Re: [PHP] Problem with PHP_SELF

Mon, 03 Sep 2001 07:08:07 -0700 

<Original message>
From: David Otton <[EMAIL PROTECTED]>
Date: Mon, Sep 03, 2001 at 03:21:00PM -0700
Message-ID: <[EMAIL PROTECTED]>
Subject: Re: [PHP] Problem with PHP_SELF

> On Mon, 03 Sep 2001 15:11:04 -0700, you wrote:
> 
> Following up my own post (in case someone finds this in the archives):
> 
> >Is there any situation where such variables would be available to
> >phpinfo(), but not the rest of the script?
> 
> You can't see $PHP_SELF within a function until you declare it global.
> 
> This language really frustrates me sometimes...

</Original message>

<Reply>

It's not so frustrating if you configure it correct. If you set
register_globals, you can just use 'm everywhere. It's not something
you should do, though. You can better use $HTTP_SERVER_VARS[]. It's
(some) safer. For those you don't need to turn on the
register_globals. Just turning on track_vars will do then. And from
PHP 4.0.3 you don't even need to do that.

<Quote from PHP manual>
PHP variables

These variables are created by PHP itself. The $HTTP_*_VARS
variables are available only if the track_vars configuration is
turned on.  When enabled, the variables are always set, even if they
are empty arrays. This prevents a malicious user from spoofing these
variables.

Note: As of PHP 4.0.3, track_vars is always turned on, regardless of
the configuration file setting.

If the register_globals directive is set, then these variables will
also be made available in the global scope of the script; i.e.,
separate from the $HTTP_*_VARS arrays. This feature should be used
with care, and turned off if possible; while the $HTTP_*_VARS
variables are safe, the bare global equivalents can be overwritten
by user input, with possibly malicious intent. If you cannot turn
off register_globals, you must take whatever steps are necessary to
ensure that the data you are using is safe.
</Quote from PHP manual>

See: http://www.php.net/manual/en/language.variables.predefined.php

</Reply>

-- 

* R&zE:


-- »»»»»»»»»»»»»»»»»»»»»»»»
-- Renze Munnik
-- DataLink BV
--
-- E: [EMAIL PROTECTED]
-- W: +31 23 5326162
-- F: +31 23 5322144
-- M: +31 6 21811143
--
-- Stationsplein 82
-- 2011 LM  HAARLEM
-- Netherlands
--
-- http://www.datalink.nl
-- ««««««««««««««««««««««««

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to