automatic GET ['var']??

Discussion in 'PHP' started by Davidf25sc, Oct 22, 2006.

  1. #1
    Hey, I'm relatively new to PHP and I noticed something on some PHP pages I saw. For example, you open http:...../showvar.php?var=asdf

    But when I see the showvar.php code you see something like

    some code....
    $whatever = dosomething_with($var);
    more code....

    But there is no $var = $_GET['var']; anywhere! So my guess is that they use some sort of automatic GET, so that the $var gets its value automatically from the http:...../showvar.php?var=asdf line... How do they do this? Is it a .htaccess trick? Something you do with your host cPanel? Or what?

    Thanks for your help.
    David.
     
    Davidf25sc, Oct 22, 2006 IP
  2. T0PS3O

    #2
    Could indeed be htaccess trickery - rewriting the URL but more likely the server in question has REGISTER GLOBALS on, meaning exactly what you described, you can grab variables with the $_GET or $_POST.
     
    T0PS3O, Oct 22, 2006 IP
  3. Davidf25sc

    #3
    Yep, REGISTER GLOBALS ON is the trick, thank you very much mate.
     
    Davidf25sc, Oct 22, 2006 IP
  4. streety

    #4
    You need to be careful if you have register globals turned on as they are a common security vulnerability. If you do have them turned on you need to make sure that you clear any variable before you use it. So for example,

    
    //private_var hasn't been used yet
    $private_var = 0;
    
    //private_var is used
    
    You're much better just not using register globals and using the superglobal arrays such as $_GET, $_POST, and $_SERVER, etc. Register globals have been turned off by default since PHP 4.2.0 because it was so frequently a source of insecure code.
     
    streety, Oct 22, 2006 IP
  5. Borghunter

    #5
    There are quite a few globals like $_POST or $_GET. Another one is $_REQUEST which is both of them together, so no matter if it's in the URL or posted it will be used.
     
    Borghunter, Oct 22, 2006 IP
  6. Davidf25sc

    #6
    The problem is that this whole site is made so that the use of globals is mandatory. I would have to change too many things to make it work with $_GET or something else. Thank you streety for your comment, I will keep that in mind.
     
    Davidf25sc, Oct 22, 2006 IP
  7. Chemo

    #7
    A work around would be something like this:
    
    	/* 
    	 * Define global extraction in order -> i.e. - standard GPC
    	 */
    	$extract = array('_GET', '_POST', '_COOKIE');
    	
    	/*
    	 * Extract the globals
    	 * !!!!!!!!!!
    	 * You should probably sanitize values here
    	 * !!!!!!!!!!
    	 * Did I mention to sanitize values?
    	 */
    	foreach( array_values($extract) as $global ){
    		extract($$global);
    	}
    
    Did I mention to sanitize values?? :)

    Bobby
     
    Chemo, Oct 22, 2006 IP
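
Added example, not part of any post in the thread and not code from the site discussed: it contrasts a blanket import of request data (what register globals and the extract() workaround both amount to) with initializing a variable before use and with importing only expected names. `$request`, `login_ok()`, the `authorized` key and the `in_` prefix are assumptions made for the illustration.

```php
<?php
// $request is constructed data standing in for $_GET; the "authorized"
// key is one the script never meant to accept from the request.
$request = ['var' => 'asdf', 'authorized' => '1'];

// Hypothetical login check that fails for this visitor.
function login_ok(): bool { return false; }

// 1. Blanket import (register globals, or extract() on raw request data).
function blanket(array $request): bool
{
    extract($request);              // default flag is EXTR_OVERWRITE
    if (login_ok()) {
        $authorized = true;
    }
    // $authorized was never set by the script itself, so whatever arrived
    // with the request is the value tested here.
    return !empty($authorized);
}

// 2. Set the variable yourself after the import and before first use,
//    so nothing from the request survives in it.
function initialized(array $request): bool
{
    extract($request);
    $authorized = false;
    if (login_ok()) {
        $authorized = true;
    }
    return $authorized;
}

// 3. Import only the names the page expects, as strings, under a prefix
//    that cannot collide with the script's own variables.
function allowlisted(array $request, array $allowed): array
{
    $vars = [];
    foreach ($allowed as $name) {
        if (isset($request[$name]) && is_string($request[$name])) {
            $vars['in_' . $name] = $request[$name];
        }
    }
    return $vars;
}

var_dump(blanket($request));
var_dump(initialized($request));
var_dump(allowlisted($request, ['var']));
```

With an in-script extract() the initialization has to come after the import; placed before it, the default overwrite behaviour replaces the value again.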