Variable Origins

randomblink
Forum Commoner
Posts: 51
Joined: Wed Jan 28, 2004 11:27 am
Location: Tulsa, Oklahoma, just this side of hell...

Variable Origins

Post by randomblink »

Ok...
I have been playing this PHP-Based game and I have found out that it is possible to manipulate the game by passing variables through the URL. I am working on my own game that I want to base on PHP and I have to ask...

How do you tell if a variable was sent via a form? Or via a URL?
Is there a way?
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

$_GET['var'] = url
$_POST['var'] = form
dull1554
Forum Regular
Posts: 680
Joined: Sat Nov 22, 2003 11:26 am
Location: 42:21:35.359N, 76:02:20.688W

Post by dull1554 »

there really is no way to tell, especially if you're talking about the query string (get array)
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

umm.. if you read closer i think he means in general, which $_POST would work

just turn off register globals.
dull1554
Forum Regular
Posts: 680
Joined: Sat Nov 22, 2003 11:26 am
Location: 42:21:35.359N, 76:02:20.688W

Post by dull1554 »

u can still send post data in other ways other than forums
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

yes, such as a form ;)

$_POST data is only from forms.. unless they lied to me since the beginning..

i knew they were out to get me.. why didn't i see it earlier.. :x..
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

you were tooooooo busy eating them slim-jims

:lol:
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

SNAP INTO A SLIM JIM!!!
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

haha.

speak of such and such shall appear! But I am not following dull here.

generically speaking, POST was meant to be mated with forms, GET was meant to be mated with vars in the URL.

But chipmunks are beasts that are known to hump anything, even a turtle.

so there are flexes, of course.

Over-all general'ness, I will back punk 100%
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

I know get can be used in forms too, but I thought Post was ONLY for forms.. a way of making sure it was secure..

Maybe I'm mistaken, but I'm 99% sure about this :P

Maybe dull misunderstood me or something?
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Re: Variable Origins

Post by twigletmac »

randomblink wrote: Ok...
I have been playing this PHP-Based game and I have found out that it is possible to manipulate the game by passing variables through the URL.
And people wonder why register_globals should be disabled lol. Basically as others have said, the way to work around this is to ensure that you use the correct superglobal array so that session variables, cookie variables and post variables cannot be overwritten by url values.

Mac
randomblink
Forum Commoner
Posts: 51
Joined: Wed Jan 28, 2004 11:27 am
Location: Tulsa, Oklahoma, just this side of hell...

twigletmac

Post by randomblink »

Alright...
You say register_globals should be disabled?
Please explain...

Am I to understand you correctly?
If I disable register_globals then my vars won't be overwritten by the URL values?

Please tell me more...!
Thanks...
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

If you disable register_globals then you have to use the superglobal arrays - $_POST, $_GET, $_SESSION and $_COOKIE, so a value in $_POST cannot be overwritten by one in $_GET, one in $_SESSION can't be overwritten by one in $_GET. You also look at your code and know exactly where you expect data to come from.

Mac
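
An added example, not part of any post in this thread: a PHP sketch of the register_globals problem discussed above next to the superglobal-style fix. register_globals was removed in PHP 5.4, so the flat namespace is emulated here; the function names, the merge order and the request values are all constructed for the illustration.

```php
<?php
// Constructed request: in a real script these arrays are $_GET, $_POST and $_SESSION.
$get     = ['is_admin' => '1', 'move' => 'north'];  // query string, set by anyone
$post    = ['move' => 'south'];                     // request body
$session = ['user' => 'randomblink'];               // server-side; no is_admin key

// Hypothetical stand-in for register_globals: every request source lands in one
// flat namespace. The merge order (GET, then POST) is this example's assumption.
function flat_namespace(array $get, array $post): array
{
    return array_merge($get, $post);
}

// Old style: the script reads a bare name and cannot tell which source set it.
function legacy_is_admin(array $vars): bool
{
    return !empty($vars['is_admin']);
}

// Superglobal style: the privilege flag is read only from session state,
// so a query-string value with the same name never reaches this check.
function strict_is_admin(array $session): bool
{
    return ($session['is_admin'] ?? false) === true;
}

// Player input is read only from the request body and checked against an
// allow-list: naming the source says where a value arrived, not that it is valid.
function strict_move(array $post): ?string
{
    $move = $post['move'] ?? null;
    return in_array($move, ['north', 'south', 'east', 'west'], true) ? $move : null;
}

$vars = flat_namespace($get, $post);
var_dump(legacy_is_admin($vars));     // flat namespace: the URL-supplied flag is honoured
var_dump(strict_is_admin($session));  // session-only read: the URL flag is ignored
var_dump(strict_move($post));         // body-only read: the URL's 'move' is ignored
```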