Acmlm's Board - I2 Archive - Programming - $_GET and $_POST | |
Malow
Posted on 09-28-04 09:10 AM
Now I want to know, why do they provide more security? How am I supposed to use them WELL?

Thx ^^
sloat
Posted on 09-28-04 10:29 AM
PHP has a feature called register_globals that will create variables from a query string or from a form. Nowadays this is turned off; the reason is that you could put malicious variables in the query string.

$_GET and $_POST aren't necessarily more secure, but you have to use them if register_globals is turned off.

more info:
http://us4.php.net/manual/en/security.globals.php
Modereb
Posted on 09-28-04 10:55 AM
Actually...

If you use $variable in a PHP script, that variable can be declared through the URL (i.e. script.php?variable=bla), through posting a form, etcetera.

$_GET['variable'] means $variable can only be declared through the url, and $_POST['variable'] only through submitting a form.

So let's take this board's register page; it's important to have

    if($_POST['action']=='register'){

instead of just

    if($action=='register'){

so registering will only occur if it is done through this board's form. If not, you could keep registering accounts with a URL like register.php?action=register&username=malicious_person.

So it's definitely more secure.


(edited by Modereb on 09-28-04 01:58 AM)
frantik
Posted on 09-28-04 11:51 AM
Also, if you have register_globals turned on, people could hijack your script if you used an undeclared variable assuming it was blank, and they set it with a form.

Like if you had a script:
----------------------
<?php
// $giveaccess is never initialised: it is only assigned on the "high" path,
// so with register_globals on a request parameter can supply its value.
if ($securitylevel == "high")
    $giveaccess = "yes";

if ($giveaccess == "yes")
    doSecretStuff();
------------------------

Someone could hijack the script by calling it with a form with the form variable "giveaccess" set to "yes".

But if you turn off register_globals, people won't be able to do that, but you have to use $_GET & $_POST (and $_SERVER).


(edited by frantik on 09-28-04 02:51 AM)
FreeDOS
Posted on 09-28-04 10:41 PM
Neither of them provide any security . . .
DarkSlaya
Posted on 09-29-04 01:42 AM
$_POST is used for a more secure code, while $_GET... well not much. I don't understand why they made the $_REQUEST tag.
FreeDOS
Posted on 09-29-04 09:40 PM
Both of them can be intercepted just the same...

However, it's a lot easier to get access to someone else's account if the site uses session IDs and the person either didn't know or forgot to remove the session ID from a posted URL.
Zem
Posted on 09-29-04 11:20 PM
$_GET might not seem more secure, but using $_POST and $_GET is just good practice so you always know where your data is coming from. It's rare that the data you're looking for could legitimately be coming from either one. And if you don't care where your data comes from, or you're used to register_globals being on, $_REQUEST catches everything that would have been registered into a global.

The idea is that if you write sloppy code, and you use an uninitialized variable, it could be changed in the URL if register_globals is on. This is an illustrative example. This isn't a security hole, but it indicates how a problem could arise. In this case, $ipbanned is set to true if the script matches the user's IP to one in the banned list, but it isn't set at all if there is no match. Then when it comes time for the board to either output the content or the "Your IP is banned" message, it tests the value of $ipbanned. Normally, when this isn't set by the script, it's initialized to 0. But if it's set in the URL, since register_globals is on, it's initialized to whatever the user wants it to be. (Of course it's still set right if the IP is actually banned.)
This in particular could be fixed if the script explicitly set $ipbanned to 0 if there wasn't a match, but it's better to avoid the problem entirely by making it so users can't set variables in your scripts except where you want them to. Which is where $_GET comes in.
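The following is an added example, not code from this thread or from AcmlmBoard. It models frantik's $giveaccess script and Zem's $ipbanned description side by side with a hardened version: extract() is used to reproduce what register_globals=On did (every request parameter became a PHP variable), and the request arrays are constructed inline so the file runs from the command line with `php example.php` without reading a real $_GET or $_POST. The function and variable names are hypothetical.

```php
<?php
// Added example (not from the thread). Demonstrates how an uninitialised
// variable could be supplied by the client under register_globals=On, and
// the coding style that avoids it regardless of the php.ini setting.

// Vulnerable shape (frantik's script): extract() stands in for
// register_globals, and $giveaccess is only ever assigned on the "high" path.
function grant_access_vulnerable(string $securitylevel, array $request): bool
{
    extract($request);                 // simulates register_globals=On
    if ($securitylevel === "high") {   // note: extract() could overwrite this too
        $giveaccess = "yes";
    }
    // If the branch above did not run, $giveaccess is whatever the request said.
    return isset($giveaccess) && $giveaccess === "yes";
}

// Hardened shape: nothing is imported into the symbol table, every variable is
// initialised before use, and the one value we accept is read explicitly from
// the POST array (cf. Modereb's if($_POST['action']=='register')) with a default.
function grant_access_hardened(string $securitylevel, array $post): bool
{
    $giveaccess = false;               // explicit default, as Zem suggests for $ipbanned
    $action = $post['action'] ?? '';   // explicit source, explicit default
    if ($action !== 'register') {
        return false;
    }
    if ($securitylevel === "high") {
        $giveaccess = true;
    }
    return $giveaccess;
}

// Constructed requests: a normal form post, and one carrying an extra
// "giveaccess" parameter that the script never meant to accept.
$normal   = ['action' => 'register'];
$tampered = ['action' => 'register', 'giveaccess' => 'yes'];

var_dump(grant_access_vulnerable("low", $normal));
var_dump(grant_access_vulnerable("low", $tampered));   // true: hijacked via the extra parameter
var_dump(grant_access_hardened("low", $tampered));     // false: the extra parameter is ignored
var_dump(grant_access_hardened("high", $normal));      // true: only the script's own logic decides
```

Running it, the vulnerable function returns true for the tampered request even though the security level is "low", while the hardened one returns true only when its own logic sets $giveaccess. The fix is not $_POST itself (a POST body is as easy to craft as a query string, as FreeDOS and Darth Coby note) but the habit it enforces: initialise every variable and read client input only from an explicit, named source.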
Sandy53215
Posted on 09-30-04 03:20 AM
So that's how people have been getting custom titles without having the requirements.... Right?
Cellar Dweller
Posted on 09-30-04 07:34 AM
Originally posted by Randy53215
So that's how people have been getting custom titles without having the requirements.... Right?

The users that had met the requirements before the database wipe were given custom titles by the admins.
Zem
Posted on 09-30-04 08:31 AM
Originally posted by Cellar Dweller
The users that had met the requirements before the database wipe were given custom titles by the admins.
*Those who asked for them.

As far as I know, there aren't any security holes on this board exploiting register_globals.
Darth Coby
Posted on 09-30-04 04:09 PM
Neither of the two is "secure".
The only real difference between $_GET and $_POST is that when you're using $_POST the data must actually be POSTed from a form in order to work, while with $_GET you can just give the variable a value using the URL; there's no need for a form.
Malow
Posted on 09-30-04 07:49 PM
Thank you very much! Now I $_GET it completely

For those who say it is not secure, well, in some cases it can be a lot more secure, like in frantik's example.

Thanks again!
Jesper
Posted on 09-30-04 11:59 PM
It should be noted that the inclusion of these arrays is not in any way new. PHP before 4.1 had $HTTP_POST_VARS, etc. They just renamed them so a) they'd be shorter and more convenient to type and b) to draw attention to not writing code that can be exploited, like the ipbanned example above.
Sandy53215
Posted on 10-01-04 12:55 AM
Originally posted by Cellar Dweller
Originally posted by Randy53215
So that's how people have been getting custom titles without having the requirements.... Right?

The users that had met the requirements before the database wipe were given custom titles by the admins.

I would have guessed that, but someone on the board gave me a custom title without being an admin. He is a regular member too.
© 2000-2005 Acmlm, Emuz, et al