3

I am designing a new website for my company and I am trying to implement switch navigation which is what I have used on all my sites in the past.

<?php
switch($x) {

default:
include("inc/main.php");
break;

case "products":
include("inc/products.php");
break;

}
?>

For some reason when I go to index.php?x=products nothing happens, it still displays inc/main.php, in other words it hasn't detected the X variable from the URL. Is this something to do with global variables?

zuk1
  • If it's a big site, you should consider using a framework such as CodeIgniter - it will do a lot of this kind of work for you. Don't reinvent the wheel, as they say :) –  Nov 03 '08 at 11:42

4 Answers

16

Yes, your PHP configuration has correctly got register_globals turned off, because that's incredibly insecure.

Just put:

$x = $_REQUEST['x'];

at the top of your script.

You can also use $_GET if you specifically only want this to work for the GET HTTP method. I've seen some people claim that $_REQUEST is somehow insecure, but no evidence to back that up.

Alnitak
  • It is better to use $_GET and not $_REQUEST ... $_REQUEST isn't as bad as register_globals but it still gives a bad smell. He knows he's using a URL var and presumably doesn't want cookies or POST parameters changing his view mode, so he should use $_GET, not $_REQUEST. – joelhardi Nov 03 '08 at 11:46
  • I have also heard it is insecure, but then I thought that why has nearly every webserver or hosting package I have ever paid for had it turned on? – zuk1 Nov 03 '08 at 11:46
  • To be more specific than "bad smell" (hate SO comment character limit), $_REQUEST is subject to XSS attacks, since cookies can be set client-side. – joelhardi Nov 03 '08 at 11:50
  • Interesting - I had forgotten that $_REQUEST also includes cookies. However in this instance I don't see any risk. – Alnitak Nov 03 '08 at 11:54
  • @zuk1, it was enabled by default in PHP4, and lots of (bad) apps depended on it being turned on. PHP5 changed to off by default, but some hosts turn it back on for compatibility with the (bad) apps. Easier for them to do that than deal with customers like you asking them why my apps stopped working. – joelhardi Nov 03 '08 at 11:54
  • @Alnitak, OK, I dug up a talk that explains all sorts of $_REQUEST attacks more eloquently than I. :) http://www.slideshare.net/ZendCon/lesser-known-security-problems-in-php-applications-presentation – joelhardi Nov 03 '08 at 12:06
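
The $_GET versus $_REQUEST point from the answer and comments above, as an added example that is not part of the original posts: the page key is read from the query string only and mapped through an allowlist before anything is included. The helper names `resolve_page()` and `model_request()` are hypothetical, the inputs are constructed, and PHP 7 or later is assumed; the page keys and `inc/` paths are the ones from the question.

```php
<?php
// Added example: hypothetical helpers; page keys and inc/ paths come from the question.

// Allowlist: the only files index.php will ever include.
const PAGES = [
    'main'     => 'inc/main.php',
    'products' => 'inc/products.php',
];

// Map a query-string array to an include path; anything unexpected falls back to main.
function resolve_page(array $query): string
{
    $x = $query['x'] ?? 'main';
    // index.php?x[]=products delivers an array, not a string; treat it as invalid.
    if (!is_string($x) || !array_key_exists($x, PAGES)) {
        return PAGES['main'];
    }
    return PAGES[$x];
}

// Model of how $_REQUEST is assembled when request_order is "GPC":
// later sources overwrite earlier ones, so a cookie named x beats ?x=.
function model_request(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// Constructed inputs standing in for $_GET, $_POST and $_COOKIE.
$get    = ['x' => 'products'];
$post   = [];
$cookie = ['x' => 'main'];

// Query string only: the URL decides the page.
echo resolve_page($get), "\n";
// Merged view: the cookie silently overrides the URL parameter.
echo resolve_page(model_request($get, $post, $cookie)), "\n";
// Unknown key, array value and missing key all fall back to the default page.
echo resolve_page(['x' => 'unknown-page']), "\n";
echo resolve_page(['x' => ['products']]), "\n";
echo resolve_page([]), "\n";

// In index.php the call would be: include resolve_page($_GET);
```

Run from the command line, the first two lines of output differ even though the URL is the same, which is the behaviour the comments describe: with $_REQUEST, a cookie or POST field can change the view that the URL asked for.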
5

It seems like your previous webhosts all used register_globals and your code relies on that. This is a dangerous setting and was rightfully removed in PHP 6.0! Use switch($_GET['x']) { instead.

hangy
1

You should use $_GET to read out these variables. There is a deprecated function called register_globals, but I would definitely not advise to use this, as it is a potential security risk.

Aron Rotteveel
0

You can use http://php.net/manual/es/function.extract.php to extract the variables if you want to do it, but keep in mind this lets any user set variables with the content they want in your script, which makes it as insecure as using register_globals.

rafa