STRING), 0, 5);

This will limit the size of data which can be entered and sanitize the string to prevent some exploits. [php.net]
rocknbil msg:4240620 5:39 pm on Dec 9, 2010 (gmt 0)
A caveat: FILTER_SANITIZE_STRING is only available for version 5+, and after that the register_globals default setting is off. But even if you have an old version of PHP, it is important to cleanse that input. 4.2.0 [php.net]
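As an added example (not code posted in this thread), here is the same search.php pattern written for current PHP, where FILTER_SANITIZE_STRING is deprecated since 8.1: defaults and allowlists for the three $_GET parameters instead of relying on register_globals, a bound query so the values never become part of the SQL text, and escaping on output. The $pdo connection and an items table with title, fordom and category columns are assumed, and the allowlist values are constructed.

```php
<?php
// Added example: search.php that treats every $_GET value as untrusted.
// Assumes an existing PDO connection in $pdo and a table `items` with
// columns title, fordom, category (hypothetical names).
declare(strict_types=1);

const MAX_SEARCH_LEN   = 25;
const ALLOWED_FORDOM   = ['abc', 'def'];   // constructed allowlist
const ALLOWED_CATEGORY = ['xyz', 'uvw'];   // constructed allowlist

// Read the three parameters; a missing or invalid value falls back to a
// default, so the rest of the script never sees an undefined variable.
function read_search_params(array $get): array
{
    // FILTER_DEFAULT returns the raw string, or false for arrays/objects.
    $search = filter_var($get['search'] ?? '', FILTER_DEFAULT);
    $search = is_string($search) ? mb_substr(trim($search), 0, MAX_SEARCH_LEN) : '';

    $fordom = $get['fordom'] ?? 'abc';
    if (!is_string($fordom) || !in_array($fordom, ALLOWED_FORDOM, true)) {
        $fordom = 'abc';
    }
    $category = $get['category'] ?? 'xyz';
    if (!is_string($category) || !in_array($category, ALLOWED_CATEGORY, true)) {
        $category = 'xyz';
    }
    return ['search' => $search, 'fordom' => $fordom, 'category' => $category];
}

function run_search(PDO $pdo, array $p): array
{
    // Bound parameters keep user input out of the SQL text entirely;
    // LIKE wildcards in the search term are escaped so they match literally.
    $stmt = $pdo->prepare(
        'SELECT title FROM items WHERE fordom = :fordom AND category = :category AND title LIKE :search'
    );
    $stmt->execute([
        ':fordom'   => $p['fordom'],
        ':category' => $p['category'],
        ':search'   => '%' . addcslashes($p['search'], '%_\\') . '%',
    ]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$params = read_search_params($_GET);
foreach (run_search($pdo, $params) as $title) {
    // Escape on output so a stored value cannot inject HTML into the page.
    echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```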