Page not reading variables in URL
Oh, and one more thing (after you answer my question of course) ... Check out Grown up Britney ... WOOWWWEEEEEE
http://www.esquire.com/women/gallery/03 ... frame.html
-
Cruzado_Mainfrm
- Forum Contributor
- Posts: 346
- Joined: Sun Jun 15, 2003 11:22 pm
- Location: Miami, FL
When you use superglobals (aka $_SERVER, $_GET, $_POST, $_COOKIE, etc.) you must append { and } outside the variable, example:
echo "{$_SERVER['PHP_SELF']}";
A side note: I dunno if it's obligatory to use single quotes when working with arrays, but I think that's the best way to do it, as a nice and clean manner.
You guys are killing me here ...
So, is this correct and SAFE:
1) $_GET[] ONLY for variables coming from the URL? (with the exception of a get form, which I don't usually do).
2) Before using the $_GET[] variable in a database query, change it (in a sense) to:
$thing = $_GET['thing'];
or a number
$thing = (int)$_GET['thing'];
3) To print a $_GET[] variable, I would:
echo "{$_GET['thing']}";
How is that??
-
Cruzado_Mainfrm
- Forum Contributor
- Posts: 346
- Joined: Sun Jun 15, 2003 11:22 pm
- Location: Miami, FL
Check out the php manual: "Predefined Variables" for more about GET, POST etc.
You don't need to:
echo "{$_SERVER['PHP_SELF']}";
instead:
echo $_SERVER['PHP_SELF'];
To avoid ambiguities with current or future constants, single quotes should always be used when referring to an array key:
$_GET['var']
I'd recommend that you always dot concatenate strings & vars. It avoids niggling problems and makes the code clearer, e.g.:
"SELECT col FROM table WHERE col='" . $_GET['var'] . "'";
But never put unprocessed user input into a query! You must either:
(a) escape strings (mysql_escape_string or addslashes) or
(b) force numeric type (intval) on numbers.
(c) Also, always single-quote $vars used to set col values.
http://www.securereality.com.au/studyinscarlet.txt
http://www.sklar.com/page/article/owasp-top-ten
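An added example, not code from this thread, that runs the patterns discussed above (the quoted-concatenation query, the asker's intval cast) against a constructed in-memory SQLite table through PDO, with a bound parameter standing in for the escaping step. Assumed names: the `users` table and the function names below; pdo_sqlite is assumed to be available.

```php
<?php
// Added example, not the thread's own code. Uses PDO with an in-memory SQLite
// database (constructed sample data) so it runs without a MySQL server.
// Assumed: a `users` table with columns id and name.

function buildUnsafeQuery(string $name): string {
    // The concatenation pattern from the thread: a raw $_GET value placed
    // inside the SQL quotes without any processing.
    return "SELECT id FROM users WHERE name='" . $name . "'";
}

function lookupUnsafe(PDO $pdo, string $name): string {
    try {
        $row = $pdo->query(buildUnsafeQuery($name))->fetch(PDO::FETCH_ASSOC);
        return $row ? 'row id ' . $row['id'] : 'no row';
    } catch (PDOException $e) {
        // An apostrophe in the input ends the SQL string early and the
        // query fails to parse: the input has become part of the SQL.
        return 'query error';
    }
}

function lookupPrepared(PDO $pdo, string $name): string {
    // A bound parameter keeps the value out of the SQL text entirely, so
    // no escaping call (mysql_escape_string/addslashes) is needed.
    $stmt = $pdo->prepare("SELECT id FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? 'row id ' . $row['id'] : 'no row';
}

function lookupById(PDO $pdo, string $rawId): string {
    // Option (b) from the thread: force numeric type before use.
    // intval() keeps leading digits and turns anything else into 0.
    $id = intval($rawId);
    $stmt = $pdo->prepare("SELECT name FROM users WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : 'no row';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (id, name) VALUES (7, 'O''Brien')"); // constructed row

$input = "O'Brien"; // stands in for $_GET['name']; a legitimate value with an apostrophe
echo buildUnsafeQuery($input), "\n";
echo lookupUnsafe($pdo, $input), "\n";
echo lookupPrepared($pdo, $input), "\n";
echo lookupById($pdo, "7abc"), "\n";
```

The same input that makes the concatenated query fail is handled correctly by the prepared statement, which is the point the reply makes about never putting unprocessed input into a query.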