Posted by Geoff on 10/25/06 19:58
Thank you
Rik wrote:
> Geoff wrote:
> >> I urge you to fix this, but in the meanwhile:
> >> extract($_GET);
> > What is the new way to do this?
> > I've read through the link you gave me but it isn't completely clear
> > to me.
>
> 1. All variables from a GET request are in the $_GET-array. This will make
> sure that they don't 'infect' used variables.
> 2. When using a $_GET variable, first make sure it's a type you expect.
> (for instance:
> $id = intval($_GET['id']); // make sure it's an integer
> $name = preg_replace('/[^a-z0-9]/i', '', $_GET['name']); // keep only
> alphanumeric characters)
> 3. Use validated variables as you would like.
>
>
> The main reason is that (sloppy) code with uninitialized variables can be
> influenced with either GET or POST requests, resulting in unexpected and/or
> undesirable results. Always make sure you:
> a: initialize all variables.
> b: use no outside variables for anything without a proper type-check
> first.
> --
> Grtz,
>
> Rik Wasmus
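As an added illustration of Rik's two rules (not code from the thread), the following script puts the sloppy `extract()` pattern beside the explicit initialise-then-validate form. The request array, the `isAdmin` parameter and the function names are constructed for the example.

```php
<?php
// Constructed stand-in for $_GET so the script runs from the CLI.
$request = ['id' => '42abc', 'name' => 'ri k!', 'isAdmin' => '1'];

// Sloppy: extract() turns every query parameter into a local variable.
function sloppy(array $get): string
{
    // $isAdmin is never initialised, so extract() can create it from the request.
    extract($get);
    return !empty($isAdmin) ? 'admin view' : 'user view';
}

// Explicit: initialise every variable first, then type-check each input.
function explicit(array $get): string
{
    $isAdmin = false;                                  // a: initialise before use
    $id = isset($get['id']) ? intval($get['id']) : 0;  // b: integer only ('42abc' -> 42)
    // The [^...] class strips everything that is NOT alphanumeric ('ri k!' -> 'rik').
    $name = isset($get['name'])
        ? preg_replace('/[^a-z0-9]/i', '', $get['name'])
        : '';
    // $isAdmin would come from a session or database check, never from $get.
    return ($isAdmin ? 'admin view' : 'user view') . " for $name ($id)";
}

echo sloppy($request), "\n";
echo explicit($request), "\n";
```

Running it shows the sloppy version handing out the admin view purely because the request named an uninitialised variable, while the explicit version ignores the extra parameter and normalises `id` and `name` to the expected types.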