Posted by Ehsan on 10/10/79 11:45
When you are trying to print the value of $username, it has to be
defined. As per FH's suggestion you can print it by either:
echo $_POST['username'];
or
echo $_GET['username'];
or
echo $_REQUEST['username'];
But you can also use your piece of code to print $username's value. If
you have register_globals turned on, your script will print the value
without any problem. But it is good practice to keep the register_globals
directive turned off. For security reasons it should be turned off. Say
you have a script to check or validate users logging onto your site. You
have register_globals turned on and are using $username (similar to
your code). Then anyone visiting your site can simply type in at the
address bar http://www.yoursite.com/login.php?username=myusername and
your script will process the given username in the query string.
SQL injection can be done in case you do not have other checks in
place. Keeping register_globals on allows a user of your site to
inject any value for a variable via the query string. As the PHP Manual
suggests, if used wisely any forging attempt can be prevented. But you
will have to be very careful. If you are a beginner then you should not
use the register_globals feature to reduce your work. Get used to $_GET,
$_POST, $_SESSION, $_COOKIE etc. For the above reason avoid $_REQUEST as well. As
you can see, it also does what register_globals allows, but it only
gives the values of $_GET, $_POST and $_COOKIE.
Please go through the PHP Manual for better understanding of these
terms.
Thanks and God Bless!!
Ehsan
http://ehsan.bdwebwork.com
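
The register_globals risk described in the post above, as an added example that is not part of the original post. register_globals was removed in PHP 5.4.0, so its behaviour is emulated here with extract(); the request arrays, the `authorized` parameter, the demo account and all function names are constructed for illustration.

```php
<?php
// Constructed request data standing in for
// login.php?username=alice&authorized=1 plus a POSTed login form.
$query = ['username' => 'alice', 'authorized' => '1'];
$post  = ['username' => 'alice', 'password' => 'wrong-password'];

// Hypothetical credential check; a real site would query its user store.
function check_credentials(string $user, string $pass): bool
{
    static $hash = null;
    // Constructed demo account; the hash is generated once at runtime.
    $hash ??= password_hash('correct horse', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($pass, $hash);
}

// "Before": every request parameter becomes a local variable,
// which is what register_globals=On did for the whole script.
function login_with_globals(array $query, array $post): bool
{
    extract($query);
    extract($post);
    if (check_credentials($username, $password)) {
        $authorized = true;
    }
    // $authorized is never initialised by the script, so a value
    // supplied in the query string is still present at this point.
    return !empty($authorized);
}

// "After": state is initialised by the script and input is read
// only from the source the form is expected to use.
function login_with_superglobals(array $post): bool
{
    $authorized = false;
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (is_string($username) && is_string($password)) {
        $authorized = check_credentials($username, $password);
    }
    return $authorized;
}

var_dump(login_with_globals($query, $post));   // request-controlled flag
var_dump(login_with_superglobals($post));      // decided by the check only
```

The same wrong password is accepted by the first function and rejected by the second; the only difference is where `$authorized` gets its value.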