Posted by Jerry Stuckle on 03/27/07 04:34
Hendri Kurniawan wrote:
> Jerry Stuckle wrote:
>> Christoph Burschka wrote:
>>> Jerry Stuckle wrote:
>>>> Lo'oris wrote:
>>>>> $name=$_GET['name'];
>>>>> if (!$name)
>>>>> $name="value";
>>>>>
>>>>> I can't figure out how to shorten this thing. Is there some kind of
>>>>> operator I don't know about?
>>>>>
>>>> $name = isset($_GET['name']) ? $_GET['name'] : null;
>>>>
>>>> You should always test with isset() to see if a value passed to your
>>>> page is set or not. Otherwise you will get a notice if you have them
>>>> enabled.
>>>>
>>>
>>> If setting multiple variables from $_GET, you can also try this:
>>>
>>> $parameters=array('name'=>"value",'example'=>"value1",'another'=>"value2");
>>>
>>> foreach ($parameters as $parameter=>$value)
>>> {
>>> $$parameter=$_GET[$parameter]?$_GET[$parameter]:$value;
>>> }
>>>
>>
>> Which is only slightly less dangerous than running with
>> register_globals on. Someone can come in and set any variable in your
>> script by setting it in the query string. And if you miss
>> initializing a variable you've got a huge potential security breach.
>>
>> One reason register_globals is no longer enabled by default.
>>
>
> Not really. I think it's a clever way to do it. Saves you some coding time.
>
> If you see, he only allows the variable in the parameter to be changed.
>
> But then again, it's only my opinion.
>
> Hendri
Not at all. I key in
http://www.example.com?admin=1
And now in your program $admin=1. And what if $admin is the variable
which indicates I'm an admin?
This effectively does exactly what register_globals does - just limits
it to the $_GET variables.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
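
An added example, not code from any poster in this thread: it shows what an import loop does to a script's own `$admin` variable when the variable names are taken from the query string itself, next to a version that reads only a fixed list of names into an array. It assumes PHP 7 or later; `import_all`, `import_allowed` and the `$query` array are hypothetical names, and `$query` is a constructed stand-in for `$_GET` on a request like `?name=bob&admin=1`.

```php
<?php
// Constructed sample input standing in for $_GET on ?name=bob&admin=1
$query = ['name' => 'bob', 'admin' => '1'];

// Pattern A: variable names come from the request (what register_globals did).
function import_all(array $query): array
{
    $admin = 0;                          // the script's own state
    foreach ($query as $key => $value) {
        $$key = $value;                  // any request key becomes a local variable
    }
    return ['name' => $name ?? null, 'admin' => $admin];
}

// Pattern B: names come from a fixed list of defaults, and the values
// stay in an array instead of becoming variables.
function import_allowed(array $query, array $defaults): array
{
    $params = [];
    foreach ($defaults as $key => $default) {
        // isset() avoids the notice; is_string() rejects ?name[]=x style arrays;
        // an empty string falls back to the default.
        $ok = isset($query[$key]) && is_string($query[$key]) && $query[$key] !== '';
        $params[$key] = $ok ? $query[$key] : $default;
    }
    return $params;
}

$a = import_all($query);
$b = import_allowed($query, ['name' => 'value', 'example' => 'value1']);

// In $a the request has replaced the script's $admin value.
var_dump($a);
// $b holds only the listed names; the admin key from the request is ignored.
var_dump($b);
```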