PHP superglobals (was: [prog] PHP newbieness)

Dan Richter daniel.richter at wimba.com
Wed Nov 6 12:00:20 EST 2002


Whoa, this change to PHP scares me! I've been spending the last year 
referring to the PHP documentation we downloaded for use locally, so this 
change kind of takes me by surprise.

Do you still have to call StripSlashes on the values of these new 
"superglobal" arrays? I always thought it was silly to have to call 
StripSlashes on form variables.

Now, let me see if I understand why this new method is safer. Consider the 
following code:
   if ( $answer == 'George Washington' )
     $userIsRight = TRUE;
   if ( $userIsRight )
     GiveUserThePrize();
   else
     echo 'Better luck next time!';
Because $userIsRight is never initialized, it is false by default. But a 
clever user could access the page with $userIsRight specified on the URL 
query line (or in a modified HTML form if it's POSTed) and thus win the 
prize without guessing the right answer.

It doesn't seem like a terrible security risk to me, but I suppose it's 
good to avoid that risk nevertheless.

========== Dan Richter ============== mailto:Dan at wimba.com ===========
     Only a virtuous people are capable of freedom. As nations
     become corrupt and vicious, they have more need of masters.
             - Benjamin Franklin
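The quiz check from the message above, rewritten to read only from the $_POST superglobal. This is an added example, not code from the original message or from the PHP project; readFormValue() and checkAnswer() are hypothetical helper names, and the request arrays at the bottom are constructed inputs. The point it demonstrates is that the outcome flag is initialized by the script itself and never taken from the request, so an extra userIsRight parameter has no effect; it also shows where a stripslashes() call belongs when magic_quotes_gpc is on.

```php
<?php
// Added example: the quiz check with explicit initialization and input read
// only from a named request array, never from injected globals.

// Undo magic_quotes_gpc escaping only if the installation actually applied it,
// so values are neither double-unescaped nor left with stray backslashes.
// get_magic_quotes_gpc() no longer exists in PHP 8, so the call is guarded.
function readFormValue(array $source, $name)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = $source[$name];
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Hardened version of the check: $userIsRight gets an explicit default here
// and is only ever changed by the comparison below, so a request carrying
// userIsRight=1 cannot influence it.
function checkAnswer(array $post)
{
    $userIsRight = false;                       // explicit default, not implicit
    $answer = readFormValue($post, 'answer');
    if ($answer !== null && $answer === 'George Washington') {
        $userIsRight = true;
    }
    return $userIsRight;
}

// Constructed requests (not real traffic): a correct answer, a wrong answer,
// and a wrong answer that also smuggles in the flag the old code trusted.
$cases = array(
    array('answer' => 'George Washington'),
    array('answer' => 'John Adams'),
    array('answer' => 'John Adams', 'userIsRight' => '1'),
);
foreach ($cases as $post) {
    echo checkAnswer($post) ? "prize\n" : "Better luck next time!\n";
}

// In the actual page the call would be: $won = checkAnswer($_POST);
```

Only the first constructed request wins the prize; the third, which carries the injected flag, is treated exactly like a plain wrong answer because nothing in the script reads userIsRight from the request.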
