Posted by David Cartwright on 10/19/05 10:57
"|-|erc" <h@r.c> wrote in message
news:4355f0d6$0$41001$892e7fe2@authen.white.readfreenews.net...
> OK, here's the start of the index file I'm working on and it's used for
> every page like so
> index.php?action=register
> index.php?action=logout
> etc.
> if ($action != "do_login")
> {
> $user = $_COOKIE['user'];
> $pass = $_COOKIE['pass'];
> if (verifyuser('', $pass,$user) == TRUE)
> Nowhere in config or functions is $action defined, so how can this work?

There is a PHP configuration directive (i.e. something you put in the config
file) "register_globals" which allows any or all entities from forms (GET
and POST), cookies, server internals and the local environment to appear to
scripts just as if they're day-to-day script variables. As of PHP 4.2.0 this
defaults to "off", though clearly you can turn it on if you so desire.

I don't personally like implicit variable definitions like this, because
variables can trample over one another and cause confusion (or even security
problems) when what you thought was a local variable turns out to be a field
from a form, or vice versa. The developers of PHP clearly don't like it
either, as they've taken the conscious decision to turn it off.

For a developer, a nicer way to go is the import_request_variables()
function, which you can drop into your scripts to register form variables
yourself. import_request_variables() allows you to prefix the variable names
with a text string to allow you to distinguish them from other variables -
so, for instance, everything I write has an import_request_variables() call
that makes all my form variables appear as $form_blah, thus guaranteeing I'm
not going to trample over local stuff by mistake.

HTH,
David C
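
The variable collision described in the reply above, next to the prefixed import that avoids it, as an added example that is not part of the original post. register_globals and import_request_variables() were both removed in PHP 5.4, so extract() stands in for them here; verify_user(), the is_admin field and the request arrays are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. $request is a constructed
// stand-in for the GET/POST/cookie data that register_globals would import.

// Hypothetical credential check against one constructed account.
function verify_user(string $user, string $pass): bool
{
    return $user === 'alice' && hash_equals('correct-horse', $pass);
}

// register_globals behaviour: every request field becomes a plain variable.
function check_with_globals(array $request): bool
{
    extract($request);  // emulates what register_globals did implicitly
    // Flawed pattern: $is_admin is assigned only on the success path, so on
    // failure a request field of the same name supplies its value.
    if (isset($user, $pass) && verify_user($user, $pass)) {
        $is_admin = true;
    }
    return !empty($is_admin);
}

// Prefixed import: request fields arrive as $form_*, local state stays local.
function check_with_prefix(array $request): bool
{
    $is_admin = false;  // initialised explicitly before anything is imported
    extract($request, EXTR_PREFIX_ALL, 'form');  // $form_user, $form_pass, ...
    if (isset($form_user, $form_pass) && verify_user($form_user, $form_pass)) {
        $is_admin = true;
    }
    return $is_admin;   // a field named is_admin only exists as $form_is_admin
}

// Constructed requests: one with wrong credentials plus an extra field whose
// name matches the script's local variable, one with valid credentials.
$extra_field = ['user' => 'bob', 'pass' => 'wrong', 'is_admin' => '1'];
$valid_login = ['user' => 'alice', 'pass' => 'correct-horse'];

echo "globals, extra field: ";
var_dump(check_with_globals($extra_field));
echo "prefixed, extra field: ";
var_dump(check_with_prefix($extra_field));
echo "prefixed, valid login: ";
var_dump(check_with_prefix($valid_login));
```

On a current PHP the same separation comes from reading $_GET, $_POST and $_COOKIE directly and initialising every local variable before use.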