
Module 2B


Presentation Transcript


  1. Module 2B Receiving form Variables

  2. Register_Globals?
     • Since PHP 4.2.1, for security reasons, the default PHP configuration requires a different mechanism to receive input than the one just shown.
     • REGISTER_GLOBALS is a PHP configuration option that is turned OFF (the new default) or ON in the php.ini configuration file.
     • If your site has REGISTER_GLOBALS OFF, you must use a different mechanism to receive HTML form variables.

  3. How can you tell if Register_Globals is OFF?
     • Enter the following PHP script and run it.
     • <?PHP phpinfo(); ?>
     • Use m06/6-8checkPHPini.php
     • Search through the output for REGISTER_GLOBALS and see if it is set to OFF or ON.
     • If it is off, you may use the following ways to receive input data.

  4. Effects of register_globals
     • register_globals boolean
     • Tells whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables.
     • For example, if register_globals = on, the URL http://www.example.com/test.php?id=3 will produce $id. Likewise, $_SERVER['DOCUMENT_ROOT'] becomes $DOCUMENT_ROOT.
     • User data may clutter your PHP globals and even become a security risk.

  5. Why REGISTER_GLOBALS OFF?
     • Security

         <?php
         // define $authorized = true only if user is authenticated
         if (authenticated_user()) {
             $authorized = true;
         }

         /* Because we didn't first initialize $authorized as false, this might be
            defined through register_globals, like from GET auth.php?authorized=1
            So, anyone can be seen as authenticated! */
         if ($authorized) {
             include "/highly/sensitive/data.php";
         }
         ?>

  6. How do we get user variables?
     • As of PHP 4.2.0, this directive defaults to off
     • It's preferred to go through PHP Predefined Variables instead, such as the superglobals: $_ENV, $_GET, $_POST, $_COOKIE, and $_SERVER.
     • Read the security chapter on Using register_globals for related information
       http://us3.php.net/import_request_variables
       http://us3.php.net/manual/en/language.variables.external.php

  7. Getting input data with Register_Globals OFF? Method 1
     • To receive data with REGISTER_GLOBALS OFF you use a special variable called $_POST
     • $name = $_POST['name'];
         • $name: PHP variable name that you want to receive the HTML form input.
         • $_POST: PHP SuperGlobal. Technically it is an associative array.
         • 'name': Name of HTML form variable (no $). Enclose in square brackets and quotes (see next slide).

  8. Note on quotes around name
     • You may use single or double quotes around the name of the HTML form variable. The following are both acceptable:
     • $name = $_POST['name'];
     • $name = $_POST["name"];

  9. When REGISTER_GLOBALS is OFF
     • Suppose your HTML form uses the following:
     • Enter email address: <input type="text" size="16" maxlength="20" name="email">
     • Then you can receive input as follows:

         <html>
         <head><title> Receiving Input </title> </head>
         <body>
         <?php $email = $_POST['email']; // Note Single Quote
         $contact = $_POST['contact']; ?>
         <h2>Thank You: Got Your Input.</h2>
         <?php
         print ("<br>Your email address is $email");
         print ("<br> Contact preference is $contact");
         ?>
         </body>
         </html>

  10. A Full Example ...
      The previous code can be executed at
      http://cs346.cs.uwosh.edu/huen/m06/6-0form_global_off.htm and
      http://cs346.cs.uwosh.edu/huen/m06/6-0form_global_off.php
      and text at
      http://cs346.cs.uwosh.edu/huen/m06/6-0form_global_off.php.txt
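As an added example (not part of the original slides), one way to receive the slide 9 form fields from $_POST with server-side checks and escaped output. The helper names post_string and handle_form and the 20-character limit on contact are assumptions, and the sample submissions are constructed.

```php
<?php
// Added example: hypothetical helper names; field names match the slide 9 form.

// Read one POST field as a trimmed string. Returns null when the field is
// absent, is not a string (email[]=x arrives as an array), or is too long.
function post_string(array $post, string $name, int $maxLen): ?string {
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    $value = trim($post[$name]);
    return strlen($value) <= $maxLen ? $value : null;
}

function handle_form(array $post): string {
    // maxlength="20" in the form is only a browser hint, so re-check it here.
    $email   = post_string($post, 'email', 20);
    $contact = post_string($post, 'contact', 20);   // assumed limit
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '<p>Please enter a valid email address.</p>';
    }
    // Escape at output time so markup in the input is displayed as text.
    $e = fn(?string $s): string => htmlspecialchars($s ?? '', ENT_QUOTES, 'UTF-8');
    return '<br>Your email address is ' . $e($email)
         . '<br> Contact preference is ' . $e($contact);
}

// Constructed sample submissions; a real script would pass $_POST.
echo handle_form(['email' => 'pat@example.com', 'contact' => '<b>phone</b>']), "\n";
echo handle_form(['email' => ['x']]), "\n";
echo handle_form([]), "\n";
```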

  11. Method 2:
      • Recommended by PHP for importing GET/POST/Cookie variables into the global scope
      • Use the function bool import_request_variables ( string types [, string prefix])
      • The types parameter specifies which request variables to import: the characters 'G', 'P' and 'C' stand for GET, POST and Cookie respectively
      • Order matters. If types == "gp", POST variables overwrite GET variables

  12. Method 2: import_request_variables
      • bool import_request_variables ( string types [, string prefix])
      • The prefix parameter is used as a variable name prefix, prepended to the name of every variable imported into the global scope
      • So if you have a GET value named "userid", and provide a prefix "pref_", then you'll get a global variable named $pref_userid.
      • Reference: http://us3.php.net/import_request_variables

  13.
         <html>
         <head><title> Receiving Input </title> </head>
         <body>
         <font size=5>Thank You: Got Your Input.</font>
         <?php
         /* The following is recommended by php to handle GET/POST/Cookie
            variables into the global scope.
            Reference: http://us3.php.net/import_request_variables */
         import_request_variables("gp", "form27_");
         print ("<br>Your email address is $form27_email");
         print ("<br> Contact preference is $form27_contact");
         ?>
         </body>
         </html>

  14. Full Example The previous code can be executed at http://cs346.cs.uwosh.edu/huen/m06/6-0form_2nd_global.html and text at http://cs346.cs.uwosh.edu/huen/m06/6-0form_2nd_global.php.txt

  15. Third way
      • If the HTML form uses post
      • <form method = "post" action = "form.php">
      • Use in form.php
      • extract( $_POST );
      • Example:
      • Fig_23_12_13 of textbook
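An added example, not from the original slides, relating slide 5 to slide 15: a bare extract() on request data defines variables the same way register_globals did, while a prefixed import or an allow-list does not. import_request_variables() was removed in PHP 5.4, so the prefix import from slide 13 is shown with extract()'s EXTR_PREFIX_ALL flag; the request array, the authenticated_user() stub and read_fields() are constructed for illustration.

```php
<?php
// Constructed request data standing in for $_POST (not from the slides).
$post = ['email' => 'a@example.com', 'authorized' => '1'];

// Hypothetical stand-in for the slide's authenticated_user(): nobody is logged in.
function authenticated_user(): bool { return false; }

// 1. Bare extract() recreates the register_globals problem from slide 5:
//    $authorized is never initialized, so the request itself defines it.
function check_with_extract(array $post): bool {
    extract($post);                       // every key becomes a local variable
    if (authenticated_user()) { $authorized = true; }
    return !empty($authorized);           // tests the request-supplied value
}

// 2. Initialize first, then import under a prefix as slide 13 does.
//    EXTR_PREFIX_ALL creates $form27_email and $form27_authorized,
//    so the request can never define or overwrite $authorized.
function check_with_prefix(array $post): bool {
    $authorized = false;
    extract($post, EXTR_PREFIX_ALL, 'form27');
    if (authenticated_user()) { $authorized = true; }
    return $authorized;
}

// 3. Allow-list: copy only the fields the form is known to send.
function read_fields(array $post, array $allowed): array {
    $out = [];
    foreach ($allowed as $key) {
        $out[$key] = isset($post[$key]) && is_string($post[$key]) ? $post[$key] : null;
    }
    return $out;
}

var_dump(check_with_extract($post));
var_dump(check_with_prefix($post));
var_dump(read_fields($post, ['email', 'contact']));
```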

  16. Summary
      • PHP supports both numeric and string variables.
      • String variables use different methods for value manipulation (for example, concatenation) than numeric variables do.

  17. Summary
      • Use HTML forms to pass data to PHP scripts
      • HTML form elements include text boxes, text areas, password boxes, check boxes, radio buttons, and selection lists.
      • PHP scripts can receive form element input values by using a PHP variable name that matches the one specified in the form element’s name argument.
      • If REGISTER_GLOBALS is off in your installation you must get input data using $_POST["var_name"];
