variables and string queries

Anon

My web hosts reckon that it's safer to switch off the ability to type query strings after the url, so that people can't hack into your data. This is causing me heaps of problems, as all the books, scripts etc just call variables from the previous page or from forms, but instead they say i have to use

$HTTP_POST_VARS[my_variable]

This also means that i can't do queries with links on my pages

e.g.http://www.mywebsite.com/contacts.php?action=add

and calling session variables doesn't seem to work either and it's doing my head in and I'm having to find obscure ways of doing stuff, like this parse_url etc.

What do you guys think about this? are they being overly paranoid and making me type more code than i need to and overly complicating things for a newbie? I think that maybe having to use parse_url is missing the point. Surely my database will be safe if the add/modify/delete pages are protected?

i do have access to php.ini, so i could change the config, but my server people have advised me not to.

opinions/help appreciated!

Anon

You should be able to access $HTTP_GET_VARS[]. Edit your php.ini file so that is available.

If the sysadmin of that server says you can't do that, then move to a new server. I have never heard of anything that absurd.

I can't see any security risk with a page that's properly written from a user adding variables to the query string.

You might have your PHP script do something like execute a server command receieved in a query string, or execute a MYSQL query in a query string... but that's something I can never see a reason for doing.

Besides... I could write an HTML page with a form tag looking like:

and post variables to your page. I think you might want to talk to the server admin again, and see what this rule is really about. If he says that a GET request is a security hazard, then call him a moron, and move to a new host.

Anon

Here is what the sysadmin geezer says about it:

"It's actually the setting Register Global Vars. For a security measure, simply converting what is submitted with the page into variables of the same name is, if not handled properly, a risk to your scripts. This is the traditional way php (and other cgi's) have worked in the past. However, it's better if you explicity access these variables as explicit array references in the two global arrays :

$HTTP_GET_VARS or
$HTTP_POST_VARS

(there's a couple of others two, for cookies and

for example, if you were posting something like this :

<form.... >
<input type=text name=text value="foo">
...

you'd access it as (in an example if statement)

if ($HTTP_POST_VARS[test] == "whatever") {
then do this...

}

rather than

if ($test == "whatever") {
..
}

You see it makes better sense, if say someone where to access the page in a way you don't want them to - say as in a GET thru the URL : pages.php?test=whatever. "

so. load of tosh or sensible?

as you say above, someone could just access the data by using a form instead of a query string on the url anyway, so what difference does it make? i've got a mate who does ASP and he uses query strings in his links all the time, so what's the big problem?

Anon

Yes... that's good.
That's actually how it should be.