Arrays and faking
Posted: Thu Jun 06, 2002 6:39 am
by 9902468
If I make an array like this:
$variable = array('value' => 3);
can I be absolutely sure that users cannot fake this via get or post? Can I count on that? At least like this it doesn't work:
page.php?variable=3
If someone could answer what one thinks?
Also I could make a class and write a get_value method for that class. That cannot be faked I hope?
Thanks.
Posted: Thu Jun 06, 2002 6:46 am
by jason
Basically, as long as YOU set a value for a variable BEFORE really using it, you are safe.
Set
at the top of all your scripts to correct all these potential security holes.
But yes, doing:
Would mean even if the user set $variable in the URL, it would be overwritten here.
You can also go about setting register_globals to off in your php.ini, and simply use the $_GET and $_POST arrays to make your life easier.
Posted: Thu Jun 06, 2002 7:08 am
by 9902468
If I set register_globals off can I use links like these anymore?
<a href='page.php?directive=something'>see all something</a>
PS. How can I use Code, Quote etc.? It does not seem to work.
Posted: Thu Jun 06, 2002 7:17 am
by twigletmac
Yes you can use variables from a URL's query string with register_globals off by accessing them with the $_GET array.
If you had
www.yourdomain.com/page.php?directive=something you could access the directive variable like so,
Check out this thread for more information:
http://www.devnetwork.net/forums/viewtopic.php?t=511
For information on using the BBCode (code, quote etc.) try the forum FAQs:
http://www.devnetwork.net/forums/faq.php?mode=bbcode
Mac
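An added example, not part of any post in this thread: it emulates the old register_globals import with extract() so the advice above (set the variable before use, or turn register_globals off and read $_GET) can be tried on a current PHP. The function names, the allow-list and the query strings are constructed for illustration.

```php
<?php
// Emulates register_globals=On with extract(); the setting itself no longer
// exists in current PHP. All names and inputs below are constructed.

// Hypothetical page that never sets $variable itself.
function page_uninitialised(array $request): bool
{
    extract($request);               // what register_globals=On did implicitly
    // The script never assigns $variable, so the request decides its value.
    return isset($variable['value']) && $variable['value'] == 3;
}

// Same page, but the script assigns $variable before using it.
function page_initialised(array $request): bool
{
    extract($request);
    $variable = array('value' => 0); // set BEFORE use: request value is overwritten
    return $variable['value'] == 3;
}

// register_globals=Off style: read only the expected key from the GET array.
function page_superglobal_style(array $get): string
{
    // Accept the parameter only if it is present and a plain string.
    $directive = isset($get['directive']) && is_string($get['directive'])
        ? $get['directive'] : '';
    // Allow-list of values this page knows about (constructed for the example).
    return in_array($directive, array('something', 'everything'), true)
        ? $directive : 'default';
}

// Constructed query strings; parse_str() decodes them the way PHP fills $_GET.
parse_str('variable[value]=3', $arrayInput);   // request input can be an array
parse_str('directive=something', $link);       // the link from the thread
parse_str('directive[]=x', $unexpectedType);   // array where a string is expected

var_dump(page_uninitialised($arrayInput));     // request-supplied $variable is used
var_dump(page_initialised($arrayInput));       // script's own assignment is used
var_dump(page_superglobal_style($link));
var_dump(page_superglobal_style($unexpectedType));
```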
Posted: Thu Jun 06, 2002 7:26 am
by 9902468
Thanks for the info.
-I'll be back...
('cause there's so much to learn.)