
Variable Origins

Posted: Thu Apr 01, 2004 4:29 pm
by randomblink
Ok...
I have been playing this PHP-Based game and I have found out that it is possible to manipulate the game by passing variables through the URL. I am working on my own game that I want to base on PHP and I have to ask...

How do you tell if a variable was sent via a form? Or via a URL?
Is there a way?

Posted: Thu Apr 01, 2004 4:45 pm
by d3ad1ysp0rk
$_GET['var'] = url
$_POST['var'] = form

Posted: Thu Apr 01, 2004 4:46 pm
by dull1554
there really is no way to tell, especially if you're talking about the query string (get array)

Posted: Thu Apr 01, 2004 4:56 pm
by d3ad1ysp0rk
umm.. if you read closer i think he means in general, which $_POST would work

just turn off register globals.

Posted: Thu Apr 01, 2004 5:13 pm
by dull1554
u can still send post data in other ways other than forums

Posted: Thu Apr 01, 2004 8:23 pm
by d3ad1ysp0rk
yes, such as a form ;)

$_POST data is only from forms.. unless they lied to me since the beginning..

i knew they were out to get me.. why didn't i see it earlier.. :x..

Posted: Thu Apr 01, 2004 8:27 pm
by tim
you were tooooooo busy eating them slim-jims

:lol:

Posted: Thu Apr 01, 2004 8:28 pm
by d3ad1ysp0rk
SNAP INTO A SLIM JIM!!!

Posted: Thu Apr 01, 2004 8:32 pm
by tim
haha.

speak of such and such shall appear! But I am not following dull here.

generically speaking, POST was meant to be mated with forms, GET was meant to be mated with vars in the URL.

But chipmunks are beasts that are known to hump anything, even a turtle.

so there are flexes, of course.

Over-all general'ness, I will back punk 100%

Posted: Thu Apr 01, 2004 9:03 pm
by d3ad1ysp0rk
I know get can be used in forms too, but I thought Post was ONLY for forms.. a way of making sure it was secure..

Maybe I'm mistaken, but I'm 99% sure about this :P

Maybe dull misunderstood me or something?

Re: Variable Origins

Posted: Fri Apr 02, 2004 2:55 am
by twigletmac
randomblink wrote: Ok...
I have been playing this PHP-Based game and I have found out that it is possible to manipulate the game by passing variables through the URL.
And people wonder why register_globals should be disabled lol. Basically as others have said, the way to work around this is to ensure that you use the correct superglobal array so that session variables, cookie variables and post variables cannot be overwritten by url values.

Mac

Posted: Fri Apr 02, 2004 8:31 am
by randomblink
Alright...
You say register_globals should be disabled?
Please explain...

Am I to understand you correctly?
If I disable register_globals then my vars won't be overwritten by the URL values?

Please tell me more...!
Thanks...

Posted: Fri Apr 02, 2004 8:43 am
by twigletmac
If you disable register_globals then you have to use the superglobal arrays - $_POST, $_GET, $_SESSION and $_COOKIE, so a value in $_POST cannot be overwritten by one in $_GET, one in $_SESSION can't be overwritten by one in $_GET. You also look at your code and know exactly where you expect data to come from.

Mac
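
What the last reply describes, as an added example that is not part of the original thread: a game balance read through variables that any request source can set, next to the same purchase reading each value from the one superglobal it is expected in. The field names `gold` and `buy_item`, the item table, and the use of `extract()` as a stand-in for register_globals (removed in PHP 5.4.0) are assumptions of this example, and the sample request is constructed.

```php
<?php
// Constructed sample request (not from the thread): the real balance is kept
// in the session, the form posts the item, and the URL carries a forged "gold".
$_SESSION = ['gold' => 50];
$_POST    = ['buy_item' => 'sword'];
$_GET     = ['gold' => '999999'];

// Stand-in for register_globals = On: request values become plain variables,
// so the code can no longer tell which source a variable came from.
// The import order used here is an assumption made for the example.
function balance_with_globals_emulated(): int
{
    $gold = 0;
    extract($_SESSION);   // $gold = 50, from the server-side session
    extract($_GET);       // $gold = '999999', replaced by the URL value
    return (int) $gold;
}

// With register_globals off, each value is read from the one array it is
// expected in; a "gold" key in $_GET is never consulted.
function purchase(): array
{
    $prices = ['sword' => 30, 'shield' => 20];   // hypothetical item table
    $gold   = (int) ($_SESSION['gold'] ?? 0);    // state: session only
    $item   = $_POST['buy_item'] ?? '';          // action: POST body only

    // $_POST is still client-controlled, so check it against known items.
    if (!is_string($item) || !isset($prices[$item])) {
        return ['ok' => false, 'gold' => $gold, 'reason' => 'unknown item'];
    }
    if ($prices[$item] > $gold) {
        return ['ok' => false, 'gold' => $gold, 'reason' => 'not enough gold'];
    }
    $_SESSION['gold'] = $gold - $prices[$item];
    return ['ok' => true, 'gold' => $_SESSION['gold'], 'reason' => ''];
}

echo 'emulated register_globals balance: ', balance_with_globals_emulated(), PHP_EOL;
$result = purchase();
echo 'superglobal purchase ok: ', var_export($result['ok'], true),
     ', balance now: ', $result['gold'], PHP_EOL;
```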