If I make an array like this:
$variable = array('value' => 3);
can I be absolutely sure that users cannot fake this via get or post? Can I count on that? At least like this it doesn't work:
page.php?variable=3
If someone could answer what one thinks?
Also I could make a class and write a get_value method for that class. That cannot be faked I hope?
Thanks.
Arrays and faking
Basically, as long as YOU set a value for a variable BEFORE really using it, you are safe.
Set
error_reporting(E_ALL);
at the top of all your scripts to correct all these potential security holes.
But yes, doing:
$variable = array('value' => 3);
Would mean even if the user set $variable in the URL, it would be overwritten here.
You can also go about setting register_globals to off in your php.ini, and simply use the $_GET and $_POST arrays to make your life easier.
- twigletmac
Yes you can use variables from a URL's query string with register_globals off by accessing them with the $_GET array.
If you had www.yourdomain.com/page.php?directive=something you could access the directive variable like so,
$_GET['directive']
Check out this thread for more information: http://www.devnetwork.net/forums/viewtopic.php?t=511
For information on using the BBCode (code, quote etc.) try the forum FAQs:
http://www.devnetwork.net/forums/faq.php?mode=bbcode
Mac
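The advice in the replies above, as an added example that is not code from any of the posts: a variable the script assigns before use cannot be supplied by the request, while one left unassigned on some path can. The handler names, the `authorized` and `$loginOk` names and the sample query string are hypothetical, and `extract()` is used only to emulate register_globals = On, which was removed in PHP 5.4.

```php
<?php
error_reporting(E_ALL); // report reads of variables that were never assigned

// Constructed sample input standing in for
// page.php?variable[value]=99&authorized=1&directive=something
parse_str('variable[value]=99&authorized=1&directive=something', $request);

// Hypothetical handler. extract() emulates what register_globals = On did:
// every request parameter becomes a variable in the script's scope.
function legacy_handler(array $request, bool $loginOk): array
{
    extract($request);

    // Assigned before use, so the request-supplied array is overwritten.
    $variable = array('value' => 3);

    // Never assigned on the failure path, so the request-supplied value survives.
    if ($loginOk) {
        $authorized = true;
    }

    return array('value' => $variable['value'], 'authorized' => !empty($authorized));
}

// Hypothetical handler for register_globals = Off: every variable is
// assigned by the script, and request data is read only from the array.
function explicit_handler(array $get, bool $loginOk): array
{
    $variable   = array('value' => 3);
    $authorized = $loginOk;

    // Accept the parameter only if it is a plain string, not an array.
    $directive = (isset($get['directive']) && is_string($get['directive']))
        ? $get['directive']
        : null;

    return array('value' => $variable['value'], 'authorized' => $authorized, 'directive' => $directive);
}

var_dump(legacy_handler($request, false));
var_dump(explicit_handler($request, false));
```

Both handlers are called with a failed login; comparing the `authorized` field of the two dumps shows which variable the request was able to influence, while `value` is the script's own in both.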