You can do this with:

  extract($_REQUEST, EXTR_SKIP)

However, you are making some invalid assumptions here.  Script variables
get initialized after the request variables are automatically imported, so
this overwrite switch could not be a high-level php.ini switch.  You can
do it with a user-space level function like extract() because in this case
you can choose when to pull the request variables into your script.

I actually prefer doing the opposite.  Something like:

<?
    $name = $age = $gender = true;
    extract($_REQUEST, EXTR_IF_EXISTS);
?>

This fetches only the variables I have defined into the global symbol
table.

-Rasmus

 On Fri, 3 May 2002, Luis Ferro wrote:

> That would be easy to solve by just adding a non_overwrite flag to the
> vars and thrus forbid the vars from get/post to override vars in the
> varspace that come from programming and not from get/post...
>
> One would keep the global vars but would also have the security of the
> existing/declared vars be protected from overwrite (only get/post vars
> would be allowed to be overwriten between page initializations)...
>
> Cheers,
> Luis Ferro
>
> Matt Parlane wrote:
>
> >Posting the variables might solve the problem in this case, but remember
> >that this is just an example, and I'm sure any creative mind could come up
> >with a whole heap of ways you could exploit something like this.
> >
> >On the other hand though, you don't have to use it.  If you are confident
> >you can write an application without using the new superglobal arrays (and
> >it is conceivably possible), you can just turn register_globals on.  It's
> >just a choice which was made by the PHP developers (rightly so I believe).
> >
> >Matt
> >
> >"Then" <[EMAIL PROTECTED]> wrote in message
> >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> >
> >
> >>Hi
> >>
> >>At the cost of sounding dense...wouldn't POSTing the variables solve the
> >>problem. Then the user would not see them in the URL.
> >>
> >>
> >>[EMAIL PROTECTED] (Matt Parlane) wrote in
> >>[EMAIL PROTECTED]:">news:[EMAIL PROTECTED]:
> >>
> >>
> >>
> >>>Hi...
> >>>
> >>>The problem comes when you are mixing variables recieved from the HTTP
> >>>request, and your own user variables.  Consider the following code:
> >>>
> >>>function authenticate_user(){
> >>>  if($password == 'secret'){
> >>>    $authenticated = 'yes';
> >>>  }
> >>>  return $authenticated;
> >>>}
> >>>
> >>>If someone passes the variable authenticated=yes in the url request
> >>>string, the user will be authenticated no matter whether their password
> >>>matches or not.  This is obviously a simplified example, and I'd hope
> >>>that no programmer would ever do this, but things like have been known
> >>>to happen, and there have already been exploits for it.
> >>>
> >>>The logic behind the change is that it is really not much extra work to
> >>>type $_GET['something'] than just $something, and it is infinitely more
> >>>secure - so you should write your scripts using the $_REQUEST variables
> >>>whenever possible.
> >>>
> >>>Hope that helps...
> >>>
> >>>Matt
> >>>
> >>>"Then" <[EMAIL PROTECTED]> wrote in message
> >>>[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> >>>
> >>>
> >>>>Hi All
> >>>>
> >>>>I am a PHP newbie. I don't understand why global variables are turned
> >>>>off
> >>>>
> >>>>
> >>>by
> >>>
> >>>
> >>>>default in PHP4.2.0... something to do with security. Could some one
> >>>>
> >>>>
> >>>please
> >>>
> >>>
> >>>>help me understand how it's a security issue. Thanks
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>--
> >>Lots of Luck
> >>theN
> >>[EMAIL PROTECTED]
> >>
> >>
> >
> >
> >
> >
> >
>
>
>
>
> --
> PHP Windows Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>


-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to