I am designing a new website for my company and I am trying to implement switch navigation, which is what I have used on all my sites in the past.

<?php
switch($x) {

default:
include("inc/main.php");
break;

case "products":
include("inc/products.php");
break;

}
?>

For some reason when I go to index.php?x=products nothing happens, it still displays inc/main.php, in other words it hasn't detected the X variable from the URL. Is this something to do with global variables?

+11  A: 

Yes, your PHP configuration has correctly got register_globals turned off, because that's incredibly insecure.

Just put:

$x = $_REQUEST['x'];

at the top of your script.

You can also use $_GET if you specifically only want this to work for the GET HTTP method. I've seen some people claim that $_REQUEST is somehow insecure, but no evidence to back that up.

Alnitak
It is better to use $_GET and not $_REQUEST ... $_REQUEST isn't as bad as register_globals but it still gives a bad smell. He knows he's using a URL var and presumably doesn't want cookies or POST parameters changing his view mode, so he should use $_GET, not $_REQUEST.
joelhardi
I have also heard it is insecure, but then I thought: why has nearly every webserver or hosting package I have ever paid for had it turned on?
zuk1
To be more specific than "bad smell" (hate SO comment character limit), $_REQUEST is subject to XSS attacks, since cookies can be set client-side.
joelhardi
Interesting - I had forgotten that $_REQUEST also includes cookies. However, in this instance I don't see any risk.
Alnitak
@zuk1, it was enabled by default in PHP4, and lots of (bad) apps depended on it being turned on. PHP5 changed to off by default, but some hosts turn it back on for compatibility with the (bad) apps. Easier for them to do that than deal with customers like you asking them why my apps stopped working.
joelhardi
@Alnitak, OK, I dug up a talk that explains all sorts of $_REQUEST attacks more eloquently than I. :) http://www.slideshare.net/ZendCon/lesser-known-security-problems-in-php-applications-presentation
joelhardi
@joelhardi Thank you!
zuk1
+1  A: 

You should use $_GET to read out these variables. There is a deprecated setting called register_globals, but I would definitely not advise using it, as it is a potential security risk.

Aron Rotteveel
+4  A: 

It seems like your previous webhosts all used register_globals and your code relies on that. This is a dangerous setting and was rightfully removed in PHP 6.0! Use switch($_GET['x']) { instead.

hangy
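The point made in the comments on the first answer (a cookie can override a URL parameter when the page reads $_REQUEST) and the third answer's advice to switch on $_GET['x'], put together in one runnable script. This is an added example, not code from the question or any of the answers; the include paths are the question's, the resolvePage and mergedRequest function names and the sample request values are made up for illustration.

```php
<?php
// Added example (not from the original post): why reading the page key
// from $_GET is safer than $_REQUEST, and how the switch acts as a whitelist.

// Resolve the include path from the GET parameters only, so neither the
// POST body nor a cookie named x can change which file is selected.
// Unknown values fall back to the default page instead of being used in a path.
function resolvePage(array $get): string
{
    switch ($get['x'] ?? '') {
        case 'products':
            return 'inc/products.php';
        default:
            return 'inc/main.php';
    }
}

// Model of how PHP builds $_REQUEST: GET, POST and COOKIE are merged in the
// order given by request_order (or variables_order when request_order is
// unset, whose default EGPCS puts cookies last). Later sources override
// earlier ones, so with a C after G a cookie wins over the URL parameter.
function mergedRequest(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split($order) as $letter) {
        $merged = array_merge($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Constructed sample request: the URL asks for ?x=products, but the browser
// also sends a cookie named x. Only the $_REQUEST-style lookup is affected.
$get    = ['x' => 'products'];
$post   = [];
$cookie = ['x' => 'main'];

printf("%-22s %s\n", 'from GET only:',      resolvePage($get));
printf("%-22s %s\n", 'from merged request:', resolvePage(mergedRequest($get, $post, $cookie)));
printf("%-22s %s\n", 'unknown page key:',   resolvePage(['x' => 'nonexistent']));
```

Run with `php example.php`; the GET-only lookup selects inc/products.php while the merged lookup is steered to inc/main.php by the cookie, and any value outside the switch's cases lands on the default include.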