I apologize, but I've never been able to access $_POST and $_GET in any context whatsoever without first turning on the register globals.

"John Nichel" <jnichel@xxxxxxxxxx> wrote in message news:4387AC03.1040302@xxxxxxxxxxxxx
> Matt Monaco wrote:
>> Somewhat, but it's what you need to do for the post and get arrays to
>> work.
> <snip>
>
> No. Things like $_POST and $_GET are global arrays and work regardless of
> the register_globals setting. The information you're handing out above is
> wrong and dangerous.
>
> </snip>
>> What you need to do is make sure to check the values in the global variables
>> before you use them. For example if on one page you have a form for a
>> user signup and <input type=text name='userName'> on the next page
>> $_POST['userName'] should be checked for things like quotes and other
>> characters that will alter your SQL statement before you actually INSERT
>> that value into your table.
>
> ie they should be sanitized. Things like mysql_real_escape_string() or
> adding slashes (depending on your magic_quotes setting) should be done
> prior to inserting any data. Also, you should check to ensure that it's
> the data you expect; if you only allow usernames to contain alpha-numeric
> characters, then you should check for that. Toss it out if it contains
> something else.
>
> Best rule of thumb: Never trust user input, regardless of the
> register_globals setting.
>
> --
> By-Tor.com
> ...it's all about the Rush
> http://www.by-tor.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
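The check-then-insert advice from the thread, as an added example that is not part of any poster's message. It swaps the `mysql_real_escape_string()` call named above for a PDO prepared statement (the `mysql_*` extension was removed in PHP 7.0). Assumptions: PHP 8 with `pdo_sqlite`, an in-memory SQLite table standing in for the real database, a 3-32 character alphanumeric username policy, and the hypothetical helpers `validate_username()` and `insert_user()`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only what a username may contain
// (assumed policy: 3-32 ASCII letters and digits) and toss out the rest.
function validate_username(mixed $raw): ?string
{
    if (!is_string($raw)) {   // a field sent as userName[]=x arrives as an array
        return null;
    }
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    return preg_match('/\A[A-Za-z0-9]{3,32}\z/', $raw) === 1 ? $raw : null;
}

// Hypothetical helper: the value is bound as a parameter and is never
// concatenated into the SQL text, so quotes cannot alter the statement.
function insert_user(PDO $db, string $userName): void
{
    $stmt = $db->prepare('INSERT INTO users (userName) VALUES (:userName)');
    $stmt->execute([':userName' => $userName]);
}

// In-memory SQLite stands in for the real database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, userName TEXT UNIQUE NOT NULL)');

// Constructed sample inputs standing in for $_POST['userName'].
$samples = [
    'alice42',               // allowed
    "rob'; --",              // quote and comment characters
    "carol\n",               // trailing newline
    ['nested' => 'array'],   // not a string at all
    'ab',                    // too short for the assumed policy
];

foreach ($samples as $raw) {
    $userName = validate_username($raw);
    if ($userName === null) {
        echo 'rejected: ', json_encode($raw), PHP_EOL;
        continue;
    }
    insert_user($db, $userName);
    echo 'inserted: ', $userName, PHP_EOL;
}

echo 'rows stored: ', $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
```

The allow-list check and the bound parameter are independent layers: the first enforces what a username is, the second keeps any accepted value out of the SQL grammar.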