I see links like this all the time and I know that information is being sent to the page example.php which then builds the page dynamically according to the parameters 'id' and 'myname'. How do I do this using PHP? I think it has something to do with the explode() function.
All I'm coming up with in Google is how dynamic URLs are bad and how to convert them into search-engine friendly URLs. I already understand all this. I need something that goes back one step and just teaches me the basics.
Any comment would be appreciated or just a link to a good tutorial. Much thanks.
A) Select * FROM table WHERE field='".$_POST['querystring']."'
$myvar = $_POST['querystring']; and thus
Select * FROM table WHERE field='$myvar'
Notice the difference in (') and ('") in the two examples
Predefined variables [php.net]
let's use your example
you could access the value of the variable id in the $_GET array like so
this would output "myname". It is common to pull these into a local variable such as
$myid = $_GET['id'];
this would be the same syntax for any var in your url, take this example
$myid = $_GET['id'];
$start = $_GET['start'];
$section = $_GET['section'];
these vars could then be used to do whatever you need
1. for security purposes, check all variables when they come in, any user can change the GET string and give out of range or erroneous data
2. Read through using register_globals [php.net]
3. as you mentioned, GET strings, especially with params called id or PHPSESSID are no good for SEO
4. don't pass too much data in your GET string, there are limits, they are fairly large but try to keep it short and sweet
does that help a bit?
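Added example, not from any post in this thread: it reads the `id`, `myname` and `start` parameters from `$_GET` the way the post above describes, rejects anything that is not the expected type or range (point 1 in the list), and then uses the values in a parameterized query instead of the string-concatenated `Select * FROM table WHERE field='".$_POST['querystring']."'` form quoted earlier. The URL `example.php?id=42&myname=alice&start=0`, the `users(id, name)` table, the SQLite in-memory DSN and the helper names `getInt`/`getName` are all assumptions made for this demo.

```php
<?php
// Added example (not from the thread): reading query-string parameters from
// $_GET, validating their type and range, and using them in a prepared query.
// Assumed URL:   example.php?id=42&myname=alice&start=0
// Assumed table: users(id, name)  -- constructed for this demo, not from the thread.

declare(strict_types=1);

/**
 * Return the integer value of $get[$key] if it is a string of digits within
 * [$min, $max]; otherwise return null. Raw $_GET values are always strings
 * (or arrays), never integers, so the type check has to be done here.
 */
function getInt(array $get, string $key, int $min, int $max): ?int
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return null;
    }
    // ctype_digit rejects signs, spaces, decimals and the empty string
    if (!ctype_digit($get[$key])) {
        return null;
    }
    $value = (int) $get[$key];
    return ($value >= $min && $value <= $max) ? $value : null;
}

/**
 * Return $get[$key] if it matches a short allow-list pattern, else null.
 */
function getName(array $get, string $key): ?string
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $get[$key]) === 1 ? $get[$key] : null;
}

$id    = getInt($_GET, 'id', 1, 99);             // "two-digit integer" style check
$start = getInt($_GET, 'start', 0, 10000) ?? 0;  // default when the param is absent
$name  = getName($_GET, 'myname');

if ($id === null || $name === null) {
    http_response_code(400);
    exit("Bad request: missing or invalid parameters\n");
}

// The concatenated form from the thread puts the raw value inside the SQL
// text, so a quote in the input ends the literal and the rest is parsed as SQL.
// With a prepared statement the value travels separately from the SQL text.
$pdo = new PDO('sqlite::memory:');  // assumed DSN so the demo runs stand-alone
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (42, 'alice')");  // constructed sample row

$stmt = $pdo->prepare(
    'SELECT id, name FROM users WHERE id = :id AND name = :name LIMIT 1 OFFSET :start'
);
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->bindValue(':start', $start, PDO::PARAM_INT);
$stmt->execute();

$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row) {
    // escape before echoing so a stored value cannot inject markup into the page
    echo 'Hello, ' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
        . ' (id ' . (int) $row['id'] . ")\n";
} else {
    echo "No such user\n";
}
```

Run it under the CLI server (`php -S localhost:8000`) and request `/example.php?id=42&myname=alice`; change `id` to `abc`, `-1` or `100` and the script answers 400 before any query runs. Binding with `PDO::PARAM_INT` matters for `LIMIT`/`OFFSET` on drivers that emulate prepares, which would otherwise quote the number as a string.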
initializing means you set them to a default value of the proper type before you use them, not specifically for security but it definitely helps with it
$myvar = '';
$myvar = 0;
$myvar = array();
$myvar = false;
or what have you, from a security standpoint this stops variables from having unknown values or allowing input to change their starting value/state.
If I have register_globals on and someone types in
that will set/reset $my_var to 3. Initializing variables doesn't change that one way or the other (that's why having register_globals on is such a major pain).
On the other hand, if register globals is off, nobody will be able to use a URL to reset a variable outside the superglobal arrays, whether initialized or not.
I think initializing variables is good practice and contributes to stability and avoids unexpected results, which contribute indirectly to security, but with respect to injecting values into the script I don't see a security advantage.
From a security and stability point of view I think the key thing is making sure that the values sent are of the type and in the range of what you expect. Testing for a two-digit integer is a fairly strict test, so that seems pretty good.
would mean at script start $my_var would have a value of 3
if you set
$my_var = 0;
at the top of your script it isn't going to be set again to 3 it will be 0
that was my understanding, that vars are imported into the local variable table at start of execution, if you reset them then they would be whatever you wanted.
though I haven't used anything with register_globals on in a long long time.
if you look at Example 29-1 this line comes below the code
in our example above we might have first done $authorized = false. Doing this first means our above code would work with register_globals on or off as users by default would be unauthorized.
so yes, proper initialization of all internal vars will stop variable poisoning due to register_globals being on
and later on
Of course, simply turning off register_globals does not mean your code is secure. For every piece of data that is submitted, it should also be checked in other ways. Always validate your user data and initialize your variables! To check for uninitialized variables you may turn up error_reporting() to show E_NOTICE level errors.
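Added example, not from any post in this thread or from the PHP manual: it shows the `$authorized = false` initialization pattern the quoted manual text recommends, next to the unsafe version that only sets the variable on success. register_globals was removed in PHP 5.4, so the import of request keys into local variables is simulated here with `extract()` over a constructed request array (an assumption made purely for the demo; do not call `extract()` on request data in real code). The function names `unsafeCheck` and `safeCheck` are also assumptions.

```php
<?php
// Added example (not from the thread): why initializing a variable at the top
// of the script defeats a register_globals-style overwrite.
// register_globals no longer exists (removed in PHP 5.4), so its effect is
// simulated below with extract() over a constructed request array.

declare(strict_types=1);

// As the manual quote suggests, report notices/warnings so a read of an
// uninitialized variable is visible during development.
error_reporting(E_ALL);

// Constructed request: a visitor appended ?authorized=1&page=admin to the URL.
$request = ['authorized' => '1', 'page' => 'admin'];

// --- Simulated register_globals: every request key becomes a global variable
//     before any of "our" code runs, which is the order register_globals used. ---
extract($request, EXTR_OVERWRITE);

/**
 * Unsafe: the script only sets $authorized when login succeeds and assumes it
 * is otherwise unset, so the value imported from the URL survives.
 */
function unsafeCheck(bool $loginOk): bool
{
    global $authorized;
    if ($loginOk) {
        $authorized = true;
    }
    return (bool) $authorized;   // the string '1' from the request is truthy
}

/**
 * Safe: initialize first, as the manual's "$authorized = false" pattern does,
 * so only the authentication code below can flip the value.
 */
function safeCheck(bool $loginOk): bool
{
    $authorized = false;          // default state set before any use
    if ($loginOk) {
        $authorized = true;
    }
    return $authorized;
}

// Nobody logged in, yet the two checks disagree about authorization.
echo 'unsafeCheck(false): ' . var_export(unsafeCheck(false), true) . "\n";
echo 'safeCheck(false):   ' . var_export(safeCheck(false), true) . "\n";
```

The same reasoning applies to any flag or loop variable: set it to a known value of the right type at the top of the script, then let only your own code change it. With register_globals off (and on every supported PHP version) request data stays inside `$_GET`, `$_POST` and the other superglobals, so the initialization is about predictable state rather than blocking the overwrite, which is the distinction the earlier replies were drawing.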
man, I have had to deal with that too many times
>> upon reflection
hehe, I had to go back and read it all to be sure, it would be far from the first time I was wrong and you were right ;)
I'm glad that by the time I discovered PHP, I had a couple of advantages in that
- the PHP community had mostly progressed to turning register_globals off as a matter of standard and habit.
- I had a limited but sufficient background in C++ and Pascal to give me a negative attitude toward globals and uninitialized variables
That meant that I just haven't had to deal with the variable overwriting and other headaches that much.