Posted by Geoff on 10/25/06 19:58
Thank you
 Rik wrote:
 > Geoff wrote:
 > >> I urge you to fix this, but in the meanwhile:
 > >> extract($_GET);
 > > What is the new way to do this?
 > > I've read through the link you gave me but it isn't completely clear
 > > to me.
 >
 > 1. All variables from a GET request are in the $_GET-array. This will make
 > sure that they don't 'infect' used variables.
 > 2. When using a $_GET variable, first make sure it's a type you expect.
 > (for instance:
 >     $id = intval($_GET['id']);//make sure it's an integer
 >     $name = preg_replace('/[^a-z0-9]/i','',$_GET['name']);//strip anything that
 > is not an alphanumeric character)
 > 3. Use validated variables as you would like.
 >
 >
 > The main reason is that (sloppy) code with uninitialized variables can be
 > influenced with either GET or POST request resulting in unexpected and/or
 > undesirable results. Always make sure you:
 > a: initialize all variables.
 > b: use no outside variables for anything without a proper type-check
 > first.
 > --
 > Grtz,
 >
 > Rik Wasmus
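An added example (not code from Geoff or Rik) that puts the two halves of the advice above side by side: the `extract($_GET)` pattern that lets a request create or overwrite script variables, and the initialized-then-validated version using `intval()` and `preg_replace()`. The request array and the `is_admin` key are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread. Shows why extract($_GET)
// is dangerous and how to read request data the way Rik describes:
// initialize first, then pull only expected keys, each coerced to its type.

// Constructed sample request. 'is_admin' is a key the script never asked
// the client for, but a client can send any key it likes.
$sample_get = ['id' => '42abc', 'name' => 'Ri k!', 'is_admin' => '1'];

// Sloppy version: extract() turns every request key into a local variable,
// so a variable the script forgot to initialize gets its value from the URL.
function sloppy(array $get): bool
{
    extract($get);              // creates $id, $name, $is_admin ...
    // $is_admin was never set by the script itself, so the request decides.
    return !empty($is_admin);
}

// Hardened version: every variable is initialized by the script, and only
// the keys we expect are read, each validated/coerced to the intended type.
function hardened(array $get): array
{
    $is_admin = false;          // initialized; never derived from input
    $id = isset($get['id']) ? intval($get['id']) : 0;   // integer only
    // Remove every character that is NOT alphanumeric (note the ^ inside
    // the character class; without it only one leading character goes).
    $name = isset($get['name'])
        ? preg_replace('/[^a-z0-9]/i', '', $get['name'])
        : '';
    return ['id' => $id, 'name' => $name, 'is_admin' => $is_admin];
}

// Compare: with extract() the client-supplied flag is honoured; in the
// hardened version it is ignored and id/name come back as clean typed values.
var_dump(sloppy($sample_get));
var_dump(hardened($sample_get));
```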