#1
Article Discussion: Some PHP Guidelines to Live By...
Some PHP Guidelines to Live By... If you have any questions or comments about this article then please post them here.
You can read the article here.
#2
Yes, I have a question about this article. First of all, a very good article; thanks to the author.
Secondly, when you talk about sessions, I am kind of lost here, since Ben also made a session script for login/logout. I don't understand what exactly you mean by saying that using this line makes it more efficient: $_SESSION['username'] = $_POST['uname'];
__________________
Hungry for Code. Programming works best with a team over one single person.
#3
What I understand is, if you have many session variables, when you want to empty or blank out these variables you have to do it one by one for each variable in the old way:
unset($var1); unset($var2); ...
What if you forgot one of them? But the new way, with $_SESSION variables, you can empty the whole array without worrying that you forgot one of them, with just one line: $_SESSION = array(); or unset the whole array: unset($_SESSION); And it's good to avoid the confusion: is a var a session var, or a post var, or a get var? I read an article at another site that the new method is more secure... Correct me if I'm wrong.
John
Last edited by johnn : December 22nd, 2002 at 10:58 PM.
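The contrast John describes, as an added example that is not code from the article or from anyone in this thread: a piecemeal logout that unset()s variables one at a time beside a logout that empties the whole $_SESSION array in one line and then also destroys the server-side data and expires the cookie. It assumes the default cookie-based session handler; the function names and the sample login state are made up for illustration.

```php
<?php
// Added example, not code from the article or the thread: a logout that
// clears the whole session in one step, beside the unset()-one-at-a-time
// approach the post contrasts it with. Assumes the default cookie-based
// session handler; function names are made up for illustration.

declare(strict_types=1);

session_start();

// The old way: one unset() per variable. Forget one (here 'role') and it
// survives the logout.
function logout_piecemeal(): void
{
    unset($_SESSION['username']);
    unset($_SESSION['user_id']);
    // 'role' was forgotten, so it is still set when this returns.
}

// The way post #3 describes: empty the whole array in one line, then also
// destroy the server-side data and expire the cookie so the old session id
// cannot be presented again.
function logout_all(): void
{
    $_SESSION = [];

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed sample login state.
function seed_session(): void
{
    $_SESSION['username'] = 'alice';
    $_SESSION['user_id']  = 42;
    $_SESSION['role']     = 'admin';
}

seed_session();
logout_piecemeal();
$leftover = array_keys($_SESSION);      // whatever the piecemeal logout missed

seed_session();
logout_all();
$remaining = count($_SESSION);          // everything gone in one step

echo 'left behind by piecemeal logout: ', implode(', ', $leftover), "\n";
echo 'variables left after full logout: ', $remaining, "\n";
```

Emptying the array is the part the post is about; the cookie expiry and session_destroy() are what keep a copied session id from being replayed after logout, and they are the step most home-grown logout scripts leave out.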
#4
Have you done any speed tests for this article? I remember someone on another forum did one for the ' and ", and found that you would have to use 10,000 instances of ' and " for it to even make a difference.
#5
Several errors in this article:
While using single quotes is a good thing, doing PHP Code:
isn't good either. PHP has to concatenate the two strings together first, then print it out. Rather: PHP Code:
works just as well. Instead of a dot, it uses a comma. echo can accept a variable number of parameters, so it still prints everything out, and is faster (not by much, but every little bit helps).
There is also the contention that register_globals equalling off is more secure. That is false. This: PHP Code:
is no more secure than this: PHP Code:
Using the $_POST or $_GET arrays (or their brethren) isn't going to make your script more secure. They simply make it easier to make your script more secure.
There is also the contention that mysql_fetch_array() returns two arrays. This is also false. A simple look in the PHP manual will tell you otherwise. The author really does need to research a bit rather than make assumptions.
#6
Again, the advantage of not using string concatenation is minimal. With 10,000 concatenations versus using echo with a comma, you save about 3 ms.
Not exactly a huge advantage.
Hadley
#7
Quote:
Yes, as I mentioned in my post.
#8
Quote:
Well, no - wrong. Take this for example: with register_globals on, any user can change all of these variables: $_GET, $_POST, $_COOKIE, $_SESSION, all with a simple query added to the URL. So, if your script is using $_SESSION['user'] as a variable for a user name, anyone can simply type 'domain.com/script.php?user=new_user_name' in the address box and simply change $_SESSION['user'] to whatever they want (that is why it is called register_globals). All of the following variables:
$_GET['user']
$_POST['user']
$_COOKIE['user']
$_SESSION['user']
will be treated as $user and thus can be changed by the user using a simple query. With register_globals turned off you can't change $_SESSION, $_COOKIE or $_POST through a GET string; you can only change the $_GET variable. So, register_globals turned off is very much more secure, and turning it off by default in the ini is something that PHP should have done a long time ago.
Another thing with register_globals being 'on' (in response to johnn's post) is the misleading documentation that is posted on php.net. To unset() a $_SESSION['variable'] with register_globals turned on, you must unset() the global as well:
unset( $_SESSION['variable'] );
The above will not work with register_globals turned on (it will only work for the running script and not others).
unset( $_SESSION['variable'], $variable );
The above will work with register_globals on.
unset( $_SESSION['variable'] );
The above will work with register_globals off.
__________________
~ Joe Penn
Last edited by jpenn : December 28th, 2002 at 05:45 PM.
#9
Quote:
No, again, this is a myth. I am not contesting whether register_globals should or should not have been turned off. Frankly, it doesn't matter to me; I write code with the consideration that it will be turned off. Your contention that it's more secure because I can no longer change values for sessions is somewhat correct. The problem is that most of the security problems that occurred with register_globals on are poor programming from the beginning. My contention, "simply switching from register_globals on to off would not increase security", is true. Heck, even Rasmus agrees with that sentiment. What register_globals on does is hopefully force the programmer to be more aware of what they are doing.
Also, in the context of this article, it doesn't show in any way how register_globals off should be used. In fact, in the context of this article, it's used in exactly the same dangerous manner as was a problem before turning rg off. Code:
$_SESSION['username'] = $_POST['uname'];
That doesn't enhance security in any way. And if you tell me you can't fake a $_POST value, then you need to rethink your security measures. A POST value is the same thing as a GET, except your average Joe doesn't know how to change it. register_globals off is a good thing, IMO; however, the contention of too many writers that it's the holy grail of PHP security is false sentiment.
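The two sides of the argument in posts #8 and #9, as an added example that is not code from the article or from either poster. register_globals was removed in PHP 5.4, so its "on" behaviour is emulated with extract() over the request arrays, which is roughly what the setting did. Beside it sit the article's unvalidated $_SESSION['username'] = $_POST['uname'] pattern and a version that actually validates the value before it reaches the session. Every function name, the credential table and the request data are constructed for illustration.

```php
<?php
// Added example, not from the article or the thread. register_globals was
// removed in PHP 5.4, so its "on" behaviour is emulated here with extract()
// over the request arrays, which is roughly what the setting did for you.
// All function names, the credential table and the request data are
// constructed for illustration.

declare(strict_types=1);

// --- register_globals on (emulated) ---------------------------------------
// The classic hole: a flag that is only ever set on the success path.
function admin_page_rg_on(array $get, array $post, bool $loggedIn): string
{
    extract($get);   // every request key becomes a local variable,
    extract($post);  // whether the script expected it or not

    if ($loggedIn) {
        $authorized = true;
    }
    // On the failure path $authorized was never initialised, so whatever the
    // query string supplied decides the outcome.
    if (!empty($authorized)) {
        return 'admin page shown to ' . ($user ?? 'nobody');
    }
    return 'denied';
}

// --- register_globals off, but the article's pattern -----------------------
// $_SESSION['username'] = $_POST['uname'] with no check in between: the
// value is no longer injectable by variable name, but it is still whatever
// the client chose to send, and a POST body is as easy to forge as a query.
function session_username_unvalidated(array $post): ?string
{
    return $post['uname'] ?? null;
}

// --- register_globals off and the value actually validated -----------------
function session_username_validated(array $post, array $users): ?string
{
    $uname = $post['uname'] ?? '';
    $pass  = $post['password'] ?? '';

    // Whitelist the shape of the name before it is used anywhere.
    if (!preg_match('/^[a-z][a-z0-9_]{2,31}$/', $uname)) {
        return null;
    }
    // Bind the name to a credential check; the session stores the result of
    // authentication, never the raw form field.
    if (!isset($users[$uname]) || !password_verify($pass, $users[$uname])) {
        return null;
    }
    return $uname;
}

// Constructed sample data: an attacker's ?authorized=1&user=admin query and
// a one-user credential table hashed at startup.
$attackerGet = ['authorized' => '1', 'user' => 'admin'];
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

echo 'rg on, not logged in:   ', admin_page_rg_on($attackerGet, [], false), "\n";
echo 'unvalidated $_POST:     ', var_export(session_username_unvalidated(['uname' => '<script>alert(1)</script>']), true), "\n";
echo 'validated, wrong user:  ', var_export(session_username_validated(['uname' => 'admin', 'password' => 'x'], $users), true), "\n";
echo 'validated, right creds: ', var_export(session_username_validated(['uname' => 'alice', 'password' => 'correct horse battery staple'], $users), true), "\n";
```

The first function is the hole register_globals off closes: the request can no longer create or overwrite a variable the script forgot to initialise. The second shows why post #9 is also right that this alone is not a security measure: copying $_POST['uname'] straight into the session trusts the client just as much as $user did. Only the third function lets anything into the session that the script itself established.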
#10
Hi, I just read your article and found it really great, and one point really interests me. That is the one about jumping in and out of PHP code to do HTML.
I have been trying to do this to display a pic and my bro decided to help (wasn't he nice) and we got it working this way: PHP Code:
I want to do it this way (especially after reading your article) but can't get it to work for some reason: PHP Code:
Any hints would be appreciated, including directions to a tutorial on this, as this is really the only relevant info I have found on this and I can't find anything that will explain to me why mine won't work. Thanks for your time,
Gerbill
#11
Hi Gerbill,
The space that you put after the <?php causes the problem. <?= has a special meaning. Not sure if <?php= would work, but I would think so... Try:
<img src="images/<?=$pic?>.jpg">
#12
Thanks for the input. I have tried this and right now it doesn't work. Not sure why... I have tried quite a few versions of that (using echo and print) and nothing seems to work. Thanks for the input though, as it should work.
Gerbill
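The "jumping in and out of PHP" that posts #10 and #11 are trying to get right, as an added example that is not code from the article or from either poster. It shows the full <?php echo ... ?> form and the <?= ... ?> short echo tag side by side, with the quotes belonging to the HTML attribute rather than wrapped around the tag, and it escapes the value first, because a file name that comes from the request can otherwise break out of the attribute. $pic is the variable name from post #10; its value here is constructed sample input, and the escaping helper is an assumed name.

```php
<?php
// Added example, not code from the article or the thread. Shows the two ways
// of dropping a PHP value into HTML (the full tag and the <?= short echo tag)
// and why the value must be escaped first. $pic is the variable name from
// post #10; its value is constructed sample input (an attacker-controlled
// file name, e.g. from $_GET['pic']) and h() is an assumed helper name.

declare(strict_types=1);

$pic = 'cat" onerror="alert(1)';

// Escape for an HTML attribute context. ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>
<!-- Full tag form: works regardless of the short_open_tag setting. -->
<img src="images/<?php echo h($pic); ?>.jpg">

<!-- Short echo tag: always available since PHP 5.4, regardless of
     short_open_tag. No extra quotes around the tag; the quotes are the
     attribute's own. -->
<img src="images/<?= h($pic) ?>.jpg">

<!-- Unescaped, for comparison: the value closes the src attribute early and
     adds an event handler of the attacker's choosing. -->
<img src="images/<?= $pic ?>.jpg">
```

Run it with php on the command line and compare the three img lines: the first two render the hostile file name as inert text inside the attribute, the third is the markup an attacker wanted. On a PHP older than 5.4 with short_open_tag off, the <?= lines are emitted verbatim instead of being executed, which is the most common reason the short form "doesn't work" while the echo form does.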