Re: How is this possible?


 



On Wed, 2009-10-28 at 13:47 -0400, Andrew Ballard wrote:

> On Wed, Oct 28, 2009 at 1:27 PM, tedd <tedd@xxxxxxxxxxxx> wrote:
> > Hi gang:
> >
> > I am reviewing some old code (circa 2003) where the programmer had one
> > script call another and placed variable values in the URL, like so:
> >
> >    <a href="user_edit.php?user_id=5223&action=edit">
> >
> > That seems innocent enough. However, in the called script (i.e.,
> > "user_edit.php") there are no:
> >
> >    $user_id = $_GET['user_id'];
> >    $action = $_GET['action'];
> >
> > statements to populate the variables, yet the variables get populated with
> > the values sent!?!
> >
> > How did he do that?
> >
> > Incidentally, he did have in the .htaccess file the statement:
> >
> >   php_flag register_globals 1
> >
> > So I figure that Globals have something to do with it, but I never use
> > Globals. And if I print_r $GLOBALS, I find that user_id and action are
> > listed (many times), but I don't see how that works.
> >
> > Furthermore, something got changed and the entire script no longer works. So
> > I'm in a quandary to figure this out -- any ideas, suggestions, references?
> >
> > Thanks,
> >
> > tedd
> >
> 
> That's exactly what register_globals does. It's analogous to
> prepending your scripts with this:
> 
> <?php
> 
> extract($_GET);
> extract($_POST);
> extract($_COOKIE);
> extract($_SESSION);
> 
> ?>
> 
> (The order would be determined by the ini directive variables_order)
> 
> Andrew
> 


Register globals is evil; somewhere between M$ and the chocolates that
are always left over in the Xmas tin that nobody likes. Best bet is to
try and steer the system away from its dependency on this old
directive.

Thanks,
Ash
http://www.ashleysheridan.co.uk
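
One way to move the `user_edit.php` link discussed in this thread off register_globals, as an added example that is not part of the original messages: read the two values explicitly and validate them. The function name, the action allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the actions user_edit.php supports; only 'edit' appears in the thread.
const ALLOWED_ACTIONS = ['edit'];

/**
 * Explicit replacement for the $user_id and $action variables that
 * register_globals created implicitly. Pass $_GET in production.
 * Throws if a value is missing or malformed; keys not read here never become variables.
 */
function read_user_edit_params(array $query): array
{
    // Rejects "5223abc", arrays, empty strings, and a missing key; min_range rejects 0 and negatives.
    $userId = filter_var(
        $query['user_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($userId === false) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }

    // Strict allowlist comparison: no type juggling, no arrays.
    $action = $query['action'] ?? null;
    if (!is_string($action) || !in_array($action, ALLOWED_ACTIONS, true)) {
        throw new InvalidArgumentException('action is not supported');
    }

    return ['user_id' => $userId, 'action' => $action];
}

// Constructed sample query arrays standing in for $_GET.
$samples = [
    ['user_id' => '5223', 'action' => 'edit'],                  // the link from the thread
    ['user_id' => '5223abc', 'action' => 'edit'],               // malformed id
    ['user_id' => '5223', 'action' => 'drop', 'extra' => '1'],  // unknown action, stray key
    ['action' => 'edit'],                                       // id missing
];
foreach ($samples as $query) {
    try {
        $p = read_user_edit_params($query);
        printf("ok: user_id=%d action=%s\n", $p['user_id'], $p['action']);
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

Once every script reads its inputs this way, the `php_flag register_globals 1` line can be removed from `.htaccess`.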


