Receiving values from client

Module 2B
Receiving form Variables
Register_Globals?

Since PHP 4.2.1, the default PHP configuration requires a different mechanism to receive input (than the one just shown), for security reasons.
A PHP configuration option in the php.ini configuration file turns REGISTER_GLOBALS OFF (the new default) or ON.
If your site has REGISTER_GLOBALS OFF, you must use a different mechanism to receive HTML form variables.

How can you tell if Register_Globals is OFF?

Enter the following PHP script and run it:

<?php phpinfo(); ?>

Use m06/6-8checkPHPini.php.
Search through the output for REGISTER_GLOBALS and see if it is set to OFF or ON.
If it is OFF, you may use the following ways to receive input data.

Effects of register_globals

register_globals boolean

Tells whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables.
For example, if register_globals = on, the URL http://www.example.com/test.php?id=3 will produce $id. Likewise, $DOCUMENT_ROOT is produced from $_SERVER['DOCUMENT_ROOT'].
User data may clutter your PHP globals and even become a security risk.

Why REGISTER_GLOBALS OFF?

Security
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) { $authorized = true; }
/* Because we didn't first initialize $authorized as false, this
might be defined through register_globals, like from GET
auth.php?authorized=1. So, anyone can be seen as
authenticated!
*/
if ($authorized) { include "/highly/sensitive/data.php"; }
?>
How do we get user variables?

As of PHP 4.2.0, this directive defaults to off.
It's preferred to go through PHP Predefined Variables instead, such as the superglobals: $_ENV, $_GET, $_POST, $_COOKIE, and $_SERVER.
Read the security chapter on Using register_globals for related information:
http://us3.php.net/import_request_variables
http://us3.php.net/manual/en/language.variables.external.php

Getting input data with Register_Globals OFF? Method 1

To receive data with REGISTER_GLOBALS OFF, you use a special variable called $_POST:

$name = $_POST['name'];

$name: the PHP variable name that you want to receive the HTML form input.
$_POST: a PHP superglobal. Technically it is an associative array.
'name': the name of the HTML form variable (no $). Enclose it in square brackets and quotes (see next slide).

Note on quotes around name

You may use single or double quotes around the name of the HTML form variable. The following are both acceptable:

$name = $_POST['name'];
$name = $_POST["name"];

When REGISTER_GLOBALS is OFF

Suppose your HTML form uses the following:

Enter email address: <input type="text" size="16" maxlength="20" name="email">

Then you can receive input as follows:

<html>
<head><title> Receiving Input </title> </head>
<body>
<?php $email = $_POST['email']; // Note single quote
$contact = $_POST['contact']; ?>
<h2>Thank You: Got Your Input.</h2>
<?php
// Escape the submitted values before echoing them into the page
print ("<br>Your email address is " . htmlspecialchars($email));
print ("<br> Contact preference is " . htmlspecialchars($contact));
?>
</body>
</html>

A Full Example ...

The previous code can be executed at
http://cs346.cs.uwosh.edu/huen/m06/6-0form_global_off.htm and
http://cs346.cs.uwosh.edu/huen/m06/6-0form_global_off.php
and the text is at
http://cs346.cs.uwosh.edu/huen/m06/6-0form_global_off.php.txt
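
Reading $_POST directly removes the register_globals problem, but the values are still whatever the client chose to send: a field can be missing, can arrive as an array, and can ignore the form's maxlength. The following is an added example (PHP 7 or later), not code from the slides; it uses the slide's field names email and contact, and the allowed contact values are an assumption.

```php
<?php
// Added example, not from the slides. Field names follow the slide's form;
// the allowed contact values are an assumption.

/** Validate a $_POST-style array; returns the cleaned values plus failed field names. */
function receive_form(array $post): array
{
    // A field can be missing or arrive as an array (email[]=...), so test before use.
    $email   = isset($post['email'])   && is_string($post['email'])   ? trim($post['email'])   : '';
    $contact = isset($post['contact']) && is_string($post['contact']) ? trim($post['contact']) : '';
    $errors  = [];

    // maxlength="20" is only enforced by the browser; repeat the check server-side.
    if ($email === '' || strlen($email) > 20
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // Allow-list for the contact preference (assumed values).
    if (!in_array($contact, ['email', 'phone', 'mail'], true)) {
        $errors[] = 'contact';
    }
    return ['email' => $email, 'contact' => $contact, 'errors' => $errors];
}

/** Escape a value for HTML output. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed submissions standing in for $_POST.
$samples = [
    ['email' => 'ann@example.com', 'contact' => 'phone'],
    ['email' => 'ann@example.com<i>', 'contact' => 'phone'],
    ['email' => ['a', 'b'], 'contact' => 'fax'],
    [],
];
foreach ($samples as $post) {
    $in = receive_form($post);
    if ($in['errors']) {
        print "Rejected fields: " . h(implode(', ', $in['errors'])) . "\n";
    } else {
        print "Your email address is " . h($in['email']) . "\n";
        print "Contact preference is " . h($in['contact']) . "\n";
    }
}
```
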
Method 2:

Recommended by PHP to import GET/POST/Cookie variables into the global scope.
Use the function

bool import_request_variables ( string types [, string prefix])

The types parameter specifies which request variables to import: the 'G', 'P' and 'C' characters stand for GET, POST and Cookie respectively.
Order matters. If types == "gp", POST variables overwrite GET variables.

Method 2: import_request_variables

bool import_request_variables ( string types [, string prefix])

The prefix parameter is used as a variable name prefix, prepended to the names of all variables imported into the global scope.
So if you have a GET value named "userid" and provide the prefix "pref_", you'll get a global variable named $pref_userid.

Reference: http://us3.php.net/import_request_variables

<html>
<head><title> Receiving Input </title> </head>
<body>
<font size=5>Thank You: Got Your Input.</font>
<?php
/* The following is recommended by PHP to import GET/POST/Cookie
variables into the global scope.
Reference: http://us3.php.net/import_request_variables
*/
import_request_variables("gp", "form27_");
// Escape the imported values before echoing them into the page
print ("<br>Your email address is " . htmlspecialchars($form27_email));
print ("<br> Contact preference is " . htmlspecialchars($form27_contact));
?>
</body>
</html>

Full Example

The previous code can be executed at
http://cs346.cs.uwosh.edu/huen/m06/6-0form_2nd_global.html
and the text is at
http://cs346.cs.uwosh.edu/huen/m06/6-0form_2nd_global.php.txt

Third way

If the HTML form uses post:

<form method = "post" action = "form.php">

use the following in form.php:

extract( $_POST );

Example: Fig_23_12_13 of textbook
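
extract( $_POST ) with its default flags copies every request field into the current scope and overwrites variables that already exist. That recreates the uninitialised $authorized problem from the "Why REGISTER_GLOBALS OFF?" slide, and since register_globals and import_request_variables() were both removed in PHP 5.4.0, extract() is where the pattern survives. The following is an added example (PHP 7 or later), not code from the slides or the textbook: it puts the unsafe call beside a prefixed import and an explicit field list. is_authenticated() is a hypothetical stand-in for the slide's authenticated_user(), and the request array is constructed.

```php
<?php
// Added example, not from the slides. is_authenticated() is a hypothetical
// stand-in for authenticated_user(); $request stands in for $_POST.

function is_authenticated(): bool
{
    return false; // nobody is logged in during this demonstration
}

/** Unsafe: with default flags, request keys become (and overwrite) local variables. */
function check_with_plain_extract(array $request): bool
{
    extract($request);              // same effect as register_globals = on
    if (is_authenticated()) {
        $authorized = true;
    }
    return !empty($authorized);     // never initialised, so request data can set it
}

/** Safer: initialise first, then import request keys under a prefix so none can collide. */
function check_with_prefixed_extract(array $request): bool
{
    $authorized = false;
    extract($request, EXTR_PREFIX_ALL, 'form'); // creates $form_email, $form_authorized
    if (is_authenticated()) {
        $authorized = true;
    }
    return $authorized;
}

/** Safest: keep only the fields the script expects and ignore everything else. */
function pick_expected(array $request, array $expected): array
{
    return array_intersect_key($request, array_flip($expected));
}

// Constructed request: the form's own field plus one the form never defined.
$request = ['email' => 'ann@example.com', 'authorized' => '1'];

var_dump(check_with_plain_extract($request));
var_dump(check_with_prefixed_extract($request));
var_dump(pick_expected($request, ['email', 'contact']));
```
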
Summary

PHP supports both numeric and string variables.
String variables use different methods for value manipulation (for example, concatenation) than numeric variables do.

Summary

Use HTML forms to pass data to PHP scripts.
HTML form elements include text boxes, text areas, password boxes, check boxes, radio buttons, and selection lists.
PHP scripts can receive form element input values by using a PHP variable name that matches the one specified in the form element's name argument.
If REGISTER_GLOBALS is off in your installation you must get input data using $_POST["var_name"];