url query problem - setup ?? newbie 

I've just installed PHP for the first time, and been learning as I go.

*.php files work fine, as does accessing MySQL.
But I am unable to pass variables using URL Query String.

The HTML works fine, but when I click on the link, I end up with

"Notice: Undefined variable: name in c:\webpages\wel.php on line 2"

If I assign a value to name in the PHP then that value appears.
Is this a setup problem, or am I doing this the wrong way?

TIA
Eric

Code below

HTML file starts
----
<A HREF="wel.php?name=kevin"> Kev click</a>
----
End HTML

PHP file starts (wel.php)
----
<?PHP
echo($name);
?>
----
End PHP



Mon, 27 Jun 2005 18:00:00 GMT  
It's probably a configuration 'problem'.

PHP now defaults to not extracting get/post variables as a security
precaution. You will find that $_GET['name'] will be set for you but
not $name.

I recommend you use the $_GET and $_POST arrays instead of changing
the configuration. It is much more secure and it also makes it much
more obvious where the contents of those variables come from. You
need to be careful what you do with external values as you have no
control over what the web browser or user has put in them.

I wish php had taint checking like perl. That would mark such variables
as 'tainted' and not allow you to perform dangerous actions such as
system calls using them.

Kevin Thorpe



Mon, 27 Jun 2005 18:08:46 GMT  

Quote:

> I've just installed PHP for the first time, and been learning as I go.

New versions of PHP need this: $_GET["name"] to access a variable from the URL.




Mon, 27 Jun 2005 18:03:27 GMT  
To clarify what I said in my previous post about dangerous variables.
If I have a php script to display someone's address:

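<?php # address.php

   # Value taken straight from the URL query string
   $name = $_GET['name'];

   # $name is placed into the query text unescaped
   # (this is the problem discussed below)
   $result = mysql_query("select address from addresses ".
                         "where name=\"$name\"");
   $row = mysql_fetch_assoc($result);
?>
<html>
<body>
<?=$row['address']?>
</body>
</html>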

This would be called via a URL similar to:
http://www.your.server.com/address.php?name=fred

The SQL query performed is:

select address from addresses where name="fred";

Now if I know that's what you are doing I can type into my browser (with
some fiddling of special characters):

http://www.your.server.com/address.php?name=fred" delete from addresses;

The SQL query then becomes:

select address from addresses where name="fred"; delete from addresses;

....and hey presto! all your addresses have vanished.

So be very careful what you do with $_GET and $_POST variables.

Kevin Thorpe



Mon, 27 Jun 2005 18:24:14 GMT  
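
As an added example (not part of the thread or any poster's code): the same address lookup written with a PDO prepared statement, so the `name` value from the URL is bound as data instead of being pasted into the SQL text. It assumes the pdo_sqlite extension and uses a constructed in-memory table; in address.php the `$name` argument would come from `$_GET['name']`.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Assumes the pdo_sqlite extension;
// the table contents below are constructed sample data.

function open_sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE addresses (name TEXT PRIMARY KEY, address TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO addresses (name, address) VALUES (?, ?)');
    $ins->execute(['fred', '1 Example Street']);
    $ins->execute(['kevin', '2 Sample Road']);
    return $db;
}

// The value travels as a bound parameter, so it is only ever compared
// against the name column and never parsed as SQL.
function lookup_address(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT address FROM addresses WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $address = $stmt->fetchColumn();
    return $address === false ? null : (string) $address;
}

function render(?string $address): string
{
    // Escape on output too: the stored address is also untrusted data.
    return $address === null
        ? 'No such name'
        : htmlspecialchars($address, ENT_QUOTES, 'UTF-8');
}

$db = open_sample_db();
// The second value is the query-string value shown in the post above.
$inputs = ['fred', 'fred" delete from addresses;'];
foreach ($inputs as $name) {
    echo render(lookup_address($db, $name)), "\n";
}
// Count the rows again after both lookups have run.
echo 'rows: ', $db->query('SELECT COUNT(*) FROM addresses')->fetchColumn(), "\n";
```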
 