Posted by "Matt Monaco" on 11/26/05 02:42
I apologize, but I've never been able to access $_POST and $_GET in any
context whatsoever without first turning on the register globals.
"John Nichel" <jnichel@by-tor.com> wrote in message
news:4387AC03.1040302@by-tor.com...
> Matt Monaco wrote:
>> Somewhat, but its what you need to do for the post and get arrays to
>> work.
> <snip>
>
> No. Things like $_POST and $_GET are global arrays and work regardless of
> the register_globals setting. The information you're handing out above is
> wrong and dangerous.
>
> </snip>
>> What you need to do is make sure check the values in the global variables
>> before you use them. For example if on one page you have a form for a
>> user signup and <input type=text name='userName'> on the next page
>> $_POST['userName'] should be checked for things like quotes and other
>> characters that will alter your SQL statement before you actually INSERT
>> that value into your table.
>
> ie they should be sanitized. Things like mysql_real_escape_string() or
> adding slashes (depending on your magic_quotes setting) should be done
> prior to inserting any data. Also, you should check to ensure that it's
> the data you expect; if you only allow usernames to contain alpha-numeric
> characters, then you should check for that. Toss is out if it contains
> something else.
>
> Best rule of thumb: Never trust user input, regardless of the
> register_globals setting.
>
> --
> By-Tor.com
> ...it's all about the Rush
> http://www.by-tor.com
[Back to original message]
|