how to forbid puting parameters in URL

Anon

Dear friends.
Everybody knows that PHP accept parametres in URL, like:

In the script index.php, there will be a variable whose value will be 24.

It doesn't like because somebody could modify the program's behaviour.

I ask you If there is a method to forbid put variables in URL. If there isn't possible, how can I know where a variable is declared insede the PHP code or come from the URL

I allways use PHP from source code, for this reason I have no problem If I have to recompile PHP + Apache.

Thanks a lot.

Xevi.

[deleted]

Here we go again.

Variables passed throuhg the URL do NOT overwrite ANY variables that you declare inside your script.

Anon

he's right, but if for some wierd reason you still needed to stop them from working in certain conditions, (which is imaginable) you could manually clear the $HTTP_GET_VARS array on page load, given the certain condition is true.

Anon

how???is the big question.

Anon

uh... that really wouldn't matter.

but you could do this at the beginning of your scripts. again - THIS IS RETARDED, don't do this!

reset($HTTP_GET_VARS);
while($array_cell = each($HTTP_GET_VARS)) {
unset($array_cell['value']);
}
$HTTP_GET_VARS = array();

you can also go into php.ini and turn off register globals (or something like that) or reorder the registration order to order the GET variables first (then they will be overwritted by ANYTHING else that happens.

if your script could be hacked by changing the ?id=7 in your URL, then your script is SEVERLY FLAWED. do verification in the script to authorize whatever is going on.

Anon

I highly recommend turning register_globals off in php.ini.

This way you can have a variable called $id in PHP that cannot be changed with the URL in your example, because a parameter passed through the URL will end up as $HTTP_GET_VARS[id].

Anon

Whoops. Just to clarify - vincent is correct. Actually if you declare a variable $id, then a parameter called id would not overwrite your variable. However, depending on the order that Get, Post, etc are read, a parameter passed through the URL could override a post variable.

Still, turn register_globals off to avoid having a URL parameter override any variables passed between scripts.

And validate ALL user input.