PHP: GET-data automatically being declared as variables
Question
Take this code:
<?php
if (isset($_POST['action']) && !empty($_POST['action'])) {
    $action = $_POST['action'];
}
if ($action) {
    echo $action;
}
else {
    echo 'No variable';
}
?>
And then access the file with ?action=test. Is there any way of preventing $action from automatically being declared by the GET? Other than, of course, adding
&& !isset($_GET['action'])
Why would I want the variable to be declared for me?
Solution
Check your php.ini for the register_globals setting. It is probably on; you want it off.
Why would I want the variable to be declared for me?
You don't. It's a horrible security risk. It makes the Environment, GET, POST, Cookie and Server variables global (PHP manual). These are a handful of reserved variables in PHP.
OTHER TIPS
Looks like register_globals in your php.ini is the culprit. You should turn this off. It's also a huge security risk to have it on.
If you're on shared hosting and can't modify php.ini, you can use ini_set() to turn register_globals off.
Set register_globals to off, if I'm understanding your question. See http://us2.php.net/manual/en/language.variables.predefined.php
If you don't have access to the php.ini, an ini_set('register_globals', false) in the PHP script won't work (variables are already declared).
An .htaccess with:
php_flag register_globals Off
can sometimes help.
You can test whether all variables are declared properly by turning the PHP log-level in PHP.INI to
error_reporting = E_ALL
Your code snippet now should generate a NOTICE.
At some point in PHP's history they made the controversial decision to turn off register_globals by default as it was a huge security hazard. It gives anyone the potential to inject variables in your code, creating unthinkable consequences! This "feature" is even removed in php6.
If you notice that it's on, contact your administrator to turn it off.
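A hardened version of the question's script, as an added example that is not part of the original question or answers: it reads action only from $_POST into a variable that is always assigned, and logs when register_globals is still on. The helper names register_globals_enabled() and read_action() are hypothetical, and the syntax is kept compatible with older PHP releases where the setting can still exist.

```php
<?php
// Added example, not code from the original page.
// Report every notice, so any use of an unassigned variable becomes visible.
error_reporting(E_ALL);

// Hypothetical helper: true if this runtime copies request data into globals.
// ini_get() returns false when the directive does not exist, which casts to ''.
function register_globals_enabled()
{
    $value = strtolower((string) ini_get('register_globals'));
    return in_array($value, array('1', 'on', 'true', 'yes'), true);
}

// Hypothetical helper: take 'action' from the POST data only and always
// return a defined value, so nothing depends on a pre-declared variable.
function read_action(array $post)
{
    if (isset($post['action']) && is_string($post['action']) && $post['action'] !== '') {
        return $post['action'];
    }
    return null;
}

if (register_globals_enabled()) {
    // Surface the misconfiguration in the log instead of silently relying on it.
    error_log('register_globals is On; turn it off in php.ini or .htaccess');
}

// Unconditional assignment: a value injected through ?action=test is overwritten.
$action = read_action($_POST);

if ($action !== null) {
    // The value is request-controlled, so escape it before output.
    echo htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
} else {
    echo 'No variable';
}
```

Because $action is assigned on every code path, the script prints 'No variable' for a request carrying only ?action=test, whether or not register_globals is on.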