Date: 07/22/02
- Next message: Martin Clifford: "RE: [PHP] What does register_globals do?"
- Previous message: Matt Schroebel: "RE: [PHP] What does register_globals do?"
- In reply to: Kristopher Yates: "Re: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)"
- Next in thread: Evan Nemerson: "Re: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)"
> I notice the INSTALL file in 4.2.2 mentions that people "should write
> their scripts to work with this [register_globals] turned off". Based
> on what I've mentioned below, what can I do to conform to this statement
> made by the PHP authors? From what I know about programming, I am
> setting globals where appropriate already.. but apparently I am
> incorrect, since upgrading to 4.2.2 broke all my stuff unless I turn
> [register_globals] on. Any suggestions?
Keeping register_globals OFF simply gives you the opportunity to make fewer
mistakes in your code. When you have a link like
http://www.example.com/page.php?ID=1, reg_globals ON will create a variable
$ID that you can use in your script. The problem is, you don't know if it
came from the URL, a POSTed form, a COOKIE, or what. The second problem is
that if I use the variable $blah somewhere in my script, a malicious user
could pass a value of $blah through the URL, POST, or COOKIE, and create
problems in my code.

With reg_globals OFF, you have to access the variables in the $_GET, $_POST,
$_COOKIE, etc., arrays. $_GET['ID'], for the example above, tells you for sure
that the value came from the URL. Also, if I make a variable $blah somewhere
in my script, I know that the user can't affect its value at all, even by
passing ?blah=foo in the URL.

So basically you should begin using the superglobal arrays $_GET, $_POST,
$_COOKIE, $_ENV, $_SERVER, and $_SESSION in your scripts...

HTH!

---John Holmes...
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
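Added example, not part of the original message: the two problems described above (unknown origin of $ID, and a request value landing in $blah) next to the superglobal version. register_globals no longer exists in current PHP, so its effect is emulated with extract(); the function names, the request values and the G, P, C import order are assumptions made for this illustration.

```php
<?php
// Constructed request data, set by hand so the script runs from the CLI.
// The page expects only ID in the URL; the client also sent "blah" in the
// URL and an ID cookie.
$_GET    = ['ID' => '1', 'blah' => 'foo'];
$_POST   = [];
$_COOKIE = ['ID' => '999'];

// Emulates register_globals ON: every request key becomes a local variable.
// Assumption: sources are imported in G, P, C order, so later ones overwrite.
function page_globals_on(): array
{
    extract($_GET);
    extract($_POST);
    extract($_COOKIE);

    // The author assumes $blah is unset here unless the script itself set it.
    if (!isset($blah)) {
        $blah = 'default';
    }
    // $ID exists, but nothing says whether it came from the URL or the cookie.
    return ['ID' => $ID ?? null, 'blah' => $blah];
}

// register_globals OFF: each value is read from the array naming its source.
function page_globals_off(): array
{
    $blah = 'default';             // ?blah=foo cannot reach this variable
    $id   = $_GET['ID'] ?? null;   // known to come from the URL
    // Knowing the source does not make the value trusted: validate it.
    // is_string() rejects array input such as ?ID[]=1 before ctype_digit().
    $id   = (is_string($id) && ctype_digit($id)) ? (int) $id : null;
    return ['ID' => $id, 'blah' => $blah];
}

print_r(page_globals_on());
print_r(page_globals_off());
```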

