Arrays and faking

9902468
Forum Commoner
Posts: 89
Joined: Thu Jun 06, 2002 6:39 am
Location: Europe


Post by 9902468 »

If I make an array like this:

$variable = array(value -> 3);

can I be absolutely sure that users cannot fake this via GET or POST? Can I count on that? At least like this it doesn't work:
page.php?variable=3

Could someone answer what they think?

Also, I could make a class and write a get_value method for that class. That cannot be faked, I hope?

Thanks.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

Basically, as long as YOU set a value for a variable BEFORE really using it, you are safe.

Set

error_reporting(E_ALL);
at the top of all your scripts to correct all these potential security holes.

But yes, doing:

$variable = array('value' => 3);
would mean that even if the user set $variable in the URL, it would be overwritten here.

You can also go about setting register_globals to off in your php.ini, and simply use the $_GET and $_POST arrays to make your life easier.
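As an added illustration (not code from the thread), the snippet below contrasts a script that relied on register_globals (every ?name=value becoming a script variable) with the pattern recommended above: initialise the variable before use and read input only through $_GET. extract() is used purely as a stand-in for the old register_globals behaviour, and the request array, the "debug" flag and the allowlist are constructed for the example.

```php
<?php
// Added example, not from the original thread.
error_reporting(E_ALL);

// Constructed request, as if the browser had asked page.php?directive=list&debug=1
$request = ['directive' => 'list', 'debug' => '1'];

// Legacy behaviour: extract() reproduces what register_globals=On did, importing
// every request parameter into the script's variable scope. Shown only to
// illustrate the hazard; never call extract() on request data in real code.
function legacy_show_debug(array $request): bool
{
    extract($request);
    // $debug was never assigned by the script, so the client decides its value.
    return isset($debug) && $debug === '1';
}

// Hardened: the script owns its variables and reads input explicitly.
function safe_handle(array $get): array
{
    $debug = false;                  // set BEFORE use; ?debug=1 cannot pre-set it
    $variable = ['value' => 3];      // overwrites anything sent as ?variable=...

    // Request input is read only through $_GET and checked against an allowlist.
    $allowed   = ['list', 'view', 'edit'];
    $directive = $get['directive'] ?? 'list';
    if (!in_array($directive, $allowed, true)) {
        $directive = 'list';         // unknown values fall back to a safe default
    }

    return ['directive' => $directive, 'debug' => $debug, 'value' => $variable['value']];
}

var_dump(legacy_show_debug($request));  // client-controlled
var_dump(safe_handle($request));        // script-controlled
```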
9902468
Forum Commoner
Posts: 89
Joined: Thu Jun 06, 2002 6:39 am
Location: Europe

Post by 9902468 »

If I set register_globals off, can I use links like these anymore?

<a href='page.php?directive=something'>see all something</a>

PS. How can I use Code, Quote etc.? It does not seem to work.
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Yes you can use variables from a URL's query string with register_globals off by accessing them with the $_GET array.

If you had www.yourdomain.com/page.php?directive=something you could access the directive variable like so:

$_GET['directive']
Check out this thread for more information: http://www.devnetwork.net/forums/viewtopic.php?t=511

For information on using the BBCode (code, quote etc.) try the forum FAQs:
http://www.devnetwork.net/forums/faq.php?mode=bbcode

Mac
9902468
Forum Commoner
Posts: 89
Joined: Thu Jun 06, 2002 6:39 am
Location: Europe

Post by 9902468 »

Thanks for the info.

-I'll be back...

('cause there's so much to learn.)