Posted by Hendri Kurniawan on 03/27/07 03:55
Jerry Stuckle wrote:
> Hendri Kurniawan wrote:
>> Jerry Stuckle wrote:
>>> Christoph Burschka wrote:
>>>> Jerry Stuckle wrote:
>>>>> Lo'oris wrote:
>>>>>> $name=$_GET['name'];
>>>>>> if (!$name)
>>>>>> $name="value";
>>>>>>
>>>>>> I can't figure out how to shorten this thing. Is there some kind of
>>>>>> operator I don't know about?
>>>>>>
>>>>> $name = isset($_GET['name']) ? $_GET['name'] : null;
>>>>>
>>>>> You should always test with isset() to see if a value passed to your
>>>>> page is set or not. Otherwise you will get a notice if you have them
>>>>> enabled.
>>>>>
>>>>
>>>> If setting multiple variables from $_GET, you can also try this:
>>>>
>>>> $parameters=array('name'=>"value",'example'=>"value1",'another'=>"value2");
>>>>
>>>> foreach ($parameters as $parameter=>$value)
>>>> {
>>>> $$parameter=$_GET[$parameter]?$_GET[$parameter]:$value;
>>>> }
>>>>
>>>
>>> Which is only slightly less dangerous than running with
>>> register_globals on. Someone can come in and set any variable in
>>> your script by setting it in the query string. And if you miss
>>> initializing a variable you've got a huge potential security breach.
>>>
>>> One reason register_globals is no longer enabled by default.
>>>
>>
>> Not really. I think it's a clever way to do it. Saves you some coding
>> time.
>>
>> If you see, he only allows the variable in the parameter to be changed.
>>
>> But then again, it's only my opinion.
>>
>> Hendri
>
> Not at all. I key in
>
> http://www.example.com?admin=1
>
> And now in your program $admin=1. And what if $admin is the variable
> which indicates I'm an admin?
>
> This effectively does exactly what register_globals does - just limits
> it to the $_GET variables.
>
Well, in order to do that the $parameters variable has to include admin,
is it.
Hendri
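
The behaviour discussed in this thread, as an added example that is not part of any poster's message: the loop over $parameters next to a loop over the request itself, plus an array-based form with no variable variables. The names $request, importListed, importEverything, importToArray, the $admin flag and the sample query string are assumptions made for illustration.

```php
<?php
// Constructed input standing in for the query string ?name=bob&admin=1
$request = array('name' => 'bob', 'admin' => '1');

// From the thread: defaults, whose keys are also the only names read.
$parameters = array('name' => 'value', 'example' => 'value1', 'another' => 'value2');

// The loop from the thread: iterates the allow-list, not the request.
function importListed(array $request, array $parameters)
{
    $admin = 0; // hypothetical flag owned by the script
    foreach ($parameters as $parameter => $value) {
        // !empty() keeps the original truthiness test without the notice
        $$parameter = !empty($request[$parameter]) ? $request[$parameter] : $value;
    }
    return compact('admin', 'name', 'example', 'another');
}

// Contrast: iterating the request itself lets the caller pick variable names,
// which is the register_globals behaviour.
function importEverything(array $request)
{
    $admin = 0;
    foreach ($request as $key => $value) {
        $$key = $value;
    }
    return compact('admin', 'name');
}

// Same allow-list with no variable variables: values stay in one array.
function importToArray(array $request, array $parameters)
{
    // array_filter() drops empty values so the defaults fill them in
    return array_filter(array_intersect_key($request, $parameters)) + $parameters;
}

var_export(importListed($request, $parameters));   // 'admin' is not a listed key
var_export(importEverything($request));            // 'admin' comes from the request
var_export(importToArray($request, $parameters));  // no 'admin' entry at all
```

With the variable-variable form, the keys of the allow-list must never collide with names the script uses itself (here $request, $parameters, $parameter, $value); the array form has no such constraint.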