4.6 Accessing Data Through PHP's Built-in Arrays

You want direct access to the input sent by your users to the PHP script via the GET or POST method.

Technique

Use the $HTTP_POST_VARS and $HTTP_GET_VARS arrays:

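 <?php
 // Read the request method from the server array so this works with register_globals off
 $method = strtolower($HTTP_SERVER_VARS['REQUEST_METHOD']);
 // Pick the array that matches how the form was submitted
 $submitted_vars = $method == 'get' ? $HTTP_GET_VARS : $HTTP_POST_VARS;
 $name = $submitted_vars['name'];
 ?>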

Comments

PHP automatically registers the submitted data as global variables in your program. However, automatically registering global variables has some serious security ramifications. It is insecure because the global variables are registered from user input, so PHP variables can be overwritten by submitted variables. That means if a malicious user sends an extra variable named dbh, and your PHP script has a variable named $dbh, the $dbh variable in your script will be overwritten. To avoid this potential security risk, you should set the register_globals directive in the php.ini file to off and rely instead on PHP's built-in "track" variables:

$HTTP_POST_VARS: An associative array of all variables sent by the user via the POST method

$HTTP_GET_VARS: An associative array of all variables sent by the user via the GET method

$HTTP_COOKIE_VARS: An associative array of all the cookies sent to the current script

$HTTP_POST_FILES: An associative array of information about all files sent using PHP's file upload feature

$HTTP_ENV_VARS: An associative array of all environment variables

$HTTP_SERVER_VARS: An associative array of all the variables that the server sends to PHP

$HTTP_SESSION_VARS: An associative array of all the current session variables

Note

As of PHP 4.1, shorter versions of the above variables are automagically available in all contexts (in function and global scopes). They are named respectively: $_POST, $_GET, $_COOKIE, $_ENV and $_SERVER. Additionally, a new array called $_REQUEST was added, which contains all $_GET, $_POST and $_COOKIE variables.
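The $dbh overwrite described in the Comments above, shown beside the array-based alternative. This is an added example, not code from the book. Because the register_globals directive no longer exists in current PHP, it is emulated here with a loop; open_connection() and the two page_* functions are hypothetical names, and the sample request is constructed.

```php
<?php
// Constructed sample input: the fields a request such as
// ?name=Alice&dbh=bogus would carry. "dbh" is the extra variable.
$sample_request = array('name' => 'Alice', 'dbh' => 'bogus');

// Hypothetical stand-in for opening the real database connection.
function open_connection()
{
    return 'trusted-connection';
}

// Emulation of register_globals = on: every submitted key becomes a
// variable before the script body runs.
function page_with_register_globals(array $request)
{
    foreach ($request as $key => $value) {
        $$key = $value;
    }
    // Script body: lazy initialisation trusts whatever $dbh already holds,
    // so a submitted "dbh" field takes the place of the real handle.
    if (!isset($dbh)) {
        $dbh = open_connection();
    }
    return array('name' => isset($name) ? $name : null, 'dbh' => $dbh);
}

// register_globals = off: input stays inside the array, and the script
// copies out only the fields it expects, after checking their type.
function page_with_track_array(array $request)
{
    $dbh  = open_connection();
    $name = isset($request['name']) && is_string($request['name'])
        ? $request['name']
        : '';
    return array('name' => $name, 'dbh' => $dbh);
}

$unsafe = page_with_register_globals($sample_request);
$safe   = page_with_track_array($sample_request);

echo "register_globals emulated: dbh = {$unsafe['dbh']}\n";
echo "explicit array access:     dbh = {$safe['dbh']}\n";
```

On PHP 4.1 and later the array passed to page_with_track_array() would be $_GET or $_POST; on earlier versions, $HTTP_GET_VARS or $HTTP_POST_VARS.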




PHP Developer's Cookbook
PHP Developers Cookbook (2nd Edition)
ISBN: 0672323257
EAN: 2147483647
Year: 2000
Pages: 351
