checking for cookies

is there more than one way in php?


HelenDev

10:09 am on Jun 16, 2004 (gmt 0)

I know that to check for cookies in php goes something like this...


if (!isset($_COOKIE['name'])) {
setcookie("name", $stuff, time()+36000);
}

However I have some pages on my site where it does it like this, like checking if variable is set...


if (!isset($name)) {
setcookie("name", $stuff, time()+36000);
}

Is this a valid way to do it too? Both appear to work fine.

dcrombie

10:22 am on Jun 16, 2004 (gmt 0)

The first option will always work. The second requires "REGISTER_GLOBALS" to be turned on. You should only have that option turned on if you're confident you know what you're doing security-wise.

HelenDev

10:30 am on Jun 16, 2004 (gmt 0)

I host with an outside company and their documentation says, "Our servers are set up with Register Globals turned on". I guess they know what they're doing!

I'm assuming the former is the best way then. Do you think I should change those other pages or is it OK to leave?

dcrombie

10:56 am on Jun 16, 2004 (gmt 0)

It's not about whether they know what they're doing - probably not given that statement - but whether you do.

With REGISTER_GLOBALS turned on, the $name variable could come from $_GET, $_POST, $_SERVER or $_COOKIE. In some cases that can have serious security implications if you don't check all your input variables.

e.g. Someone can add "?name=newname" and that value will show up as $name (but not as $_COOKIE["name"]).

Clear as mud?

vincevincevince

10:58 am on Jun 16, 2004 (gmt 0)

If you ever intend to change webhosts, it would be good to fix them now.

Secondly it is a big security risk.

i.e.

if I call your page as:
http://yourdomain/yourpage.php?name=Vincent

then
$_COOKIE['name'] = ""
BUT
$name = "Vincent"

i.e. cookie values can be overridden by putting variables in the URL path - just imagine if someone were to call your page as /yourpage.php?admin=Yes ... it would take only guessing the right variable name!

HelenDev

11:14 am on Jun 16, 2004 (gmt 0)

Ah. I see.

Cheers for the advice :)

I'll fix the pages.

HelenDev

2:05 pm on Jun 16, 2004 (gmt 0)

I may be barking totally up the wrong tree, but does this kind of thing also mean that I should also be using


if($_POST['searchtext']==''){
//do stuff
}

rather than


if($searchtext ==''){
//do stuff
}

Netizen

4:04 pm on Jun 16, 2004 (gmt 0)

Indeed it does - anything that's from the filled-in form needs to be extracted from $_POST, anything in the query string (e.g. script.php?id=4, the id bit) needs to be extracted from $_GET.

Hope that helps.

HelenDev

8:56 am on Jun 18, 2004 (gmt 0)

Cheers Netizen.

Is there a bit of code I could chuck into my existing forms which would automatically get all the values submitted in $_POST and name them with their variable name, as it were?

For example, if I had the values


$_POST['username']
$_POST['usertel']
$_POST['useremail']

it would generate

$username
$usertel
$useremail

dcrombie

9:49 am on Jun 18, 2004 (gmt 0)

extract [php.net]

;)

HelenDev

10:11 am on Jun 18, 2004 (gmt 0)

Cheers dcrombie, that looks like just the kind of thing I need. So I guess I just do it like this

extract($_POST, EXTR_SKIP);

I don't imagine there would be any variable clashes so I think I should choose EXTR_SKIP. From a security view I assume I only need worry when using GET?
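An added example (not code from this thread) that simulates the register_globals effect discussed above with constructed request data, shows why the `!isset($name)` check fails to detect a missing cookie while `!isset($_COOKIE['name'])` does, and shows the caveat on `extract($_POST, EXTR_SKIP)`: EXTR_SKIP only protects variables that already exist, so initialise defaults and extract an allow-list. The `form_fields` helper and the assignment of the superglobals are assumptions for the demonstration.

```php
<?php
// Constructed request: no "name" cookie was sent, but the query string
// carries ?name=Vincent&admin=Yes (the scenario from the thread).
$_COOKIE = [];
$_GET    = ['name' => 'Vincent', 'admin' => 'Yes'];
$_POST   = [];

// Assumption: register_globals behaves like extract() over the merged
// request arrays, so every request key becomes a plain global variable.
$request = array_merge($_GET, $_POST, $_COOKIE);
extract($request);              // $name and $admin now exist as globals

// The second check from the thread: it only asks "does $name exist?",
// and the URL parameter satisfied it, so the cookie would never be set.
$needs_cookie_loose  = !isset($name);            // false
// The first check from the thread: reads the cookie superglobal directly,
// which the query string cannot populate.
$needs_cookie_strict = !isset($_COOKIE['name']); // true
var_dump($needs_cookie_loose, $needs_cookie_strict);

// The "?admin=Yes" problem: a flag that was never initialised is
// trivially satisfied by any request parameter of the same name.
$is_admin_loose = !empty($admin);                // true, from the URL
var_dump($is_admin_loose);

// Safer form handling for the extract() question at the end of the thread:
// initialise every expected variable first (so EXTR_SKIP has something to
// protect) and copy only the fields the form is supposed to contain.
function form_fields(array $post, array $allowed): array
{
    $fields = array_fill_keys($allowed, '');     // defaults for all fields
    foreach ($allowed as $key) {
        if (isset($post[$key]) && is_string($post[$key])) {
            $fields[$key] = $post[$key];
        }
    }
    return $fields;                              // nothing else gets through
}

// Constructed form submission that smuggles an extra "is_admin" field.
$_POST = ['username' => 'alice', 'usertel' => '555-0100', 'is_admin' => '1'];
$is_admin = false;                               // initialised before extract
extract(form_fields($_POST, ['username', 'usertel', 'useremail']), EXTR_SKIP);
var_dump($username, $usertel, $useremail, $is_admin); // $is_admin stays false
```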