No, you're wrong, I'm working with register_globals OFF.
What I tried to explain is what you retrieve after your form submission is a $_POST array.
I just do a foreach loop in it to retrieve the values.
I do additional checks to avoid problems with other variables, but then at the end I had $_POST['cloningView'], which was in the array that is extracted, and its value is put in the $cloningView variable.

Let's say the form hasn't been submitted, $_POST is empty, my check if ($cloningView) returns false (cloningView is not set, its value == false).
If I understand, I should test that to avoid a warning. But I have an error reporting level without warnings, so should I care about that? Is it just a "best practice"? You say it is to have safer code, but I don't see in which way?

Sorry if it's really obvious, but I really don't get it. For me as long as my test returns false when it has to it's ok, I don't see the security breach.....

From: anirudh dutt <[EMAIL PROTECTED]>
Reply-To: anirudh dutt <[EMAIL PROTECTED]>
To: mel list_php <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], php-db@lists.php.net
Subject: Re: [PHP-DB] onClick
Date: Tue, 1 Mar 2005 21:12:38 +0530

On Tue, 01 Mar 2005 14:11:22 +0000, mel list_php <[EMAIL PROTECTED]> wrote:
> Why do you think that checking the value ($cloningView=="View") is better?

no, i didn't say it was better but it does make a lil difference. i
also said, test the POST var. ur example makes it appear as though u
keep register_globals on.

$_POST['cloningView'] == 'View' would be the right way. i put an extra
'' in my previous mail. of course, if(isset($_POST['cloningView']))
should be before that.

also, as far as "has the form been submitted" test goes, check with
isset/is_null/etc. before comparing values, if u do that at all. this
is to avoid warnings/notices and generally write safer code.

> I just put something for it to be true but never paid attention to the exact
> string. I don't see the difference, if that POST variable exists it comes
> from my posted form so had that value.

that's fine too. except, when u know u're expecting POST vars, use
$_POST['cloningView'] in ur tests, not just $cloningView. in PHP 4 >=
4.2.10, PHP 5 - register_globals is OFF by default.
import_request_vars:  Although the prefix parameter is optional, you
will get an E_NOTICE level error if you specify no prefix, or specify
an empty string as a prefix. (from the manual).

> I just want my user to display
> something else when clicking on a button, so I don't care about the value
> itself.
> I suppose it's a security thing but I don't see it?

u've got the idea. and no, the value isn't important. it's only a
minor check which can be circumvented even if u had it in place.

as far as the onClick code is concerned, it doesn't really matter what
u put there, the page generation occurs at the server side so onClick
isn't in any position to offer u security or to make sure that ur
form's submit was used to generate the page. well, not unless u come
up with some really intricate algo.

Anirudh Dutt

...pilot of the storm who leaves no trace like thoughts inside a dream

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
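The check Anirudh describes, as an added example that is not code from either poster: the field is read from $_POST explicitly, isset() runs before the comparison, and the comparison is against the exact button value. The field name cloningView and the view names returned are taken from the thread; the function names and sample inputs are constructed for the example.

```php
<?php
// Added example, not code from the thread. Demonstrates the pattern the reply
// recommends: read the field from $_POST explicitly, test existence with
// isset() before comparing, and compare against the exact button value.
//
// The pattern being replaced looked like:
//     if ($cloningView) { ... }
// which only works when register_globals is ON (off by default since PHP 4.2)
// and, when OFF, raises an E_NOTICE for the undefined variable and silently
// evaluates to false. With register_globals ON the variable could also have
// been populated from the query string or a cookie rather than the form.

/** True when the form field arrived in the request at all. */
function formWasSubmitted(array $post)
{
    return isset($post['cloningView']);
}

/** Decide which view to render from the cloningView button (constructed helper). */
function resolveView(array $post)
{
    // isset() first, so an unsubmitted form never triggers a notice;
    // strict comparison so only the real button label selects the clone view.
    if (isset($post['cloningView']) && $post['cloningView'] === 'View') {
        return 'clone';
    }
    return 'default';
}

// Constructed stand-ins for $_POST. The last case is why the reply calls this
// a minor check: any client can send cloningView=View, so the comparison
// selects a view, it does not prove the request came from your form's button
// or its onClick handler. That decision has to stay on the server side.
$cases = array(
    'form not submitted' => array(),
    'button clicked'     => array('cloningView' => 'View'),
    'other value'        => array('cloningView' => 'something else'),
    'forged request'     => array('cloningView' => 'View'), // same as a click
);

foreach ($cases as $label => $post) {
    printf("%-20s submitted=%-3s view=%s\n",
        $label, formWasSubmitted($post) ? 'yes' : 'no', resolveView($post));
}
```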

