On Wed, 02 Mar 2005 09:52:00 +0000, mel list_php <list_php@xxxxxxxxxxxxx> wrote:

> Hi,
>
> No you're wrong, I'm working with register_globals at OFF.
> What I tried to explain is that what you retrieve after your form submission is a
> $_POST array.
> I just do a foreach loop in it to retrieve the values.
> I do additional checks to avoid problems with other variables, but then at
> the end I had $_POST['cloningView'], which was in the array that is extracted,
> and its value is put in the $cloningView variable.
>
> Let's say the form hasn't been submitted, $_POST is empty, my check if
> ($cloningView) returns false (cloningView is not set, its value == false).

u shouldn't be checking $cloningView. if $_POST['cloningView'] is not set, then

    $cloningView = $_POST['cloningView']; // should issue a warning.

more importantly, it shouldn't be done. $cloningView's true/false-ness shouldn't be checked until u know it's set. if $_POST is empty, then $cloningView probably shouldn't exist. as per how u use it, u can just assume it's false.

otoh, this is fine:

    $cloningView = isset($_POST['cloningView']) ? $_POST['cloningView'] : false;

and u could safely put that outside the ' if (isset($_POST['submit_var'])) { ... } ' block.

> If I understand, I should test that to avoid a warning. But I have an error
> report level without warnings, so should I care about that? Is it just a
> "best practice"?

even if ur error level (during production) doesn't show warnings, u could write cleaner code. yeah, it is more of a best practice. it also makes it easier to read/understand if u or someone else reads it later. and it probably won't make a difference if u don't do all that... coz like u said, if it's not set, it returns false and that's what u want. in all probability, this behaviour won't change, but if it does, ur code would need to be modified (behaviour = how vars which are not set are handled when used).

> You say it is to have safer code, but I don't see in which
> way?

if u're not using .htaccess for ur site (on a per dir basis) and the server admin just happens to have set register_globals ON coz some rich client's old site requires it or his/her assistant is new, someone could use 'urpage.php?cloningView=1'. ur check (if it's outside the $_POST check block) would pass when it should actually fail. i know it's a "what if" situation. just my $0.02.

another one: if u use import_request_vars in ur code with no or an empty prefix (string), with ur error level, u wouldn't see the notice and ur script would be susceptible to the use above.

> Sorry if it's really obvious, but I really don't get it. For me, as long as
> my test returns false when it has to, it's ok, I don't see the security
> breach.....

considering that register_globals is off in ur case, it won't make a difference. imho, <style="spock">it is illogical</style> to use the value of a non-existent variable (or assign it to another).

-- 
]# Anirudh Dutt
...pilot of the storm who leaves no trace
like thoughts inside a dream

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
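The point made in the reply above, as an added example that is not part of the original thread: it contrasts a flag that is read only from $_POST behind the submit check with a variable that could have been populated from the query string when register_globals is on. The request arrays, the field names (`submit_var`, `cloningView`), and the `emulateRegisterGlobals()` helper are constructed for illustration; the helper only imitates the effect of register_globals on a merged request, it is not real PHP behaviour.

```php
<?php
// Added example (not from the original mailing-list thread).
declare(strict_types=1);

// Hardened pattern: the flag is only ever read from $_POST, and only once the
// form has actually been submitted. GET data is never consulted.
function cloningViewRequested(array $post): bool
{
    if (!isset($post['submit_var'])) {
        return false;                      // form not submitted: nothing to read
    }
    return isset($post['cloningView']) && $post['cloningView'] === '1';
}

// Whitelist-based alternative to "foreach over $_POST": only expected field
// names are copied into the result; any other key in the request is ignored.
function readFormFields(array $post, array $allowed): array
{
    $fields = [];
    foreach ($allowed as $name) {
        $fields[$name] = isset($post[$name]) ? (string) $post[$name] : null;
    }
    return $fields;
}

// Constructed emulation of what register_globals=On (or extract() over the
// request / import_request_variables() with an empty prefix) would do:
// query-string and body keys both end up as plain variables.
function emulateRegisterGlobals(array $get, array $post): array
{
    return array_merge($get, $post);
}

// Constructed requests.
$getOnly  = ['cloningView' => '1'];                        // urpage.php?cloningView=1, no form posted
$postForm = ['submit_var' => 'go', 'cloningView' => '1'];  // genuine form submission

// Old pattern: checking a variable that may have come from the query string.
$vars        = emulateRegisterGlobals($getOnly, []);
$cloningView = isset($vars['cloningView']) ? $vars['cloningView'] : false;
var_dump((bool) $cloningView);          // true although no form was submitted

// Hardened pattern: the decision is taken from $_POST only.
var_dump(cloningViewRequested([]));         // false: empty request
var_dump(cloningViewRequested($getOnly));   // false: GET data never reaches the check
var_dump(cloningViewRequested($postForm));  // true: real submission

// Whitelisted extraction: unexpected keys are dropped, missing ones become null.
var_dump(readFormFields(['cloningView' => '1', 'evil' => 'x'], ['cloningView', 'name']));
```

The value of guarding with `isset()` inside the submit check is that the decision no longer depends on how undefined variables happen to be treated by the current PHP configuration; whether register_globals is on or off, only a posted form can turn the flag on.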