
Eliminating $_GET

Posted: Fri Aug 19, 2005 12:09 pm
by nielsene
I'm working on a script, where I would like to completely eliminate the $_GET superglobal. I tried an

Code:

unset($_GET);
but isset($_GET) still returns true after it. Any ideas?

Posted: Fri Aug 19, 2005 3:02 pm
by anjanesh
All this time I thought the super globals are owned by the PHP compiler (or whatever) and we have no control over the array name ($_GET, $_POST etc).

Re: Eliminating $_GET

Posted: Fri Aug 19, 2005 3:09 pm
by protokol
nielsene wrote:I'm working on a script, where I would like to completely eliminate the $_GET superglobal. I tried an

Code:

unset($_GET);
but isset($_GET) still returns true after it. Any ideas?
Why in the sweet hell do you care if $_GET is there?

Posted: Fri Aug 19, 2005 3:12 pm
by nielsene
Because earlier another variable captures and cleanses the superglobals. I do not wish other developers to bypass the security by directly accessing the superglobals. Nor do I want the developer to even think about trying to pull in values from outside the current scope.

Once I've captured them, eliminating them is the best protection.

Posted: Fri Aug 19, 2005 5:13 pm
by feyd
odd, these work for me (both called with script.php?test=1)

Code:

<?php

echo '<pre>before
'.htmlentities(var_export($_GET,true)).'</pre>';
unset($_GET);
echo '<pre>after
'.htmlentities(var_export($_GET,true)).'</pre>';

?>
output

Code:

before
array (
  'test' => '1',
)


Notice: Undefined variable: _GET in W:\web\test.php on line 7

after
NULL
and

Code:

<?php

echo '<pre>before
'.htmlentities(var_export($_GET,true)).'</pre>';
foreach($_GET as $k => $v)
{
  unset($_GET[$k]);
}
echo '<pre>after
'.htmlentities(var_export($_GET,true)).'</pre>';

?>
output

Code:

before
array (
  'test' => '1',
)

after
array (
)

php 5.0.4

Posted: Fri Aug 19, 2005 5:31 pm
by nielsene
Interesting... Those work for me as well, but:

Code:

<?php
function killGet() {
  unset($_GET);
}
echo '<pre>before
'.htmlentities(var_export($_GET,true)).'</pre>';
killGet();
echo '<pre>after
'.htmlentities(var_export($_GET,true)).'</pre>';
?>
doesn't work. So it looks like you can only unset them from the script scope. Inside a function or a class it fails. Passing the array by reference into the killGet also failed. (And yes I already used the foreach unset() workaround)

Posted: Fri Aug 19, 2005 5:36 pm
by feyd
interesting... there must be some hidden variable passing done in the "background" that would make scope level changes potentially do nothing.. could that technically be a bug, since they aren't write protected? :)

Posted: Fri Aug 19, 2005 5:43 pm
by nielsene
Ahh, but $_GET=array(); inside a function does work and without the overhead of the loop.

Posted: Sun Aug 21, 2005 8:55 pm
by harrisonad
Running websites is always a risk, and we are the security personnel. We are the ones defining the meaning of the word 'secured'.

Posted: Sun Aug 21, 2005 11:27 pm
by McGruff
I'd maybe suggest keeping a copy of the raw input somewhere (if you haven't already). If you show submitted values in a redisplayed form, it's probably more user-friendly to use the exact text which they entered to avoid possible problems such as an error message complaining about an invalid value which has, confusingly, been echo'd back to the form as a valid, filtered value.

Posted: Mon Aug 22, 2005 9:26 am
by nielsene
I do keep a copy around, however once the Request has "internalized" the superglobals, no other part of the script is allowed to access them. This restriction is only made possible by removing all keys/values from the superglobals.
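The pattern discussed in this thread, as an added example that is not code from any of the posters: a Request object that captures the superglobals, keeps a raw copy for redisplay (McGruff's suggestion), exposes only validated values, and then empties the superglobals by assignment, which nielsene found works from inside a function or method where unset() did not. The class name, the $schema callbacks and the sample query string are this example's own; it uses closures, so it needs PHP 5.3 or later rather than the 5.0.4 in the thread.

```php
<?php
// Added example, not from the thread. Internalizes $_GET/$_POST/$_COOKIE into a
// Request object, then empties the superglobals so later code cannot reach raw
// input through them.

class Request
{
    private $raw = array();    // untouched copy of the input, kept for redisplaying forms
    private $clean = array();  // validated values only; everything else is dropped

    // $schema maps each expected parameter name to a validator callback that
    // returns the cleaned value, or null when the value is unacceptable.
    public function __construct(array $schema)
    {
        $this->raw = array('get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE);

        // Later sources win on a name clash: cookie < get < post.
        $merged = array_merge($_COOKIE, $_GET, $_POST);
        foreach ($schema as $name => $validator) {
            $this->clean[$name] = isset($merged[$name])
                ? call_user_func($validator, $merged[$name])
                : null;
        }

        // Empty the superglobals by assignment. The thread reports that this
        // takes effect from method/function scope, unlike unset($_GET).
        // $_REQUEST holds its own copy of the same data, so clear it as well.
        $_GET = array();
        $_POST = array();
        $_COOKIE = array();
        $_REQUEST = array();
    }

    // Validated value for $name, or null if absent, invalid, or not in the schema.
    public function get($name)
    {
        return isset($this->clean[$name]) ? $this->clean[$name] : null;
    }

    // Original, unfiltered text as the user submitted it (for redisplay only).
    public function raw($source, $name)
    {
        return isset($this->raw[$source][$name]) ? $this->raw[$source][$name] : null;
    }
}

// Constructed sample input standing in for a real request so this runs from the CLI.
$_GET = array('page' => '3', 'q' => '  <b>search term</b>  ', 'debug' => '1');
$_POST = array();
$_COOKIE = array();
$_REQUEST = array_merge($_COOKIE, $_GET, $_POST);

$request = new Request(array(
    // page must be a small positive integer
    'page' => function ($v) { return ctype_digit($v) && (int) $v > 0 ? (int) $v : null; },
    // q is trimmed and length-limited; escape it with htmlspecialchars() at output time
    'q'    => function ($v) { $v = trim($v); return ($v === '' || strlen($v) > 100) ? null : $v; },
));

var_dump($request->get('page'));      // validated integer
var_dump($request->get('q'));         // trimmed search string
var_dump($request->get('debug'));     // not in the schema, so it is never exposed
var_dump($request->raw('get', 'q'));  // exact text the user typed, for the form
var_dump($_GET, $_REQUEST);           // both emptied after internalization
```

Two caveats worth knowing when relying on this: $_REQUEST is a separate array and is not cleared by emptying $_GET, hence the extra assignment above; and filter_input() (PHP 5.2+) reads the original request data rather than the superglobal arrays, so emptying $_GET does not stop code that uses it.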