2

I've tried to look for an answer to this, but none of the other articles seem to answer it as clearly for me.

I have made a lot of code where there are string variables that are being used when users jump from page to page and they are being used after setting a `global $string;` type deal.

What are some of the better solutions to pass a variable to be used on another page in terms of being most secure?

Is using global $strings a bad thing?

Ozair Kafray
Kalcoder

1 Answer

2

Globals themselves won't allow you to keep variable values from page to page.

For that, you have to use a session mechanism (e.g. with $_SESSION PHP magic array).

For security & sessions, see:

Community
Maxime Pacary
  • What if for example though on one page I have `$string = "a";` and then later on the same page I go `include("anotherpage.php");` and on anotherpage.php I go `global $string;` ..... Is there any risk there? Is there a better way to pass the value through? My only concern is I have about 4 or 5 variables I pass on from page to page; is session ideal for that if there are multiple values? – Kalcoder Jul 02 '12 at 15:44
  • It's difficult to understand your concern: do you want to keep data across page loadings (several HTTP requests) or simply have access to a variable from your main PHP script in an 'included' script? – Maxime Pacary Jul 02 '12 at 16:21
  • Recently I have been going through what I have already coded and I am looking for any holes in security, that is to say, any way a hacker could compromise any data. Seems to be the consensus not to trust anything from a user, validate it, scrub the data, filter it etc. My concern is if I have a string I am calling globally such as `global $string;` from a new page, is there any way a hacker could compromise and exploit this in some way, change the string to something else in mid swing when a user jumps to a new page that refers to a `global $string`? – Kalcoder Jul 02 '12 at 16:25
  • Thanks for your clarification. My answer: it depends on many things, but basically you are on the right way (never trust user input). Think about everything that could allow unwanted user output introduction, particularly the `register_globals` PHP setting (see http://www.php.net/manual/fr/ini.core.php#ini.register-globals); so dangerous that it has been purely *removed* from PHP 5.4. – Maxime Pacary Jul 02 '12 at 19:38
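
An added example, not part of the original thread: carrying several values between requests in one `$_SESSION` array, filled only from an allow-list of validated keys, so that an unexpected request key never becomes a variable the way it did under `register_globals`. The key names (`wizard`, `step`, `lang`) and the sample request are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: key names and the sample request are constructed.

/** Keep only the expected keys, each checked against its own rule. */
function validate_input(array $request): array
{
    $clean = [];
    $step = filter_var($request['step'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if ($step !== false) {
        $clean['step'] = $step;
    }
    $lang = $request['lang'] ?? null;
    if (is_string($lang) && in_array($lang, ['en', 'fr', 'de'], true)) {
        $clean['lang'] = $lang;
    }
    return $clean; // unknown keys such as 'is_admin' are dropped here
}

/** First page: store the validated values server-side in one array. */
function remember(array $request): void
{
    $_SESSION['wizard'] = validate_input($request) + ($_SESSION['wizard'] ?? []);
}

/** Later page (a new HTTP request): read them back with explicit defaults. */
function recall(): array
{
    return ($_SESSION['wizard'] ?? []) + ['step' => 1, 'lang' => 'en'];
}

if (PHP_SAPI === 'cli') {
    $_SESSION = [];      // stand-in so the file also runs from the command line
} else {
    session_start();     // web: must run before any output is sent
}

// Constructed request: a valid step, an unsupported language and a key the
// application never asked for (what register_globals would have turned
// into a global $is_admin).
remember(['step' => '3', 'lang' => 'xx', 'is_admin' => '1']);

foreach (recall() as $name => $value) {
    // Escape on output, even for values that passed validation.
    echo htmlspecialchars("$name=$value", ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

In a real application `remember($_POST)` would run on the page that receives the form and `recall()` on any later page; only the session ID travels with the browser, while the stored values stay on the server.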