
php mysql register globals & variables

Posted: Thu Aug 27, 2009 4:22 pm
by benair
I've been hacking along for a number of years - self taught in PHP and admittedly my code is so-so.
My apps work fine and get the job done, but for one thing I have been working with register globals on and
now I need to bite the bullet and clean up my act. You can always find info on initializing variables etc.,
but the explanations are not always in depth or complete. so...

If I pass variables through a link and then use $_GET, is the following acceptable AND secure?

Let's say I pass the following in a link: /file.php?state=FL
Then in file.php (PHP_SELF may be another story but still interested in the differences there)

Example 1-----------

<?php

// With register_globals off the query-string value has to be read from
// the $_GET superglobal (the original line used $GET, which is just an
// ordinary, undefined variable)
$state = $_GET['state'];

$state_PC_name = array("FL"=>"Florida", "GA"=>"Georgia", "CA"=>"California");

// look the abbreviation up in the array to get the full name
$state_proper = $state_PC_name[$state];

echo $state_proper;

?>
[/code ]

I'm sure I could've eliminated a step there by calling the array state_proper but intentionally wanted to have some variations, 
but is that basically what I need to do in general to run with register_globals off?


Also when using any/all variables that are part of a query string

Example 2 ------------

[code=php ]
<?php

// query FL records
$state = mysql_real_escape_string($_GET['state']);

$sql = "select * from states WHERE state = '$state' ";
$result = mysql_query($sql, $connection);   // semicolon was missing in the original

// does anything need to be done prior to setting them in the

while ($row = mysql_fetch_array($result))
{
    $ID = $row['ID'];
    $Name = $row['Name'];   // original had $row[''] (empty key); the column name 'Name' is assumed here
}

?>
[/code ]


I also came across a usage of ('" . $variable . "') somewhere in a query/insert string and can't find out more about why it is being used that way as opposed to just $variable?


Any comments on this are appreciated. Also, if there are similar examples that point out WHAT NOT TO do in those examples, that's great too.
Thanks!

Re: php mysql register globals & variables

Posted: Thu Aug 27, 2009 5:26 pm
by jackpf
Well...you seem to be getting the hang of it.

Although I do have a few suggestions.

First of all, you might want to check if the variables exist before using them.

For example:

$var = $_GET['var']; //if "var" is not in the query string, you will get an "undefined index" error...

//the "proper" way (or at least, the way I do it...)
$var = (isset($_GET['var'])) ? $_GET['var'] : NULL;
For your example, you could extend that to simplify it, like so:

// the link in the question is /file.php?state=FL, so the parameter to read is 'state'
// (the original line read $_GET['FL'], which would never be set)
$state = (isset($_GET['state']) && in_array($_GET['state'], array('array', 'of', 'acceptable', 'states'))) ? $_GET['state'] : 'default_state';
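
Putting the two suggestions above together, here is an added example (written for this page, not code from either poster) that reads the query-string value with register_globals off, checks it exists, validates it against the whitelist from Example 1, and then runs the Example 2 query as a prepared statement instead of splicing the value into the SQL text. The connection parameters are placeholders, and the 'states' table with columns ID and Name is assumed from Example 2. The closing comment also answers the ('" . $variable . "') question from the first post.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table "states" with
// columns ID and Name, and placeholder connection details.

// Whitelist of accepted values: key = what the link may carry, value = display name.
$state_PC_name = array("FL" => "Florida", "GA" => "Georgia", "CA" => "California");

// 1. Read the parameter only if it was actually sent; otherwise use a default.
//    Without isset(), a missing "state" raises an undefined-index notice.
$state = isset($_GET['state']) ? $_GET['state'] : 'FL';

// 2. Validate against the whitelist. Anything that is not one of the known keys
//    is rejected before it reaches the query or the page output.
if (!array_key_exists($state, $state_PC_name)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Unknown state');
}

$state_proper = $state_PC_name[$state];
// htmlspecialchars() keeps the echoed value from being interpreted as HTML.
echo htmlspecialchars($state_proper, ENT_QUOTES, 'UTF-8') . "\n";

// 3. Query with a prepared statement (mysqli). The value is bound as a parameter,
//    so it is never part of the SQL string and needs no escaping.
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
if ($db->connect_error) {
    exit('Connection failed');
}

$stmt = $db->prepare('SELECT ID, Name FROM states WHERE state = ?');
if ($stmt === false) {
    exit('Prepare failed');
}
$stmt->bind_param('s', $state);   // 's' = bind as a string
$stmt->execute();
$stmt->bind_result($ID, $Name);

while ($stmt->fetch()) {
    echo htmlspecialchars($ID . ': ' . $Name, ENT_QUOTES, 'UTF-8') . "\n";
}
$stmt->close();
$db->close();

// About the ('" . $variable . "') form asked about in the first post: inside a
// double-quoted string PHP already interpolates $variable, so
//   "WHERE state = '$state'"
// and
//   "WHERE state = '" . $state . "'"
// build exactly the same SQL. The dot form is plain string concatenation; it is
// needed when the surrounding string is single-quoted or when the expression is
// not a bare variable (a function call, or an array element with a quoted key).
// Neither form is safer than the other: only escaping or binding the value is.
?>
```

The whitelist check is the important step for register_globals clean-up: once a value can only be one of the keys you defined, it is safe both as an array index and as output, and the prepared statement removes the need to think about quoting in the query at all.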

Re: php mysql register globals & variables

Posted: Thu Aug 27, 2009 6:07 pm
by benair
Interesting. I clearly understand your first example, and as for the second one I'll need to step through it a little to get a clearer understanding. I may follow this up after I can run through that and break it down. I like what I see there, it's just not what I'm used to using...
? $_GET['FL'] : 'default_state';

Also, apparently I'm not displaying my sample code tags properly in my post.

Thanks Very Much for the prompt reply and assistance!

Re: php mysql register globals & variables

Posted: Thu Aug 27, 2009 6:10 pm
by jackpf
Yeah, that's called the "ternary operator".

And yeah...you put spaces.