[thelist] beginner PHP question

Allie Micka allie at pajunas.com
Sat Feb 16 11:31:00 CST 2002

Sure, you can look in $HTTP_POST_VARS and $HTTP_GET_VARS.  They're both
arrays containing your
form variables, and its generally 'safer' to use these variables.  When
you just use $LastName you don't know for sure where it 'came from', as
different variable scopes overwrite each other.
By default, an Environment variable will be overwritten by a GET variable
of the same name, POST variables overwrite that, and then cookie and
session variables of the same name override them all.

This opens up a window for security holes. Poorly written login code may
say something like if(isset($logged_in)), expecting that it would only be
available if the login code set it in the session.  In this case it is not
much trouble to set logged_in=true on the GET request and gain
unauthorized access to the site.  Mixing scopes like that is messy.

$HTTP_POST_VARS and $HTTP_GET_VARS are a way to guarantee that variables
come from expected scopes.  If you're using 4.1+, you can also use $_GET
and $_POST (and others), which are global in scope and more handy to type!

Allie Micka
pajunas interactive, inc.

More information about the thelist mailing list