Page not reading variables in URL


qads
DevNet Resident
Posts: 1199
Joined: Tue Apr 23, 2002 10:02 am
Location: Brisbane

Post by qads »

Yes and no: yes 'cos it's working, NO 'cos it's not safe... use my example above ^^^
tsg
Forum Contributor
Posts: 142
Joined: Sun Jan 12, 2003 9:22 pm
Location: SE, Alabama

Post by tsg »

Oh, and one more thing (after you answer my question of course) ... Check out Grown up Britney ... WOOWWWEEEEEE

http://www.esquire.com/women/gallery/03 ... frame.html
Cruzado_Mainfrm
Forum Contributor
Posts: 346
Joined: Sun Jun 15, 2003 11:22 pm
Location: Miami, FL

Post by Cruzado_Mainfrm »

When you use superglobals (aka $_SERVER, $_GET, $_POST, $_COOKIE, etc.) you must append { and } outside the variable, example:

echo "{$_SERVER['PHP_SELF']}";

A side note, I dunno if it's obligatory to use single quotes when working with arrays, but I think that's the best way to do it, as a nice and clean manner.
tsg
Forum Contributor
Posts: 142
Joined: Sun Jan 12, 2003 9:22 pm
Location: SE, Alabama

Post by tsg »

You guys are killing me here ...

So, is this correct and SAFE:
1) $_GET[] ONLY for variables coming from the URL? (with the exception of a get form, which I don't usually do).

2) Before using the $_GET[] variable in a database query, change it (in a sense) to:

$thing = $_GET['thing'];

or a number
$thing = (int)$_GET['thing'];

3) To print a $_GET[] variable, I would:
echo "{$_GET['thing']}";

How is that??
Cruzado_Mainfrm
Forum Contributor
Posts: 346
Joined: Sun Jun 15, 2003 11:22 pm
Location: Miami, FL

Post by Cruzado_Mainfrm »

If you include arrays in a string you have to add braces only.
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

if you have done

$thing = $_GET['thing'];

then to echo

echo $thing;
Cruzado_Mainfrm
Forum Contributor
Posts: 346
Joined: Sun Jun 15, 2003 11:22 pm
Location: Miami, FL

Post by Cruzado_Mainfrm »

yep, that's better
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Check out the php manual: "Predefined Variables" for more about GET, POST etc.

You don't need to:

echo "{$_SERVER['PHP_SELF']}";

instead:

echo $_SERVER['PHP_SELF'];

To avoid ambiguities with current or future constants, single quotes should always be used when referring to an array key:

$_GET['var']

I'd recommend that you always dot concatenate strings & vars. It avoids niggling problems and makes the code clearer, e.g.:

"SELECT col FROM table WHERE col='" . $_GET['var'] . "'";

But never put unprocessed user input into a query! You must either:
(a) escape strings (mysql_escape_string or addslashes) or
(b) force numeric type (intval) on numbers.
(c) Also, always single-quote $vars used to set col values.

http://www.securereality.com.au/studyinscarlet.txt
http://www.sklar.com/page/article/owasp-top-ten
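Putting the unsafe concatenation from the post above beside the two fixes it lists, as an added example that is not code from the thread (the key names 'var' and 'id' and the request values are constructed for illustration):

```php
<?php
// Added example, not code from the thread. The unsafe concatenation from the
// post beside the two fixes it lists: (a) escape and single-quote strings,
// (b) force numeric type on numbers. Key names and input values are
// constructed for illustration.

// Unsafe: the raw $_GET value is dropped straight into the SQL text, so any
// quote in the value ends the string literal and the remainder is parsed as
// SQL instead of data.
function buildUnsafe(array $get): string {
    return "SELECT col FROM table WHERE col='" . $get['var'] . "'";
}

// Rule (a): escape the string, then wrap it in single quotes. addslashes()
// is used so this runs without a database link; against a live MySQL
// connection use mysqli_real_escape_string($link, $value), which honours
// the connection character set, or better, a prepared statement with
// placeholders so no user data is ever spliced into the SQL text.
function buildEscaped(array $get): string {
    $var = addslashes($get['var']);
    return "SELECT col FROM table WHERE col='" . $var . "'";
}

// Rule (b): force the numeric type. (int) keeps only the leading integer,
// so trailing text from the request never reaches the query.
function buildNumeric(array $get): string {
    $id = (int)$get['id'];   // intval($get['id']) is equivalent
    return "SELECT col FROM table WHERE id=" . $id;
}

// Constructed request values: a legitimate apostrophe in a name, and a
// numeric field with junk appended.
$input = ['var' => "O'Brien", 'id' => "42abc"];

echo buildUnsafe($input), "\n";   // quote inside the value breaks the literal
echo buildEscaped($input), "\n";  // value stays one quoted literal
echo buildNumeric($input), "\n";  // only the leading integer reaches the query
```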