Eliminating $_GET

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Eliminating $_GET

Post by nielsene »

I'm working on a script, where I would like to completely eliminate the $_GET superglobal. I tried an

Code:

unset($_GET);
but isset($_GET) still returns true after it. Any ideas?
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

All this time I thought the super globals are owned by the PHP compiler (or whatever) and we have no control over the array name ($_GET, $_POST etc).
protokol
Forum Contributor
Posts: 353
Joined: Fri Jun 21, 2002 7:00 pm
Location: Cleveland, OH

Re: Eliminating $_GET

Post by protokol »

nielsene wrote:I'm working on a script, where I would like to completely eliminate the $_GET superglobal. I tried an

Code:

unset($_GET);
but isset($_GET) still returns true after it. Any ideas?
Why in the sweet hell do you care if $_GET is there?
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Because earlier another variable captures and cleanses the superglobals. I do not wish other developers to bypass the security by directly accessing the superglobals. Nor do I want the developer to even think about trying to pull in values from outside the current scope.

Once I've captured them, eliminating them is the best protection.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

odd, these work for me (both called with script.php?test=1)

Code:

<?php

echo '<pre>before
'.htmlentities(var_export($_GET,true)).'</pre>';
unset($_GET);
echo '<pre>after
'.htmlentities(var_export($_GET,true)).'</pre>';

?>
output

Code:

before
array (
  'test' => '1',
)


Notice: Undefined variable: _GET in W:\web\test.php on line 7

after
NULL
and

Code:

<?php

echo '<pre>before
'.htmlentities(var_export($_GET,true)).'</pre>';
foreach($_GET as $k => $v)
{
  unset($_GET[$k]);
}
echo '<pre>after
'.htmlentities(var_export($_GET,true)).'</pre>';

?>
output

Code:

before
array (
  'test' => '1',
)

after
array (
)

php 5.0.4
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Interesting... Those work for me as well, but:

Code:

<?php
function killGet() {
  unset($_GET);
}
echo '<pre>before
'.htmlentities(var_export($_GET,true)).'</pre>';
killGet();
echo '<pre>after
'.htmlentities(var_export($_GET,true)).'</pre>';
?>
doesn't work. So it looks like you can only unset them from the script scope. Inside a function or a class it fails. Passing the array by reference into killGet also failed. (And yes, I already used the foreach unset() workaround.)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

interesting... there must be some hidden variable passing done in the "background" that would make scope level changes potentially do nothing.. could that technically be a bug, since they aren't write protected? :)
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Ahh, but $_GET=array(); inside a function does work and without the overhead of the loop.
harrisonad
Forum Contributor
Posts: 288
Joined: Fri Oct 15, 2004 4:58 am
Location: Philippines

Post by harrisonad »

Running websites is always a risk, and we are the security personnel. We are the ones defining the meaning of the word 'secured'.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

I'd maybe suggest keeping a copy of the raw input somewhere (if you haven't already). If you show submitted values in a redisplayed form, it's probably more user-friendly to use the exact text which they entered to avoid possible problems such as an error message complaining about an invalid value which has, confusingly, been echo'd back to the form as a valid, filtered value.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I do keep a copy around, however once the Request has "internalized" the superglobals, no other part of the script is allowed to access them. This restriction is only made possible by removing all keys/values from the superglobals.
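Putting the thread's findings together in one runnable script, as an added example rather than code posted by any of the participants: a Request object captures $_GET and $_POST, keeps the raw copies for redisplaying forms (McGruff's point), exposes only cleansed values, and then empties the superglobals from inside a method using assignment, since the thread established that unset($_GET) has no effect from function scope while $_GET = array() does. The sample query string is constructed so the script runs from the CLI, the filtering policy is illustrative, and the class and method names are this example's own, not anything from nielsene's code.

```php
<?php
// Added example, not code from the thread. A Request object that captures
// the superglobals, keeps raw copies for form redisplay, exposes cleansed
// values, and then empties $_GET/$_POST/$_REQUEST from inside a method.
// As found in the thread, unset($_GET) inside a function has no effect,
// while $_GET = array() does, so assignment is used here.

// Constructed sample input so the script runs from the CLI. On a real web
// request PHP fills these arrays from the query string and request body.
$_GET  = array('id' => '42abc', 'page' => '3', 'q' => "<script>x</script>\x01");
$_POST = array('name' => '  Alice  ', 'bad key!' => 'dropped');

final class Request
{
    private $raw   = array(); // untouched copies, only for redisplaying forms
    private $clean = array(); // cleansed copies, the only input the app reads

    public function __construct()
    {
        $this->raw['get']    = $_GET;
        $this->raw['post']   = $_POST;
        $this->clean['get']  = self::cleanse($_GET);
        $this->clean['post'] = self::cleanse($_POST);

        // Empty the superglobals so later code cannot bypass the cleansed copy.
        // Assignment works from method scope; unset() would not (per the thread).
        $_GET = $_POST = $_REQUEST = array();
    }

    // Illustrative policy (an assumption of this example): keep only
    // parameter names matching a strict pattern, strip control characters
    // and trim strings, recurse into nested arrays.
    private static function cleanse(array $values)
    {
        $out = array();
        foreach ($values as $key => $value) {
            if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', (string) $key)) {
                continue; // parameter name the application never defined
            }
            if (is_array($value)) {
                $out[$key] = self::cleanse($value);
            } else {
                $text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', (string) $value);
                $out[$key] = trim($text);
            }
        }
        return $out;
    }

    public function get($source, $key, $default = null)
    {
        return isset($this->clean[$source][$key]) ? $this->clean[$source][$key] : $default;
    }

    // Typed accessor: only an all-digit string is accepted as an integer.
    public function getInt($source, $key)
    {
        $v = $this->get($source, $key);
        return (is_string($v) && ctype_digit($v)) ? (int) $v : null;
    }

    public function raw($source, $key)
    {
        return isset($this->raw[$source][$key]) ? $this->raw[$source][$key] : null;
    }
}

$request = new Request();

// After construction the superglobals are empty, even though they were
// cleared from inside a method rather than at script scope.
var_dump($_GET, $_POST, $_REQUEST);

var_dump($request->getInt('get', 'page'));   // accepted: all digits
var_dump($request->getInt('get', 'id'));     // rejected: "42abc" is not an integer
var_dump($request->get('post', 'name'));     // trimmed
var_dump($request->get('post', 'bad key!')); // dropped by the key whitelist

// Redisplay the user's exact text in the form, escaped at output time,
// so a validation error refers to what they actually typed.
echo '<input name="id" value="'
    . htmlspecialchars((string) $request->raw('get', 'id'), ENT_QUOTES, 'UTF-8')
    . '">' . PHP_EOL;
```

The raw copies never leave the Request object unescaped: the only consumer is the redisplay path, which runs htmlspecialchars() at output time. Code written after `new Request()` that reaches for $_GET directly gets an empty array, which is the enforcement nielsene describes.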