[thelist] PHP Includes
Michael Pemberton
pemberton_m at hotmail.com
Tue Jan 1 22:54:19 CST 2002
I know this is an old warning, but using variables in this fashion is very
risky.
Here's what php.net had to say about the new system:
To help users build PHP applications with register_globals being off, we've
added several new special variables that can be used instead of the old
global variables. There are 7 new special arrays:
$_GET - contains form variables sent through GET
$_POST - contains form variables sent through POST
$_COOKIE - contains HTTP cookie variables
$_SERVER - contains server variables (e.g., REMOTE_ADDR)
$_ENV - contains the environment variables
$_REQUEST - a merge of the GET variables, POST variables and Cookie
variables. In other words - all the information that is coming from the
user, and that from a security point of view, cannot be trusted.
$_SESSION - contains HTTP variables registered by the session module
Now, other than the fact that these variables contain this special
information, they're also special in another way - they're automatically
global in any scope. This means that you can access them anywhere, without
having to 'global' them first. For example:
For those using the previous versions of PHP, the old array names are
$HTTP_GET_VARS, $HTTP_SERVER_VARS, $HTTP_POST_VARS. I can't remember the
rest off the top of my head, sorry.
>From: "John Corry" <john at neoncowboy.com>
>link.php?var=foo.inc would allow you to call the include like:
>
><?php include("$var"); ?>
>
>Variables are immediately accessible when passed via querystring.
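An added example, not part of the original message or of the php.net text it quotes: one way to replace the quoted `include("$var")` when register_globals is off, by reading the value explicitly from `$_GET` and resolving it through an allow-list. The function name `resolve_include`, the `pages` directory and the file names are assumptions made for illustration.

```php
<?php
// Added example (not from the original thread). Names and paths are hypothetical.

// Allow-list: request key => file that may be included.
$ALLOWED_INCLUDES = array(
    'foo'     => 'foo.inc',
    'contact' => 'contact.inc',
);

/**
 * Map the untrusted query-string value to a file from the allow-list.
 * Returns the full path, or null when the value is missing, is not a
 * string, or is not a known key.
 */
function resolve_include($query, $allowed, $baseDir)
{
    // Read the value explicitly from the GET array instead of relying on
    // register_globals to create $var.
    if (!isset($query['var']) || !is_string($query['var'])) {
        return null;
    }
    $key = $query['var'];
    if (!array_key_exists($key, $allowed)) {
        return null;
    }
    // The path is built only from values the developer wrote,
    // never from the request itself.
    return $baseDir . '/' . $allowed[$key];
}

// Constructed sample requests, standing in for $_GET.
$samples = array(
    array('var' => 'foo'),                // known key: resolves to pages/foo.inc
    array('var' => 'foo.inc'),            // raw file name: no longer accepted
    array('var' => 'other/file.inc'),     // not on the list: rejected
    array('var' => array('foo')),         // link.php?var[]=foo, not a string
    array(),                              // parameter missing
);

foreach ($samples as $query) {
    $path = resolve_include($query, $ALLOWED_INCLUDES, __DIR__ . '/pages');
    echo json_encode($query), ' => ', var_export($path, true), "\n";
}

// In link.php itself the call would be:
//   $path = resolve_include($_GET, $ALLOWED_INCLUDES, __DIR__ . '/pages');
//   if ($path === null) { header('HTTP/1.0 404 Not Found'); exit; }
//   include $path;
```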