
I commonly see people setting $_SESSION variables as

$_SESSION['example']=$_REQUEST['something'];
$example=$_SESSION['example'];

is this redundant?

I am currently working on a new server and

$_SESSION['example']=$_REQUEST['something'];

gives me access to $example without any extra code

is this normal or a php configuration making my life easier but potentially more dangerous?

3 Answers


This sounds like a php.ini directive called register_globals is on for the server you are working with. This is considered bad practice, and it is even deprecated and removed in the latest releases of PHP. Check out this portion of the PHP documentation for more details.

http://www.php.net/manual/en/security.globals.php

Edit - as it pertains to your comment.

You should never trust the input provided by your users, and should sanitize it by removing or neutralizing characters that could be used for cross site scripting, injection attacks, or just crap data from getting into your session, cookies, or database.

Check out the following to get up to speed.

http://www.codeassembly.com/How-to-sanitize-your-php-input/

http://www.phpbuilder.com/columns/sanitize_inc_php.txt

http://www.devshed.com/c/a/PHP/Sanitizing-Strings-with-Filters-in-PHP-5/


2 Comments

That was it, thank you. What is the best way to set SESSION variables?

The best way is to retrieve it from the appropriate area, $_GET or $_POST, rather than $_REQUEST whenever possible, sanitize the input into a new variable, and then set that value to the session. You can then retrieve those values from the session either directly or, as I prefer, you can set variables in your code from the session and work with those.

There is no difference between the first code and the second code. There seems to be a contingent that thinks putting global variables into a local variable makes them safe. But it isn't.

You should treat anything that comes from user space (POST, GET, REQUEST, COOKIE) like it is infected.



That only happens when "register_globals" is set to "on", which is not recommended!
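The three answers above make two points: the asker's "free" $example variable comes from register_globals, and the fix is to read the value from the specific superglobal it is expected in, validate it into a fresh variable, and only then put it in the session. The script below is an added example written for this page (it is not code from any of the answers); the function names, the allow-list pattern and the field name "something" are the example's own choices, and the check for register_globals simply inspects the php.ini value rather than relying on what happens to be in scope.

```php
<?php
// Added example, not from any answer on this page: the "safe" pattern the
// accepted answer's comment describes, plus a check for the register_globals
// setting that explains why $example appeared without being assigned.
// Function names and the field name "something" are this example's choices.

declare(strict_types=1);

// register_globals existed up to PHP 5.3. On newer PHP the directive is gone
// and ini_get() returns false, so this function simply reports "not enabled".
function registerGlobalsEnabled(): bool
{
    $value = ini_get('register_globals');
    // ini_get() returns the raw php.ini string; "1", "on", "yes" and "true"
    // all mean enabled, everything else (including false/"") means disabled.
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Read from $_POST explicitly, never from $_REQUEST, and validate against an
// allow-list before the value is trusted anywhere else in the application.
function readExampleFromPost(): ?string
{
    // filter_input() returns null when the key is absent and false on failure.
    $raw = filter_input(INPUT_POST, 'something', FILTER_UNSAFE_RAW);
    if (!is_string($raw)) {
        return null;
    }
    // Allow-list: 1..32 letters, digits or underscores. Anything else is rejected
    // outright instead of being "cleaned up" and stored anyway.
    if (preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Only a value that already passed validation is written to the session.
function storeExampleInSession(string $validated): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION['example'] = $validated;
}

// On a later request the value is read back explicitly; nothing is "magically"
// in scope, which is the behaviour register_globals removed.
function exampleFromSession(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['example']) && is_string($_SESSION['example'])
        ? $_SESSION['example']
        : null;
}

if (registerGlobalsEnabled()) {
    http_response_code(500);
    exit('register_globals is on; turn it off in php.ini before deploying this code.');
}

$example = readExampleFromPost();
if ($example === null) {
    http_response_code(400);
    exit('missing or invalid "something" parameter');
}
storeExampleInSession($example);

// Output escaping is a separate step from input validation: escape when the
// value is echoed into HTML, not when it is stored in the session.
echo 'stored: ' . htmlspecialchars(exampleFromSession() ?? '', ENT_QUOTES, 'UTF-8');
```

Run it behind a web server and POST a form field named "something"; a value outside the allow-list gets a 400 instead of reaching $_SESSION. The point the second answer makes still holds here: copying $_SESSION['example'] into $example does not make it safer, the validation step before the session write is what does.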
