Thread: Beginning PHP4
June 25th, 2003, 03:15 PM
Daniel Walker

The book was written before register_globals was switched off by default in modern PHP installations. Register_globals used to make POST and GET variables sent by a form (or just inserted into the URL by server side scripts) available by default in the page that received them (the page declared as the 'action' of a form, if it was a form that sent them, for instance).

This is often cited as a security vulnerability, but in actual fact it simply led to some slightly careless coding which _in_ _turn_ could act as a security vulnerability. Register_globals has defaulted to 'off' in all versions since 4.1, as a result.

This means that values passed in the header or URL are no longer available in the receiving page by default, but have, instead, to be directly referenced by pulling their values from either the $HTTP_POST_VARS or $HTTP_GET_VARS arrays, via a call such as:

$action = $HTTP_GET_VARS['action'];

Or (preferably, from the point of view of forwards-compatibility) the so-called super-global arrays - namely the $_POST and $_GET arrays - i.e.:

$action = $_GET['action'];

(FWIW, this directly equates to the ASP way of invoking the Response object to pull out values from its querystring array - without any of the overhead of invoking an entire object to do so.)

So, assuming $action is GET'ed (got?) from the page that sent it (I haven't a copy handy, I'm afraid, so I can't say), either of the variants above will work, if you insert them at some stage before the first reference to the $action variable.

Daniel Walker
(Ex Wrox)
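
An added example (not from the book or from the post above) of the careless-coding pattern the post mentions, next to the explicit superglobal style it recommends. It assumes PHP 7 or later; the function names, the allowlist and the sample request are constructed for illustration, and extract() is used only to emulate what register_globals did.

```php
<?php
// Constructed request data standing in for ?action=delete&authorized=1
$_GET = ['action' => 'delete', 'authorized' => '1'];

// Emulates a page written for register_globals = on: every request
// parameter becomes a variable in scope before the page logic runs.
function careless_check(array $request, bool $passwordOk): bool
{
    extract($request); // emulation of register_globals, for illustration only
    if ($passwordOk) {
        $authorized = true;
    }
    // $authorized is never initialised, so when $passwordOk is false a
    // request parameter of the same name decides the result.
    return !empty($authorized);
}

// Same logic with the flag initialised and no request data imported
// into scope: request parameters cannot influence it.
function explicit_check(array $request, bool $passwordOk): bool
{
    $authorized = false;
    if ($passwordOk) {
        $authorized = true;
    }
    return $authorized;
}

// Explicit read of one named parameter from the query string, checked
// against an allowlist, with a default when it is missing or unexpected.
function get_action(array $query, array $allowed, string $default): string
{
    $action = $query['action'] ?? $default;
    if (!is_string($action) || !in_array($action, $allowed, true)) {
        return $default;
    }
    return $action;
}

var_dump(careless_check($_GET, false));
var_dump(explicit_check($_GET, false));
echo get_action($_GET, ['view', 'edit'], 'view'), "\n";
```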