
Posted: Tue Oct 07, 2003 8:14 pm
by qads
Yes and no: yes because it's working, no because it's not safe... use my example above ^^^

Posted: Tue Oct 07, 2003 8:14 pm
by tsg
Oh, and one more thing (after you answer my question of course) ... Check out Grown up Britney ... WOOWWWEEEEEE

http://www.esquire.com/women/gallery/03 ... frame.html

Posted: Tue Oct 07, 2003 8:15 pm
by Cruzado_Mainfrm
When you use superglobals (aka $_SERVER, $_GET, $_POST, $_COOKIE, etc.) you must append { and } outside the variable, example:

echo "{$_SERVER['PHP_SELF']}";

A side note: I don't know if it's obligatory to use single quotes when working with arrays, but I think that's the best way to do it, as a nice and clean manner.

Posted: Tue Oct 07, 2003 8:23 pm
by tsg
You guys are killing me here ...

So, is this correct and SAFE:
1) $_GET[] ONLY for variables coming from the URL? (with the exception of a get form, which I don't usually do).

2) Before using the $_GET[] variable in a database query, change it (in a sense) to:

$thing = $_GET['thing'];

or, for a number:
$thing = (int)$_GET['thing'];

3) To print a $_GET[] variable, I would:
echo "{$_GET['thing']}";

How is that??

Posted: Tue Oct 07, 2003 8:25 pm
by Cruzado_Mainfrm
If you include arrays in a string you have to add braces only.

Posted: Tue Oct 07, 2003 8:29 pm
by Paddy
If you have done

$thing = $_GET['thing'];

then to echo

echo $thing;

Posted: Tue Oct 07, 2003 8:32 pm
by Cruzado_Mainfrm
Yep, that's better.

Posted: Tue Oct 07, 2003 9:32 pm
by McGruff
Check out the PHP manual: "Predefined Variables" for more about GET, POST etc.

You don't need to:

echo "{$_SERVER['PHP_SELF']}";

instead:

echo $_SERVER['PHP_SELF'];

To avoid ambiguities with current or future constants, single quotes should always be used when referring to an array key:

$_GET['var']

I'd recommend that you always dot-concatenate strings and vars. It avoids niggling problems and makes the code clearer, e.g.:

"SELECT col FROM table WHERE col='" . $_GET['var'] . "'";

But never put unprocessed user input into a query! You must either:
(a) escape strings (mysql_escape_string or addslashes) or
(b) force numeric type (intval) on numbers.
(c) Also, always single-quote $vars used to set col values.

http://www.securereality.com.au/studyinscarlet.txt
http://www.sklar.com/page/article/owasp-top-ten
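The three rules in the post above, worked through on a constructed malicious input. This is an added example, not code from the original thread or its posters: the query and column names are placeholders, the input strings are made up to look like what an attacker would put in the URL, and addslashes() is used in place of mysql_escape_string(), which newer PHP versions no longer ship.

```php
<?php
// Added example (not from the original thread). Builds the kind of query
// McGruff shows, first with raw input and then following his rules:
// (a) escape strings, (b) force numeric type with intval(), (c) keep
// string values single-quoted. addslashes() stands in for the old
// mysql_escape_string(); the table/column names are placeholders.

// Constructed attacker input, standing in for $_GET['var'] and $_GET['id']
// (when run from the CLI, $_GET is empty, so the values are hard-coded here).
$name_input = "x' OR '1'='1";
$id_input   = "1 OR 1=1";

// Unsafe: raw user input concatenated straight into the query. The quote
// inside the input closes the SQL string early and the rest of the input
// becomes part of the WHERE condition.
function unsafe_query(string $var): string {
    return "SELECT col FROM table WHERE col='" . $var . "'";
}

// Rules (a) + (c): escape the string AND keep it inside single quotes.
// Every quote in the input is now backslash-escaped, so it can no longer
// terminate the SQL string literal.
function safe_string_query(string $var): string {
    return "SELECT col FROM table WHERE col='" . addslashes($var) . "'";
}

// Wrong for a number: escaping alone does nothing here, because there are
// no quotes around the value for the attacker to have to break out of.
// "1 OR 1=1" contains nothing addslashes() touches, so it goes through intact.
function escaped_but_unquoted_number(string $id): string {
    return "SELECT col FROM table WHERE id=" . addslashes($id);
}

// Rule (b): force numeric type. intval() keeps only the leading integer
// and discards everything after it.
function safe_number_query(string $id): string {
    return "SELECT col FROM table WHERE id=" . intval($id);
}

// Run each builder on the same input so the difference is visible.
foreach ([
    'unsafe string'            => unsafe_query($name_input),
    'escaped + quoted string'  => safe_string_query($name_input),
    'escaped, unquoted number' => escaped_but_unquoted_number($id_input),
    'intval() number'          => safe_number_query($id_input),
] as $label => $sql) {
    printf("%-26s %s\n", $label . ':', $sql);
}
```

Running it shows the unsafe string query and the escaped-but-unquoted number query both carrying the attacker's OR clause into the WHERE condition, while the escaped-and-quoted string and the intval() number do not; that is exactly why rule (c) says to single-quote string values and rule (b) says to use intval() rather than escaping for numbers. Two caveats a practitioner should add today: addslashes() and mysql_escape_string() are not aware of the connection character set, so on multibyte charsets they can be bypassed, and the preferred fix is a parameterised query (for example PDO prepared statements), where the value never becomes part of the SQL text at all. The same "don't trust it until you've processed it" rule applies to tsg's question about printing: echoing $_GET['thing'] straight into an HTML page needs htmlspecialchars() for the same reason the query needs escaping.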