Hi,
No, you're wrong, I'm working with register_globals at OFF.
What I tried to explain is that what you retrieve after your form submission is a $_POST array.
I just do a foreach loop in it to retrieve the values.
I do additional checks to avoid problems with other variables, but then at the end I had $_POST['cloningView'], which was in the array that is extracted, and its value is put in the $cloningView variable.
Let's say the form hasn't been submitted: $_POST is empty, and my check if ($cloningView) returns false (cloningView is not set, its value == false).
If I understand, I should test that to avoid a warning. But I have an error reporting level without warnings, so should I care about that? Is it just a "best practice"? You say it is to have safer code, but I don't see in which way?
Sorry if it's really obvious, but I really don't get it. For me, as long as my test returns false when it has to, it's OK; I don't see the security breach...
From: anirudh dutt <aneroid@xxxxxxxxx>
Reply-To: anirudh dutt <aneroid@xxxxxxxxx>
To: mel list_php <list_php@xxxxxxxxxxxxx>
CC: ron.php@xxxxxxxxxxxxxxxxxx, php-db@xxxxxxxxxxxxx
Subject: Re: onClick
Date: Tue, 1 Mar 2005 21:12:38 +0530
On Tue, 01 Mar 2005 14:11:22 +0000, mel list_php <list_php@xxxxxxxxxxxxx> wrote:
> Why do you think that checking the value ($cloningView=="View") is better?
no, i didn't say it was better, but it does make a lil difference. i also said, test the POST var. ur example makes it appear as though u keep register_globals on.
$_POST['cloningView'] == 'View' would be the right way. i put an extra '' in my previous mail. of course, if(isset($_POST['cloningView'])) should be before that.
also, as far as the "has the form been submitted" test goes, check with isset/is_null/etc. before comparing values, if u do that at all. this is to avoid warnings/notices and generally write safer code.
> I just put something for it to be true but never paid attention to the exact
> string. I don't see the difference, if that POST variable exists it comes
> from my posted form so had that value.
that's fine too. except, when u know u're expecting POST vars, use $_POST['cloningView'] in ur tests, not just $cloningView. in PHP 4 >= 4.2.10, PHP 5 - register_globals is OFF by default. import_request_variables: Although the prefix parameter is optional, you will get an E_NOTICE level error if you specify no prefix, or specify an empty string as a prefix. (from the manual).
> I just want my user to display
> something else when clicking on a button, so I don't care about the value
> itself.
> I suppose it's a security thing but I don't see it?
u've got the idea. and no, the value isn't important. it's only a minor check which can be circumvented even if u had it in place.
as far as the onClick code is concerned, it doesn't really matter what u put there, the page generation occurs at the server side so onClick isn't in any position to offer u security or to make sure that ur form's submit was used to generate the page. well, not unless u come up with some really intricate algo.
-- ]# Anirudh Dutt
...pilot of the storm who leaves no trace like thoughts inside a dream
-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
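The two styles discussed in this thread side by side, as an added example that is not code from either poster: a loop that turns every $_POST key into a local variable (the pattern mel describes, equivalent to extract() or register_globals), and the isset()-guarded test of $_POST['cloningView'] that anirudh recommends. The `isAdmin` default and the sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Fragile pattern: every key the client sends becomes a local variable.
// A submitted field that happens to share a name with an internal variable
// silently replaces its value, which is why "test $_POST directly" is safer.
function loopOverPost(array $post): array
{
    // Hypothetical defaults that the script relies on internally.
    $vars = ['isAdmin' => false, 'cloningView' => null];
    foreach ($post as $key => $value) {
        $vars[$key] = $value;   // same effect as extract($post) / register_globals
    }
    return $vars;
}

// Recommended pattern: read only the field you expect, confirm it exists
// (no notice when the form was not submitted), then compare the exact value.
function formSubmitted(array $post): bool
{
    return isset($post['cloningView']) && $post['cloningView'] === 'View';
}

// Constructed sample requests: no submission, a normal submission, and a
// submission carrying an extra field the form itself never defined.
$noSubmit = [];
$normal   = ['cloningView' => 'View'];
$extra    = ['cloningView' => 'View', 'isAdmin' => '1'];

// With the loop, the extra field overwrites the internal default.
$overwritten = loopOverPost($extra)['isAdmin'] !== false;

// With the guarded test, the internal default is never touched and the
// empty request yields false without any warning or notice.
$results = [
    'loop overwrote isAdmin'   => $overwritten,
    'empty request submitted'  => formSubmitted($noSubmit),
    'normal request submitted' => formSubmitted($normal),
    'extra field ignored'      => formSubmitted($extra) && !isset($normal['isAdmin']),
];

foreach ($results as $label => $value) {
    echo str_pad($label, 26), ': ', var_export($value, true), PHP_EOL;
}
```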