dealing with variables / register globals

James_Lamb

Hello All,

I have started coding in PHP recently and I would like to ask some security related questions.

In the following example how would / could I change it so that I wouldnt use register globals for the site?
<?

if ( !isset($i))
$a="index";
else
$a=$_GET['i'];;

if ( $a == "example1" )
include 'example1.php' ;
else
include 'example2.php' ;
?>

There are more variables in the real example. The input is from the url eg

index.php?i=test

How can I write the same code/functionality to not use register globals. I am also keen to learn what the best method is for checking the input to ensure nobody is trying any specially crafted urls etc.

Anything would be great Smile

planetsim

<?

if ( !isset($i))
$a="index";
else
$a=$_GET['i'];;


if ( $a == "example1" )
include 'example1.php' ;
else
include 'example2.php' ;
?>

I hope this was just an example you wipped up quickly I can see one error which is staring me in the face.

$_GET isnt a register global its a super global, which is actually a good global believe it or not. Register globals allow any variables say $test for example

mydomain.com/file.php?test=testing

to have the value of $test with register_globals Off youd need to use $_GET['test'] and $test would be a totally different variable.

What you should check?
Well think what type of data should be allowed in each bit of user inputted data. So URLS if its an ID normally there numeric so check that they are numeric and nothing else.

Theres no diffiant checklist so what data you wish to obtain just make sure it matches. Also do not allow '; in inputted data you can easily fix this with the use of addslashes.