
Arrays and faking

Posted: Thu Jun 06, 2002 6:39 am
by 9902468
If I make an array like this:

$variable = array(value -> 3);

can I be absolutely sure that users cannot fake this via GET or POST? Can I count on that? At least like this it doesn't work:
page.php?variable=3

Could someone tell me what they think?

Also, I could make a class and write a get_value method for that class. That cannot be faked, I hope?

Thanks.

Posted: Thu Jun 06, 2002 6:46 am
by jason
Basically, as long as YOU set a value for a variable BEFORE really using it, you are safe.

Set

Code:

error_reporting(E_ALL);
at the top of all your scripts to correct all these potential security holes.

But yes, doing:

Code:

$variable = array('value' => 3);
Would mean even if the user set $variable in the URL, it would be overwritten here.

You can also go about setting register_globals to off in your php.ini, and simply use the $_GET and $_POST arrays to make your life easier.
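The advice in the post above (assign a variable before you read it, and the register_globals pitfall behind it) as an added example; this is not code from the thread. Since register_globals is Off on any current PHP, the example emulates what the setting did at request start (importing query-string keys as ordinary variables) with extract(), and the request array is constructed inline so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. extract($request) emulates what
// register_globals=On did: every query-string key becomes a PHP variable
// before the script's own code runs. The request is constructed for the demo.
//   php register_globals_demo.php
$request = array(
    'authorized' => '1',          // attacker tries to pre-set a flag
    'variable'   => '3',          // the thread's example: page.php?variable=3
);

// Placeholder credential check for the demo (assumed, not from the thread).
function check_login($user, $pass)
{
    return $user === 'admin' && $pass === 'secret';
}

// Vulnerable pattern: $authorized is only assigned on a successful login, so
// when the login fails the script READS it without ever having SET it, and
// the value imported from the query string is what gets used.
function vulnerable_auth(array $request)
{
    extract($request);                          // register_globals emulation
    $user = isset($user) ? $user : '';
    $pass = isset($pass) ? $pass : '';
    if (check_login($user, $pass)) {
        $authorized = true;
    }
    return !empty($authorized);                 // true here: came from the URL
}

// Safe pattern (jason's rule): give $authorized a value BEFORE any code path
// reads it, and take input from the request array rather than bare globals.
function safe_auth(array $request)
{
    extract($request);                          // same hostile import
    $authorized = false;                        // overwrites whatever was imported
    $user = isset($request['user']) ? (string) $request['user'] : '';
    $pass = isset($request['pass']) ? (string) $request['pass'] : '';
    if (check_login($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// The array case from the question: the script's own assignment runs after the
// import, so $variable is the array the script built, not the URL's string.
function array_case(array $request)
{
    extract($request);                          // $variable = '3' at this point
    $variable = array('value' => 3);            // script assignment wins
    return $variable;
}

echo 'vulnerable_auth: ', var_export(vulnerable_auth($request), true), "\n";
echo 'safe_auth:       ', var_export(safe_auth($request), true), "\n";
echo 'array_case:      ', var_export(array_case($request), true), "\n";
```

With error_reporting(E_ALL) on and the extract() line removed, the vulnerable function emits an "Undefined variable" notice for $authorized on the failed-login path; that notice is how the setting recommended above makes the missing initialisation visible, but it only reports the hole, the initialisation in safe_auth() is what closes it.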

Posted: Thu Jun 06, 2002 7:08 am
by 9902468
If I set register_globals off, can I still use links like these?

<a href='page.php?directive=something'>see all something</a>

PS. How can I use Code, Quote etc.? It does not seem to work.

Posted: Thu Jun 06, 2002 7:17 am
by twigletmac
Yes, you can use variables from a URL's query string with register_globals off by accessing them with the $_GET array.

If you had www.yourdomain.com/page.php?directive=something you could access the directive variable like so,

Code:

$_GET['directive']
Check out this thread for more information: http://www.devnetwork.net/forums/viewtopic.php?t=511

For information on using the BBCode (code, quote etc.) try the forum FAQs:
http://www.devnetwork.net/forums/faq.php?mode=bbcode

Mac
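How the link from the question (page.php?directive=something) can be handled with register_globals off, reading the value through $_GET as described in the post above. This is an added example, not code from the thread: the handler names and the contents of $_GET are assumed for the demo, and $_GET is filled in inline so the script runs from the command line.

```php
<?php
// Added example, not from the thread. Reads the directive from $_GET with
// register_globals=Off. Two points the bare $_GET['directive'] line leaves out:
// under E_ALL an absent key raises a notice, so test it with isset() first;
// and the value is still user input, so only known directives are accepted
// instead of using the raw string in a query, include or file path.
// $_GET is constructed here so the script runs from the CLI:
//   php directive_demo.php
$_GET = array('directive' => 'something');

// Permitted directives and the function each one maps to (assumed names).
$handlers = array(
    'something' => 'list_something',
    'other'     => 'list_other',
);

function list_something()
{
    return 'listing: all something';
}

function list_other()
{
    return 'listing: all other';
}

// Returns the page body for the given query-string array, or a refusal.
function dispatch(array $get, array $handlers)
{
    if (!isset($get['directive'])) {            // no notice under E_ALL
        return 'no directive given';
    }
    $directive = (string) $get['directive'];
    if (!array_key_exists($directive, $handlers)) {
        return 'unknown directive';             // rejected, not echoed back
    }
    return call_user_func($handlers[$directive]);
}

echo dispatch($_GET, $handlers), "\n";                                 // the link's request
echo dispatch(array('directive' => '../../etc/passwd'), $handlers), "\n"; // rejected value
echo dispatch(array(), $handlers), "\n";                               // key missing
```

Because dispatch() takes the request array as a parameter rather than reading the superglobal itself, the same function can be exercised with POST data ($_POST) or with a constructed array in a test, which is the practical benefit of the $_GET/$_POST style recommended earlier in the thread.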

Posted: Thu Jun 06, 2002 7:26 am
by 9902468
thanks for info.

-I'll be back...

('cause there's so much to learn.)