PHP Variables



TheSpaceDude
March 29th, 2001, 04:20
Is there a way to make it so a user can not define a variable from the query string in php4? (mainly $PHPSESSID)

eg. loading http://www.domain.com/index.php?PHPSESSID=123123 would not define PHPSESSID as 123123.

Thanks in advance for the help :)

Woofcat
March 29th, 2001, 08:28
Turn off register_globals...

TheSpaceDude
March 29th, 2001, 09:16
That would disable ALL variables passed through the query string wouldn't it? I need to be able to specify certain variables, and limit others... Know of any way of doing this?

Thanks!

Woofcat
March 29th, 2001, 11:52
You mean the session id? Isn't that stored in the constant SID? There are multiple ways to access most values...

TheSpaceDude
March 29th, 2001, 15:36
OK, what I am trying to do is have a URL like this:

http://www.domain.com/index.php?cmd=displayarticle&articleid=153

I want to be able to change the article id, and cmd from the query string, but do NOT want the user to be able to assign the $PHPSESSID variable like this:

http://www.domain.com/index.php?cmd=displayarticle&articleid=153&PHPSESSID=11ect

With my current script, when you load up the page, you can define any PHPSESSID you want so long as you put it in the query string the first time the page is loaded. (I can post the code here if needed)

How would I keep this from happening? (if that made any sense?) ;)

Niaad
March 29th, 2001, 20:29
I've noticed that to avoid this, all you have to do is somewhere in the script set that variable equal to something else...then it can't be changed from the query string. As long as this setting of the variable takes place before the variable is printed, it will always show up as what you want it--not what was in the query string.

Go here:

http://www.niaad.com/demo.php?cmd=1&id=4



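<?php
// With register_globals on, $cmd and $id are first filled in from the query string.
// Assigning $id here overwrites whatever the query string supplied.
$id=5;
echo "<center>The CMD variable was $cmd. The ID variable was $id.</center>";
?>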


CMD will change, depending on what you enter. ID, however, will always be 5, because that's what I set it as.

I don't know if this is exactly what you are looking for (as restrictions may prevent you from setting that variable equal to something), but hopefully this will give you a good idea...

[Edited by Niaad on 03-29-2001 at 09:32 PM]

TheSpaceDude
March 29th, 2001, 23:23
Originally posted by Niaad
I've noticed that to avoid this, all you have to do is somewhere in the script set that variable equal to something else...then it can't be changed from the query string. As long as this setting of the variable takes place before the variable is printed, it will always show up as what you want it--not what was in the query string.

Go here:

http://www.niaad.com/demo.php?cmd=1&id=4



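<?php
// With register_globals on, $cmd and $id are first filled in from the query string.
// Assigning $id here overwrites whatever the query string supplied.
$id=5;
echo "<center>The CMD variable was $cmd. The ID variable was $id.</center>";
?>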


CMD will change, depending on what you enter. ID, however, will always be 5, because that's what I set it as.

I don't know if this is exactly what you are looking for (as restrictions may prevent you from setting that variable equal to something), but hopefully this will give you a good idea...

[Edited by Niaad on 03-29-2001 at 09:32 PM]

That's exactly what I am trying to do, but because $PHPSESSID is going to be different for everyone, I can not hard code it into the script :( How would I do that with a dynamic field?

Woofcat
March 30th, 2001, 08:28
$PHPSESSID=SID;
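
Added example, not code from any poster in this thread: on later PHP versions (7.0 or newer assumed here, where register_globals no longer exists), the split the thread asks for is done by reading only the named parameters from $_GET and accepting the session ID from the cookie only. The function name read_query and the command allowlist are assumptions made for illustration; cmd and articleid are the parameter names from the thread's URL.

```php
<?php
// Accept the session ID from the session cookie only, never from the URL.
ini_set('session.use_only_cookies', '1'); // ?PHPSESSID=... in the query string is ignored
ini_set('session.use_trans_sid', '0');    // PHP never rewrites links to carry the ID
ini_set('session.use_strict_mode', '1');  // an ID the server did not issue is replaced
session_start();

/**
 * Read only the parameters this page is meant to take from the query string.
 * Anything else in the query string (PHPSESSID included) is never looked at.
 */
function read_query(array $get): array
{
    $allowedCmds = ['displayarticle']; // hypothetical allowlist of commands

    $cmd = (isset($get['cmd']) && is_string($get['cmd'])) ? $get['cmd'] : '';
    if (!in_array($cmd, $allowedCmds, true)) {
        $cmd = 'displayarticle'; // fall back to a known command
    }

    // Article id must be a positive integer; arrays and junk become null.
    $id = filter_var(
        $get['articleid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );

    return ['cmd' => $cmd, 'articleid' => ($id === false ? null : $id)];
}

// Constructed sample input: the thread's URL with a caller-chosen PHPSESSID appended.
parse_str('cmd=displayarticle&articleid=153&PHPSESSID=123123', $sample);
$q = read_query($sample);

// Escape on output, since cmd originated from the request.
echo 'cmd=' . htmlspecialchars($q['cmd'], ENT_QUOTES, 'UTF-8')
   . ' articleid=' . var_export($q['articleid'], true)
   . ' session_id_from_url=' . var_export(session_id() === '123123', true) . "\n";
```

Calling session_regenerate_id(true) at login additionally replaces any ID that was set before authentication.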