My apps work fine and get the job done, but for one thing: I have been working with register_globals on, and
now I need to bite the bullet and clean up my act. You can always find info on initializing variables etc.,
but the explanations are not always in depth or complete. So...
If I pass variables through a link and then use $_GET, is the following acceptable AND secure?
Let's say I pass the following in a link: /file.php?state=FL
Then in file.php (PHP_SELF may be another story, but I'm still interested in the differences there):
Example 1 -----------
[code=php]
<?php
// register_globals off: read the value explicitly from the request
$state = isset($_GET['state']) ? $_GET['state'] : '';
$state_PC_name = array("FL"=>"Florida", "GA"=>"Georgia", "CA"=>"California");
// look up only known codes; an unknown code gives '' instead of an "undefined index" notice
$state_proper = isset($state_PC_name[$state]) ? $state_PC_name[$state] : '';
echo $state_proper;
?>
[/code]
I'm sure I could've eliminated a step there by calling the array state_proper, but I intentionally wanted to have some variations.
Is that basically what I need to do in general to run with register_globals off?
Also, when using any/all variables that are part of a query string:
Example 2 ------------
[code=php]
<?php
// query FL records
// escape the request value before it is placed inside the SQL string
$state = mysql_real_escape_string($_GET['state']);
$sql = "select * from states WHERE state = '$state' ";
$result = mysql_query($sql, $connection);
// does anything need to be done prior to setting them in the
while ($row = mysql_fetch_array($result))
{
    $ID = $row['ID'];
    $Name = $row['Name']; // column name assumed from the variable name; it was left blank in the post
}
?>
[/code]
I also came across a usage of ('" . $variable . "') somewhere in a query/insert string and can't find out more about why that is being used that way, as opposed to just $variable?
Any comments on this are appreciated. Also, if there are similar examples that point out WHAT NOT TO do in those examples, that's great too.
thanks!
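For comparison, here is an added example (not code from the poster) that does both jobs of the post without relying on register_globals: the request value is read explicitly from $_GET and checked against the same whitelist as Example 1, and the query of Example 2 is run with a PDO prepared statement so the user-supplied value is never spliced into the SQL text at all. It assumes a table named states with columns ID, state and Name (as the post implies); the DSN and credentials are placeholders.

```php
<?php
// Added example, not from the original post.
// Assumptions: table `states` with columns ID, state, Name; DSN/credentials are placeholders.
declare(strict_types=1);

// Whitelist of accepted state codes -> proper names (same data as Example 1).
$stateNames = array("FL" => "Florida", "GA" => "Georgia", "CA" => "California");

/**
 * Return the validated state code from the request, or null if it is absent or
 * not in the whitelist. Unknown values are rejected rather than escaped.
 */
function requestedState(array $get, array $whitelist): ?string
{
    if (!isset($get['state']) || !is_string($get['state'])) {
        return null;
    }
    $code = strtoupper($get['state']);
    return array_key_exists($code, $whitelist) ? $code : null;
}

/**
 * Fetch the rows for one state with a prepared statement. The value is bound as
 * a parameter, so quoting is the driver's job and the SQL text stays constant.
 */
function rowsForState(PDO $db, string $code): array
{
    $stmt = $db->prepare("SELECT ID, Name FROM states WHERE state = :state");
    $stmt->execute(array(':state' => $code));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$state = requestedState($_GET, $stateNames);
if ($state === null) {
    http_response_code(400);
    echo "Unknown or missing state";
    exit;
}

// Example 1 equivalent: the raw request value is only ever used as a lookup key.
echo htmlspecialchars($stateNames[$state], ENT_QUOTES, 'UTF-8'), "\n";

// Example 2 equivalent. Placeholder DSN and credentials.
$db = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_USER',
    'YOUR_PASSWORD',
    array(
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    )
);

foreach (rowsForState($db, $state) as $row) {
    $ID = (int) $row['ID'];
    $Name = $row['Name'];
    // Escape on output: a value stored in the database may itself contain HTML.
    echo $ID, ": ", htmlspecialchars($Name, ENT_QUOTES, 'UTF-8'), "\n";
}
```

On the ('" . $variable . "') construction asked about in the post: inside a double-quoted PHP string, `"` closes the string, `.` concatenates $variable, and `"` reopens it, while the single quotes are the SQL string delimiters. It is functionally the same as writing '$variable' inside the double-quoted string, so it offers no protection of its own; the value still has to be escaped or, better, bound as a parameter as above.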