Posted: Tue Oct 07, 2003 8:14 pm
by qads
yes and no, yes cos it's working, NO cos it's not safe... use my example above ^^^
Posted: Tue Oct 07, 2003 8:14 pm
by tsg
Oh, and one more thing (after you answer my question of course) ... Check out Grown up Britney ... WOOWWWEEEEEE
http://www.esquire.com/women/gallery/03 ... frame.html
Posted: Tue Oct 07, 2003 8:15 pm
by Cruzado_Mainfrm
when u use superglobals (aka $_SERVER, $_GET, $_POST, $_COOKIE, etc.) you must append { and } outside the variable, example:
echo "{$_SERVER['PHP_SELF']}";
a side note, i dunno if it's obligatory to use single quotes when working with arrays, but i think that's the best way to do it, as a nice and clean manner
Posted: Tue Oct 07, 2003 8:23 pm
by tsg
You guys are killing me here ...
So, is this correct and SAFE:
1) $_GET[] ONLY for variables coming from the URL? (with the exception of a get form, which I don't usually do).
2) Before using the $_GET[] variable in a database query, change it (in a sense) to:
$thing = $_GET['thing'];
or, for a number:
$thing = (int)$_GET['thing'];
3) To print a $_GET[] variable, I would:
echo "{$_GET['thing']}";
How is that??
Posted: Tue Oct 07, 2003 8:25 pm
by Cruzado_Mainfrm
if you include arrays in a string u have to add braces only
Posted: Tue Oct 07, 2003 8:29 pm
by Paddy
if you have done
$thing = $_GET['thing'];
then to echo
echo $thing;
Posted: Tue Oct 07, 2003 8:32 pm
by Cruzado_Mainfrm
yep, that's better
Posted: Tue Oct 07, 2003 9:32 pm
by McGruff
Check out the php manual: "Predefined Variables" for more about GET, POST etc.
You don't need to:
echo "{$_SERVER['PHP_SELF']}";
instead:
echo $_SERVER['PHP_SELF'];
To avoid ambiguities with current or future constants, single quotes should always be used when referring to an array key:
$_GET['var']
I'd recommend that you always dot concatenate strings & vars. It avoids niggling problems and makes the code clearer, eg:
"SELECT col FROM table WHERE col='" . $_GET['var'] . "'";
But never put unprocessed user input into a query! You must either:
(a) escape strings (mysql_escape_string or addslashes) or
(b) force numeric type (intval) on numbers.
(c) Also, always single-quote $vars used to set col values.
http://www.securereality.com.au/studyinscarlet.txt
http://www.sklar.com/page/article/owasp-top-ten
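The rules tsg asks about and McGruff spells out (force numeric type on numbers, escape and single-quote strings, concatenate with dots) put side by side in one runnable script. This is an added example, not code posted in the thread: the function names and the sample $_GET values are constructed, the script assumes PHP 7 or later, and it uses addslashes() (named in the thread) so it runs from the command line with no database; for a live MySQL connection the connection-aware equivalent is mysqli_real_escape_string().

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

// Constructed stand-in for a real query string: one parameter that should
// be a number but is not, and one string that contains a single quote.
$_GET = [
    'id'   => '7 OR 1=1',
    'name' => "O'Brien",
];

// UNSAFE: raw $_GET values dropped straight into the SQL text. The quote in
// 'name' closes the literal early and the text after the number becomes SQL.
function unsafe_query(array $get): string
{
    return "SELECT col FROM users WHERE id=" . $get['id']
         . " AND name='" . $get['name'] . "'";
}

// SAFE per the thread:
//  (a) (int)/intval on numeric parameters: "7 OR 1=1" collapses to 7,
//      non-numeric text collapses to 0;
//  (b) escape string parameters and always wrap them in single quotes,
//      so the escaped quote can no longer terminate the literal;
//  (c) dot-concatenate instead of interpolating inside the string.
function safe_query(array $get): string
{
    $id   = (int) $get['id'];          // -> 7
    $name = addslashes($get['name']);  // -> O\'Brien
    return "SELECT col FROM users WHERE id=" . $id
         . " AND name='" . $name . "'";
}

echo "unsafe: ", unsafe_query($_GET), "\n";
echo "safe:   ", safe_query($_GET), "\n";
```

Running it prints the two query strings so the difference is visible: the unsafe version yields `WHERE id=7 OR 1=1 AND name='O'Brien'`, the safe one `WHERE id=7 AND name='O\'Brien'`. The cast and the escape are exactly the two branches McGruff lists; on current PHP the usual replacement for hand escaping is a parameterised query through mysqli or PDO, which removes the need to build the SQL text from user input at all.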