| Author |
parameters in URL not readable
|
|
| geoff.houdmont@gmail.com 2006-10-30, 7:04 pm |
| Hi,
I transfered one of my websites to another provider because I was asked
to do that.
The problem I have is it seems like the parameters after the ? are not
readable in the page.
Whereever I make an echo on that page there is nothing happening.
php 5.0.5 is on the server
Is there anyone who can help me?
Best regards,
Geoff
| |
|
| geoff.houdmont@gmail.com wrote:
> Hi,
>
> I transfered one of my websites to another provider because I was
> asked to do that.
> The problem I have is it seems like the parameters after the ? are not
> readable in the page.
> Whereever I make an echo on that page there is nothing happening.
> php 5.0.5 is on the server
>
> Is there anyone who can help me?
Check register_globals, and print_r($_GET).
Are they there?
--
Rik Wasmus
| |
| geoff.houdmont@gmail.com 2006-10-30, 7:04 pm |
|
>
> Check register_globals, and print_r($_GET).
> Are they there?
> --
> Rik Wasmus
Yes it is there.
Geoff
| |
|
|
|
|
|
| Geoff wrote:
> Rik wrote:
>
> Is there a way to get a fast solution?
> otherwise i have to change a lot.
I urge you to fix this, but in the mean while:
extract($_GET);
--
Rik Wasmus
| |
|
| >
> I urge you to fix this, but in the mean while:
> extract($_GET);
> --
> Rik Wasmus
What is the new way to do this?
I've read through the link you gave me but it isn't completely clear to
me.
Geoff
| |
|
| Geoff wrote:
> What is the new way to do this?
> I've read through the link you gave me but it isn't completely clear
> to me.
1. All variables from a GET request are in the $_GET-array. This will make
sure that they don't 'infect' used variables.
2. When using a $_GET variable, first make sure it's a type you expect.
(for instance:
$id = intval($_GET['id']);//make sure it's an integer
$name = preg_replace('/^[a-z0-9]/i','',$_GET['name']);//only
alphanumeric characters)
3. Use validated variables as you would like.
The main reason is that (sloppy) code with uninitialized variables can be
influenced with either GET or POST request resulting in unexpected and/or
undesireable results. Alwaus make sure you:
a: initiliaze all variables.
b: no outside variables are used for anything without a proper type-check
first.
--
Grtz,
Rik Wasmus
| |
|
| Thank you
Rik wrote:
> Geoff wrote:
>
> 1. All variables from a GET request are in the $_GET-array. This will make
> sure that they don't 'infect' used variables.
> 2. When using a $_GET variable, first make sure it's a type you expect.
> (for instance:
> $id = intval($_GET['id']);//make sure it's an integer
> $name = preg_replace('/^[a-z0-9]/i','',$_GET['name']);//only
> alphanumeric characters)
> 3. Use validated variables as you would like.
>
>
> The main reason is that (sloppy) code with uninitialized variables can be
> influenced with either GET or POST request resulting in unexpected and/or
> undesireable results. Alwaus make sure you:
> a: initiliaze all variables.
> b: no outside variables are used for anything without a proper type-check
> first.
> --
> Grtz,
>
> Rik Wasmus
| |
| Chuck Anderson 2006-10-30, 7:04 pm |
| Geoff wrote:
>
> What is the new way to do this?
> I've read through the link you gave me but it isn't completely clear to
> me.
>
> Geoff
>
>
Quick and dirty:
Use a text editor to include a script at the very beginning of every php
file:
<?php
include 'extractor.php';
?>
Put this in extractor.php
<?php
if (is_array($_GET))
{
foreach ($_GET as $xxkey => $xxvalue)
{
$$xxkey = $xxvalue;
}
}
?>
(Note: 'xx' is added to the var name to try and keep the var names
unique, otherwise, if you have passed a GET variable with the same name
($key or $value), it would be overwritten by the next iteration of the
foreach.)
This should get you working, but then I advise you to go back and add
some real injection prevention functions at the beginning of routines
that need them.
--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
| |
| Colin Fine 2006-10-30, 7:04 pm |
| Chuck Anderson wrote:
> Geoff wrote:
> Quick and dirty:
>
> Use a text editor to include a script at the very beginning of every php
> file:
>
> <?php
> include 'extractor.php';
> ?>
>
> Put this in extractor.php
>
> <?php
> if (is_array($_GET))
> {
> foreach ($_GET as $xxkey => $xxvalue)
> {
> $$xxkey = $xxvalue;
> }
> }
> ?>
>
> (Note: 'xx' is added to the var name to try and keep the var names
> unique, otherwise, if you have passed a GET variable with the same name
> ($key or $value), it would be overwritten by the next iteration of the
> foreach.)
>
> This should get you working, but then I advise you to go back and add
> some real injection prevention functions at the beginning of routines
> that need them.
>
This looks to me like a clumsy way of emulating 'extract($_GET)', as
suggested by Rik. Are you claiming some advantage to doing it this way?
Colin
|
|
|
|