Newbie question on superglobal variables

charp
Forum Commoner
Posts: 85
Joined: Sun Oct 26, 2003 3:00 pm
Location: Rancho Cucamonga, Calif. USA

Post by charp »

Newbie here trying to learn the basics. Three questions...

Question #1
I understand there is a security issue with register_globals and the solution is to use superglobals such as $_POST['name'].

Since that's a handful to type each time I use that variable, I was wondering if there's any security risk to using the following:

Code:

$name = $_POST['name'];

I figure this conversion back to a regular (?) variable would save me some time and trouble as I continue to use the variable $name throughout a page.

Question #2
The manner in which superglobals increase security escapes me. I've read about someone guessing the variable name, setting it to TRUE, and bypassing the security of your pages. How, exactly, does using $_POST['name'] provide security for guessing variable names when $name doesn't?

Question #3
In MySQL, a single database can hold a very large number of tables. What are the trade offs of using separate databases with individual tables versus using several tables on a single database? Speed, security? I'm just looking for a general answer here.

Thanks to those who are sure to help out here. This forum has been one of the best I've ever joined.
scorphus
Forum Regular
Posts: 589
Joined: Fri May 09, 2003 11:53 pm
Location: Belo Horizonte, Brazil

Re: Newbie question on superglobal variables

Post by scorphus »

charp wrote:
Question #1
I understand there is a security issue with register_globals and the solution is to use superglobals such as $_POST['name'].

Since that's a handful to type each time I use that variable, I was wondering if there's any security risk to using the following:

Code:

$name = $_POST['name'];

I figure this conversion back to a regular (?) variable would save me some time and trouble as I continue to use the variable $name throughout a page.

I'll try to help you with #1 first. If you feel comfortable doing $name = $_POST['name'], just do it; there is no security risk. With PHP editors now coming with code-completion features, typing $_POST[''] is no longer much of a handful.

Take a look at the import_request_variables function.

Cheers,
Scorphus.
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

For your POST and GET variables you can also do this:

Code:

extract($_POST);
extract($_GET);

print $name;

Pretty certain there aren't any speed issues with your MySQL question; it is all down to the design of the database(s).

Mark
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

In some situations, using extract() is pretty much the same thing as having register_globals on: because you are not controlling the variables coming into your script, someone could set something in the URL which overwrites another of your variables.

By doing

Code:

$name = $_POST['name'];

you are ensuring that the value of $name was posted via a form and hasn't been spoofed from the URL, for instance. The added security will depend entirely on what type of application you are writing - a login script needs to be more sure of where variables are coming from than a feedback form in general.

The other bonus of doing $name = $_POST['name'] is that weeks/months/years down the line, you know that $name came from a posted form, not from the URL, a cookie or somewhere else and that makes debugging many times easier.

My £0.02

Mac
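
The difference twigletmac describes above, which is also the answer to charp's Question #2, as an added example that is not part of the original thread. It runs from the PHP command line; the $is_admin variable, the function names and the request values are constructed for illustration.

```php
<?php
// Constructed request data so the script runs from the CLI.
// In a real request PHP fills these superglobals itself.
$_POST = ['name' => 'charp'];
$_GET  = ['is_admin' => '1'];   // a parameter the script never asked for

// Pattern 1: extract(), as posted earlier in the thread. Every request key
// becomes a local variable, so a key in the URL can replace a variable the
// script had already set ($is_admin is a hypothetical application flag).
function with_extract(): array
{
    $is_admin = false;          // decided by the application
    extract($_POST);
    extract($_GET);             // default EXTR_OVERWRITE replaces $is_admin
    return ['name' => $name ?? null, 'is_admin' => $is_admin];
}

// Pattern 2: explicit assignment. Only the named key is read, only from
// $_POST, and everything else in the request is ignored.
function with_explicit_read(): array
{
    $is_admin = false;
    $name = (isset($_POST['name']) && is_string($_POST['name']))
        ? $_POST['name']
        : '';
    return ['name' => $name, 'is_admin' => $is_admin];
}

// Pattern 3: where extract() cannot be removed yet, EXTR_SKIP leaves
// variables that already exist untouched.
function with_extract_skip(): array
{
    $is_admin = false;
    extract($_GET, EXTR_SKIP);
    return ['is_admin' => $is_admin];
}

var_dump(with_extract());
var_dump(with_explicit_read());
var_dump(with_extract_skip());
```

Only the first function lets the request change $is_admin; the other two keep the value the script assigned.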
charp
Forum Commoner
Posts: 85
Joined: Sun Oct 26, 2003 3:00 pm
Location: Rancho Cucamonga, Calif. USA

Post by charp »

Thanks to all who replied. Your comments were helpful and appreciated.

I will, without a doubt, return with more questions...