[ILUG] developerWorks article...

kevin lyda kevin at suberic.net
Mon May 15 13:30:39 IST 2000


adam beecher bleated:
> Eaaagh! Wrong! PHP lets you skip all steps - all GET, POST and ENV variables are
> imported to the symbol table automatically at runtime. So if you pass a variable
> via GET in a URL <http://www.dom.com/script.php3?var1=val1>, 'val1' is
> immediately available in $var1. Same goes for environment variables -
> $HTTP_HOST, $REQUEST_URI, etc. It's one of the best things about PHP.

two points:

a) if importing vars into the program's namespace is a great thing then
i assume you'll also enjoy http://www.deskware.com.

b) i'm thinking "huge security hole."  does php force you to initialise
variables?  what if i did:

	while ($i < 10) {
		/* do stuff */
		$i++;
	}

and then the user passed a form variable i equal to -1000000 to my php
script?

you can import cgi params into main's namespace using the import_name
method, but this is considered insecure.  generally i'm not too keen on
letting input magically affect my namespace unless i know more about the
magic - what's php's incantations to preserve security and correctness?

kevin
-- 
kevin at suberic.net       "we were goin' for breakfast.  in canada.  we
fork()'ed on 37058400    made a deal: if she'd stop hookin', i'd stop
meatspace place: work    shootin' people.  maybe we were aiming high."
                                                   --porter, "payback"
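The loop above, worked through as an added example (not part of the original post or of any PHP project code). The request array, the `extract()` call standing in for register_globals, and the function and parameter names are all assumptions made here to show the uninitialised-counter problem beside the explicitly-initialised, explicitly-validated form:

```php
<?php
// Added example, not from the mailing-list post.  extract() is used here only
// to reproduce what register_globals did: every request parameter becomes a
// variable in the function's scope.  It is the pattern to avoid, not a fix.

// Constructed sample request: the "i equal to -1000000" case from the mail.
$request = ['i' => '-1000000', 'count' => '25'];

// Vulnerable pattern: $i is never initialised, so the request value is used
// as the loop counter and the loop runs 1000010 times instead of 10.
function countWithoutInit(array $request): int {
    extract($request);          // stands in for register_globals (assumption)
    $iterations = 0;
    while ($i < 10) {           // $i is whatever the client sent
        $iterations++;
        $i++;
    }
    return $iterations;
}

// Hardened: every local is initialised before use, so request data cannot
// become the loop counter no matter how it arrived.
function countWithInit(array $request): int {
    $i = 0;                     // explicit initialisation
    $iterations = 0;
    while ($i < 10) {
        $iterations++;
        $i++;
    }
    return $iterations;         // always 10
}

// Input the script actually wants is read by name and validated, with a
// bounded range and a default, rather than imported into the namespace.
function readCount(array $request, int $default = 10): int {
    $raw = $request['count'] ?? '';
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    return ($n === false) ? $default : $n;
}

printf("uninitialised loop ran %d times\n", countWithoutInit($request)); // 1000010
printf("initialised loop ran %d times\n", countWithInit($request));      // 10
printf("validated count: %d\n", readCount($request));                    // 25
printf("bad count falls back to: %d\n", readCount(['count' => '-5']));   // 10
```

On a real deployment the first line of defence was the php.ini directive `register_globals = Off` (the feature was removed altogether in PHP 5.4); with it off, request data is only reachable through `$_GET`, `$_POST` and friends, which is what the explicit `$request[...]` lookups above model.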