At my workplace, we have used a piece of code stored on a remote server to do our Clickbank searches. Now my boss has decided to move everything over to our servers and has given lucky (heh) me the job to do it.
Now, I always thought that a $_GET variable needs to be declared within the local scope: $var = $_GET['var']; but in this code, it seems that the original programmer has just inserted the line right in. He's using $var in the code without declaring it... how is that possible?
Upvotes: 0
Views: 153
Reputation: 14856
It's probably because the PHP setting register_globals is set. This means a $_GET['foo'] is automatically available as $foo in your code.
See more about it here: http://www.php.net/manual/en/ini.core.php#ini.register-globals
Basically this is a very big security hole and should be avoided. Additionally it's deprecated since 5.3 and will be removed in 5.4.
Upvotes: 0
Reputation: 6208
It sounds like register globals is turned on. Register globals scopes all request variables locally, so that would be possible. It's also a very insecure feature that has been deprecated in PHP since version 5.3.
I would strongly recommend turning register_globals off and declaring locally scoped variables manually so you can properly deal with sanitizing and filtering of incoming data.
More on register_globals and why it is a bad idea at the official PHP documentation: http://php.net/manual/en/security.globals.php
Upvotes: 4
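An added example of the explicit, locally scoped replacement the answers recommend (not code from the question or either answer): it refuses to run if register_globals is still on, then reads the request parameter by name and validates it before use. The parameter name `keyword` and the allowed character set are assumptions, since the original code's `$var` is not shown; the code sticks to PHP 5.3-era syntax to match the migration described.

```php
<?php
// Added example, not from the original post. Replaces a bare "$var" that only
// worked because register_globals injected request parameters into scope.

// 1. Detect register_globals (deprecated in 5.3, removed in 5.4) and refuse
//    to run under it. ini_get() returns false on builds without the directive.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals is enabled; refusing to run.');
}

// 2. Pull the parameter into local scope explicitly and validate it.
//    "keyword" is an assumed name; the page does not show the real one.
function clickbankKeyword(array $get)
{
    // The only source of data is the array passed in, so nothing outside
    // this function can predefine $keyword the way register_globals did.
    if (!isset($get['keyword']) || !is_string($get['keyword'])) {
        return null; // absent, or sent as an array (?keyword[]=x): reject
    }
    $keyword = trim($get['keyword']);

    // Allow-list the characters a search term may contain (assumed policy).
    if ($keyword === '' || strlen($keyword) > 64
        || !preg_match('/^[A-Za-z0-9 _-]+$/', $keyword)) {
        return null;
    }
    return $keyword;
}

$keyword = clickbankKeyword($_GET);
if ($keyword === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Missing or invalid keyword.');
}

// 3. Escape on output; the value stays untrusted even after validation.
echo 'Searching Clickbank for: '
    . htmlspecialchars($keyword, ENT_QUOTES, 'UTF-8');
```

Grepping the moved code for variables that are read before any assignment (or any `$_GET`/`$_POST`/`$_REQUEST` lookup) is a quick way to find every spot that still depends on register_globals.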