
Newbie question on superglobal variables

Posted: Tue Nov 11, 2003 1:48 pm
by charp
Newbie here trying to learn the basics. Three questions...

Question #1
I understand there is a security issue with register_globals and the solution is to use superglobals such as $_POST['name'].

Since that's a handful to type each time I use that variable, I was wondering if there's any security risk to using the following:

$name = $_POST['name'];
I figure this conversion back to a regular (?) variable would save me some time and trouble as I continue to use the variable $name throughout a page.

Question #2
The manner in which superglobals increase security escapes me. I've read about someone guessing the variable name, setting it to TRUE, and bypassing the security of your pages. How, exactly, does using $_POST['name'] provide security for guessing variable names when $name doesn't?

Question #3
In MySQL, a single database can hold a very large number of tables. What are the trade offs of using separate databases with individual tables versus using several tables on a single database? Speed, security? I'm just looking for a general answer here.

Thanks to those who are sure to help out here. This forum has been one of the best I've ever joined.

Re: Newbie question on superglobal variables

Posted: Tue Nov 11, 2003 2:03 pm
by scorphus
charp wrote: Question #1
I understand there is a security issue with register_globals and the solution is to use superglobals such as $_POST['name'].

Since that's a handful to type each time I use that variable, I was wondering if there's any security risk to using the following:

$name = $_POST['name'];
I figure this conversion back to a regular (?) variable would save me some time and trouble as I continue to use the variable $name throughout a page.
I'll try to help you with #1 first. If you feel comfortable with doing $name = $_POST['name'], just do it, there is no security risk. With PHP editors now coming with code-completion features, typing is not too much of a handful when it comes to writing $_POST[''].

Take a look at the import_request_variables() function.

Cheers,
Scorphus.

Posted: Tue Nov 11, 2003 2:47 pm
by JayBird
For your POST and GET variables you can also do this:

extract($_POST);
extract($_GET);

print $name;

Pretty certain there aren't any speed issues with your MySQL question, it is all down to the design of the database(s).

Mark

Posted: Wed Nov 12, 2003 4:44 am
by twigletmac
In some situations, using extract() is pretty much the same thing as having register_globals on, because you are not controlling the variables coming into your script; someone could set something in the URL which overwrites another of your variables.

By doing

$name = $_POST['name'];

you are ensuring that the value of $name was posted via a form and hasn't been spoofed from the URL, for instance. The added security will depend entirely on what type of application you are writing - a login script needs to be more sure of where variables are coming from than a feedback form in general.

The other bonus of doing $name = $_POST['name'] is that weeks/months/years down the line, you know that $name came from a posted form, not from the URL, a cookie or somewhere else and that makes debugging many times easier.

My £0.02

Mac
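The overwrite problem Mac describes, shown side by side with the explicit `$_POST['name']` form, as an added example that is not code from anyone in this thread. Both functions take plain arrays standing in for `$_GET`/`$_POST` so the script runs from the command line; the request values at the bottom are constructed, and the `login_*` function names are my own.

```php
<?php
// login_with_extract(): the register_globals-like pattern. extract() copies
// every request key into the local scope, so a query-string parameter named
// 'authorized' silently replaces the flag the script itself initialised.
function login_with_extract(array $get, array $post): bool
{
    $authorized = false;          // the flag this script intends to control
    extract($get);                // every GET key becomes a local variable
    extract($post);               // every POST field becomes a local variable
    if (isset($user, $pass) && $user === 'alice' && $pass === 'secret') {
        $authorized = true;
    }
    return (bool) $authorized;    // $get['authorized'] can reach this line
}

// login_explicit(): Mac's recommendation. Only the two fields the script
// expects are read, from the one source they are expected in; nothing in
// the URL can touch $authorized because no code path ever reads $get.
function login_explicit(array $get, array $post): bool
{
    $authorized = false;
    $user = isset($post['user']) ? (string) $post['user'] : '';
    $pass = isset($post['pass']) ? (string) $post['pass'] : '';
    if ($user === 'alice' && $pass === 'secret') {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a query string carrying a spoofed flag, a form with
// wrong credentials, and a form with the right ones.
$spoofedGet = ['authorized' => '1'];
$badPost    = ['user' => 'mallory', 'pass' => 'wrong'];
$goodPost   = ['user' => 'alice',   'pass' => 'secret'];

var_dump(login_with_extract($spoofedGet, $badPost)); // spoofed flag leaks through
var_dump(login_explicit($spoofedGet, $badPost));     // wrong credentials are rejected
var_dump(login_explicit([], $goodPost));             // correct credentials are accepted
```

The first call returns true even though the credentials are wrong; the explicit version only returns true for the third call. Passing the EXTR_SKIP flag to extract() would protect a variable that already exists, but it still imports every request key that does not, so the explicit assignment remains the safer habit.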

Posted: Wed Nov 12, 2003 7:10 pm
by charp
Thanks to all who replied. Your comments were helpful and appreciated.

I will, without a doubt, return with more questions...