main.php?var=newsub


prudens


<?php
// Read the two query-string parameters from the request
$type = $_GET['type'];
$id   = $_GET['id'];

// Comparison must use ==, not a single = (which would assign "aaa" to $type)
if ($type == "aaa")
{
    echo "Yes!";
}
elseif ($type == "ddd")
{
    echo "none";
}

You had a single =, which means if $type has been successfully set to "aaa" then echo Yes! What you wanted is if $type is already equal to aaa, by using ==.

By strip I mean if you are planning to echo back a variable from POST or GET then make sure you remove unsafe characters which can be used for injection and cross-site linking.

Regards

Liam

https://forums.phpfreaks.com/topic/94015-mainphpvarnewsub/#findComment-481646

addslashes() is a start, as this will add backslashes to ' and ", therefore stopping people from ending one element and starting another.

It all depends on what you're doing with the variables and also how secure your site needs to be.

For example, I display status messages using switch:

<?php
// Only fixed, server-side strings are ever printed; the raw parameter is never echoed
switch ($_GET['status']) {
    case 1:
        echo 'Permissions denied';
        break;
    case 2:
        echo 'You are now logged in';
        break;
}

This means that I'm never actually echoing the variable back, and therefore no one can add extra code by something like the following.

 

http://somesite.com/login.php?status=<iframe src ="www.phpfreaks.com" width="100%"></iframe>

 

echo $status;

Hope this makes sense.

Regards

Liam

https://forums.phpfreaks.com/topic/94015-mainphpvarnewsub/#findComment-481662
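The three approaches discussed in this thread side by side, as an added example that is not Liam's or the original poster's code: the unsafe reflection of `status`, the switch-style whitelist generalised to a lookup table, and HTML output encoding with htmlspecialchars() for the case where a free-text value really has to be echoed (addslashes() only escapes quotes and backslashes, so it is not an HTML-output defence). The function names, the STATUS_MESSAGES table and the sample requests are assumptions constructed for this example.

```php
<?php
// Added example (not from the original thread): handling ?status=... from login.php.

// 1. Unsafe: reflects the raw query parameter into the page, so a link carrying
//    status=<iframe src="..."> injects markup straight into the response.
function status_unsafe(array $get): string
{
    $v = $get['status'] ?? '';
    return is_string($v) ? $v : '';
}

// 2. Whitelist: same idea as the switch in the post above, as a lookup table.
//    Only our own fixed strings reach the browser; unknown keys map to ''.
const STATUS_MESSAGES = [
    1 => 'Permissions denied',
    2 => 'You are now logged in',
];

function status_whitelist(array $get): string
{
    $key = $get['status'] ?? null;
    // ctype_digit rejects '', '1<iframe>' and arrays before the lookup happens
    if (!is_string($key) || !ctype_digit($key)) {
        return '';
    }
    return STATUS_MESSAGES[(int) $key] ?? '';
}

// 3. Output encoding: when a free-text value must be echoed, encode it for the
//    HTML context. addslashes() leaves < and > untouched, so it does not help here.
function status_encoded(array $get): string
{
    $v = $get['status'] ?? '';
    return htmlspecialchars(is_string($v) ? $v : '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests: one benign, one carrying the payload from the post.
$requests = [
    ['status' => '2'],
    ['status' => '<iframe src="www.phpfreaks.com" width="100%"></iframe>'],
];

foreach ($requests as $get) {
    echo "unsafe:    ", status_unsafe($get), "\n";
    echo "whitelist: ", status_whitelist($get), "\n";
    echo "encoded:   ", status_encoded($get), "\n\n";
}
```

Run it from the command line to see that only the first function ever emits the iframe tag; the whitelist prints nothing for it and the encoded form prints `&lt;iframe ...&gt;`, which the browser renders as text.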
