The ability to transfer information from one script to another is essential to modern dynamic web pages. Usually, the scripts will use the well-known GET method for this purpose. For example, to edit your personal information, PHP-Nuke calls the Your_Account module with a URL like:
http://www.yourdomain.com/modules.php?name=Your_Account&op=edituser
The "name" and "op" are so-called URL parameters and are passed to the modules.php script through the GET method. This is what happens behind the scenes:
The modules.php file includes mainfile.php, as practically every piece of PHP-Nuke code does, directly or indirectly (see Section 20.2 for blocks and Chapter 21 for modules). In mainfile.php, one of the first things checked is whether register_globals is set to OFF in your php.ini:
if (!ini_get("register_globals")) {
import_request_variables('GPC');
}
If it is, the above code will call import_request_variables and import all GET variables (i.e. "name" and "op" in the example) in the $_GET array. Using the types parameter, you can specify which request variables import_request_variables should import: the characters 'G', 'P' and 'C' stand for GET, POST and Cookie respectively, as in the example from mainfile.php above.
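The order of the letters in the types string matters: with 'GPC', a same-named POST variable overwrites the GET one, and a cookie overwrites both, so the script can no longer tell where a value came from. The following is an added example, not PHP-Nuke code: a simplified model of that behaviour, in which the function name import_request_model, the in_ prefix and the sample request are assumptions made for illustration.

```php
<?php
// Simplified model of import_request_variables($types, $prefix).
// The real function was removed in PHP 5.4, so this emulation
// (import_request_model is a hypothetical name) returns the imported
// variables as an array instead of writing them to the global scope.
function import_request_model(string $types, array $sources, string $prefix = ''): array
{
    $map = ['G' => 'get', 'P' => 'post', 'C' => 'cookie'];
    $scope = [];

    // Letters are processed left to right and are not case sensitive.
    // A later source overwrites a same-named variable from an earlier one.
    foreach (str_split(strtoupper($types)) as $letter) {
        if (!isset($map[$letter])) {
            continue; // ignore anything other than G, P or C
        }
        foreach ($sources[$map[$letter]] ?? [] as $name => $value) {
            $scope[$prefix . $name] = $value;
        }
    }
    return $scope;
}

// Constructed request: the URL parameters from the text, plus a cookie
// that happens to reuse the name "op".
$request = [
    'get'    => ['name' => 'Your_Account', 'op' => 'edituser'],
    'post'   => [],
    'cookie' => ['op' => 'value_from_cookie'],
];

// 'GPC' as in mainfile.php: the cookie value replaces the GET value of "op".
print_r(import_request_model('GPC', $request));

// GET only, with a prefix: imported names cannot collide with the
// script's own variables, and their origin stays visible.
print_r(import_request_model('G', $request, 'in_'));
```

Reading the parameters directly from $_GET, $_POST or $_COOKIE avoids the ambiguity altogether, because the source of each value is explicit.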
The code goes on to submit each variable in the $_GET array to a series of checks that should guard against any misuse of the parameters for cracking purposes (see Section 23.4.3), but this is not going to be pursued further here (see Section 23.1 for the security perspective on PHP-Nuke). We are rather going to concentrate on a different aspect of URL parameter passing: the GET method of transferring parameters between scripts makes your web pages unfriendly for search engines - to the point that they may not be indexed at all!