PHP superglobals (was: [prog] PHP newbieness)
Dan Richter
daniel.richter at wimba.com
Wed Nov 6 12:00:20 EST 2002
Whoa, this change to PHP scares me! I've been spending the last year
referring to the PHP documentation we downloaded for use locally, so this
change kind of takes me by surprise.
Do you still have to call StripSlashes on the values of these new
"superglobal" arrays? I always thought it was silly to have to call
StripSlashes on form variables.
Now, let me see if I understand why this new method is safer. Consider the
following code:
<?php
// $userIsRight is intentionally left uninitialised here: with register_globals
// enabled, a request parameter of the same name pre-sets it (see below).
if ( $answer == 'George Washington' )
    $userIsRight = TRUE;
if ( $userIsRight )
    GiveUserThePrize();
else
    echo 'Better luck next time!';
Because $userIsRight is never initialized, it is false by default. But a
clever user could access the page with $userIsRight specified on the URL
query line (or in a modified HTML form if it's POSTed) and thus win the
prize without guessing the right answer.
It doesn't seem like a terrible security risk to me, but I suppose it's
good to avoid that risk nevertheless.
========== Dan Richter ============== mailto:Dan at wimba.com ===========
Only a virtuous people are capable of freedom. As nations
become corrupt and vicious, they have more need of masters.
- Benjamin Franklin
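The same quiz check written so that it no longer depends on register_globals, as an added example that is not part of Dan's post. The answer is read only from the $_POST superglobal (passed in here as an array so the script runs from the command line), the flag is initialised before use, and stripslashes is applied only when magic_quotes_gpc actually escaped the input; the request arrays and the function name are constructed for the example.

```php
<?php
// Hardened form of the quiz check (added example; all names hypothetical).
// The request data is passed in explicitly so the function can be exercised
// offline; in a real page it would be called as userIsRight($_POST).
function userIsRight(array $post): bool
{
    // Initialise the flag ourselves instead of relying on PHP's default.
    // Nothing in the query string or form body can reach this variable.
    $userIsRight = false;

    // Only the named form field is consulted, never an arbitrary variable.
    $answer = isset($post['answer']) ? (string) $post['answer'] : '';

    // Older PHP builds may have magic_quotes_gpc enabled, which backslash-
    // escapes quotes in request data; undo that only when it really happened.
    // (get_magic_quotes_gpc was removed in PHP 8, hence the function_exists guard.)
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $answer = stripslashes($answer);
    }

    // Strict comparison so "0", "" and similar loosely-equal values cannot match.
    if ($answer === 'George Washington') {
        $userIsRight = true;
    }
    return $userIsRight;
}

// Constructed requests: the first imitates a visitor who appends
// ?userIsRight=1 to the URL while submitting a wrong answer, the second an
// honest visitor with the right answer.
$tamperedRequest = ['userIsRight' => '1', 'answer' => 'Thomas Jefferson'];
$honestRequest   = ['answer' => 'George Washington'];

if (userIsRight($tamperedRequest) !== false) {
    throw new RuntimeException('tampered request must not win');
}
if (userIsRight($honestRequest) !== true) {
    throw new RuntimeException('correct answer must win');
}
echo "Both checks behaved as expected.\n";
```

Run with `php quiz.php` (any name); the tampered request is rejected because the function never reads a variable named $userIsRight from the request at all.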