$var instead of $_GET['var'] in PHP?

Ok, I can't remember the details of this, but on some servers you can use $var instead of $_GET['var'] to access the variable in the URL. I know it is BAD, but I can't remember why it is bad?

+3
10 answers

I think you mean Register Globals .

You should not use them because you cannot distinguish the source of these variable values, since they can come from any source of EGPCS variables (Environment, GET, POST, Cookie, Server).

That is, $var could be any of $_ENV['var'], $_GET['var'], $_POST['var'], $_COOKIE['var'] or $_SERVER['var'].

+8

Register Globals:

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
+7

register_globals set to 1 (true) in php.ini.

+2



For example: /myapp/index.php?admin_privileges=1

+1


"register_globals": http://www.php.net/manual/en/security.globals.php

0

$_POST, $_GET, etc.

0


You can use extract() for more controlled behavior. It will extract the keys from the array (in this case, $_GET) into the local context as variables. You can give them a common prefix so that they do not interfere with your existing variables. And you can pre-filter the array to make sure you get the expected variables.

int extract ( array &$var_array [, int $extract_type = EXTR_OVERWRITE [, string $prefix = NULL ]] )

Import variables from an array into the current symbol table.

0
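As an added example, not from any of the answers above or the PHP manual, here is the filtered and prefixed extract() approach the last answer describes, with a constructed $request array standing in for $_GET and the hostile extra parameter from the earlier answers included to show it is dropped:

```php
<?php
// Added example: import request data into local variables the way
// register_globals used to, but only for an explicit whitelist of keys,
// cast to the expected type, and under a prefix so that a request parameter
// such as ?authorized=1 can never shadow a local variable.

// Constructed sample request, standing in for $_GET.
$request = [
    'page'       => '3',
    'sort'       => 'name',
    'authorized' => '1',   // hostile extra parameter; must be ignored
];

// Only these keys may become variables, each with its expected type.
$allowed = ['page' => 'int', 'sort' => 'string'];

// Pre-filter: keep whitelisted keys only and cast them.
$clean = [];
foreach ($allowed as $key => $type) {
    if (!array_key_exists($key, $request)) {
        continue;
    }
    $clean[$key] = ($type === 'int')
        ? (int) $request[$key]
        : (string) $request[$key];
}

// EXTR_PREFIX_ALL prepends "req_" to every imported name, so the imported
// variables are $req_page and $req_sort. The return value is the number
// of variables imported (2 here); 'authorized' never reaches the symbol table.
$imported = extract($clean, EXTR_PREFIX_ALL, 'req');

// Sensitive state is initialised explicitly before any use, so nothing
// coming from the request can define it for us.
$authorized = false;

var_dump($imported);
var_dump($req_page);
var_dump($req_sort);
var_dump(isset($req_authorized));
var_dump($authorized);
```

Run it with `php example.php`; the prefixed variables are set, $req_authorized is not, and $authorized stays false regardless of the request.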

Source: https://habr.com/ru/post/1718239/
