PHP.ini Globals = OFF


treefrog
12-30-2002, 01:28 PM
If globals are set to "off" (which is set that way by default on newer versions of PHP), you have to modify the script. Having globals set to on isn't necessarily bad, but... it's better to write your scripts to accommodate this. Here's an example:

old way:

if (!$variable) $variable = "something";



better (and more secure) way:

// Read the value explicitly from the query string; fall back to a default.
if (!isset($_GET['variable'])) {
   $variable = "something";
} else {
   $variable = $_GET['variable'];
}


Although this makes the code bigger, it's more secure because it helps to prevent a malicious user from passing stuff to your script via a form or something. You can even go further by validating the data that's in the URL by checking what type of data is being sent (to add more security) like this:


// Accept 'uc' only when it is present and numeric; otherwise use 0.
if (isset($_GET['uc'])) {
   if (is_numeric($_GET['uc'])) {
       $uc = $_GET['uc'];
   } else {
       $uc = 0;
   }
} else {
   $uc = 0;
}


This is more of a suggestion than a bug, but I am having to re-do a bunch of the code so that it will work with register_globals = off in my php.ini.

Treefrog
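
The isset-then-validate pattern from the post above, folded into reusable helpers with stricter checks. This is an added example, not code from the original post; `int_param` and `choice_param` are hypothetical names, the `sort` parameter and the sample arrays are constructed, and PHP 7 or later is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Read an integer parameter from a request array (e.g. $_GET).
 * Returns $default when the key is missing, is not a plain string,
 * is not a whole number, or falls outside [$min, $max].
 */
function int_param(array $source, string $name, int $default, int $min, int $max): int
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default; // missing, or an array such as ?uc[]=1
    }
    $value = filter_var($source[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

/** Read a string parameter, accepting only values from a fixed list. */
function choice_param(array $source, string $name, string $default, array $allowed): string
{
    $value = $source[$name] ?? null;
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : $default;
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['uc' => '42'],                   // valid integer in range
    ['uc' => '1e5'],                  // is_numeric() accepts this; FILTER_VALIDATE_INT does not
    ['uc' => '4.2'],                  // numeric but not an integer
    ['uc' => '-7'],                   // integer, below the allowed range
    ['uc' => ['1', '2']],             // array from ?uc[]=1&uc[]=2
    ['uc' => '5', 'sort' => 'name'],  // allowed sort value
    ['sort' => 'name; DROP'],         // not in the allowed list
    [],                               // both parameters absent
];

foreach ($samples as $get) {
    $uc   = int_param($get, 'uc', 0, 0, 1000);
    $sort = choice_param($get, 'sort', 'date', ['date', 'name']);
    printf("%-32s uc=%d sort=%s\n", json_encode($get), $uc, $sort);
}
```

Unlike `is_numeric()`, which also accepts floats and exponent notation, `FILTER_VALIDATE_INT` with a range leaves `$uc` as a real integer inside known bounds before it reaches a query or array index.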