4.6 Accessing Data Through PHP's Built-in Arrays
Technique

Use the $HTTP_POST_VARS and $HTTP_GET_VARS arrays:

<?php
// Read the request method from the server array so the snippet still works
// with register_globals turned off.
$method = strtolower($HTTP_SERVER_VARS['REQUEST_METHOD']);
$submitted_vars = $method == 'get' ? $HTTP_GET_VARS : $HTTP_POST_VARS;
$name = $submitted_vars['name'];
?>

Comments

PHP automatically registers the submitted data as global variables in your program. However, automatically registering global variables has some serious security ramifications. It is insecure because the global variables are registered from user input, and PHP variables can be overwritten by submitted variables. That means that if a malicious user sends an extra variable named dbh, and your PHP script has a variable named $dbh, the $dbh variable in your script will be overwritten. To avoid this potential security risk, you should set the register_globals directive in the php.ini file to off and rely instead on PHP's built-in "track" variables:
Note: As of PHP 4.1, shorter versions of the above variables are automagically available in all contexts (in function and global scopes). They are named respectively: $_POST, $_GET, $_COOKIE, $_ENV and $_SERVER. Additionally, a new array called $_REQUEST was added, which contains all $_GET, $_POST and $_COOKIE variables.
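The overwrite described above, side by side with the array-based approach, as an added example that is not part of the original text. It assumes a current PHP CLI, where register_globals no longer exists, so extract() stands in for it; the function names and the constructed $request array (standing in for $_GET or $_POST) are hypothetical.

```php
<?php
// Added example, not from the original page. register_globals was removed
// in PHP 5.4, so extract() is used here as a stand-in for its behaviour.

// Constructed request data: 'name' is the expected field, 'dbh' is the
// extra variable a client could send alongside it.
$request = ['name' => 'Alice', 'dbh' => 'client-supplied value'];

/** Emulates register_globals: every submitted key becomes a variable. */
function handler_with_registered_globals(array $submitted): array
{
    extract($submitted);          // $name and $dbh now come from the client

    // Common pattern: connect only if no handle exists yet. Because the
    // client already supplied $dbh, the real handle is never created.
    if (!isset($dbh)) {
        $dbh = 'real-db-handle';  // placeholder for a real connection
    }
    return ['name' => $name, 'dbh' => $dbh];
}

/** Reads only the expected key from the request array. */
function handler_with_request_array(array $submitted): array
{
    $dbh = 'real-db-handle';      // script-owned, unreachable from the request

    // Take the one field the script expects and check its type; any other
    // submitted key stays inside the array and never becomes a variable.
    $name = isset($submitted['name']) && is_string($submitted['name'])
        ? $submitted['name']
        : '';
    return ['name' => $name, 'dbh' => $dbh];
}

// Print the handle each handler ends up using.
var_dump(handler_with_registered_globals($request)['dbh']);
var_dump(handler_with_request_array($request)['dbh']);
```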