Environmental Variables

All environmental variables passed to a script are placed by the interpreter into the $HTTP_ENV_VARS array. The format of this array is different on different computers. In Windows, environmental variables can be checked by executing the set command in the command line; in UNIX-like systems, environmental variables can be viewed by executing the env command.

You may find the following PHP environmental variables useful:

  • $DOCUMENT_ROOT — The path to the document root directory of the currently executing script on the server.
  • $SCRIPT_FILENAME — The current script's path.
  • $SERVER_ADDR – The IP address of the server on which the current script is executing.
  • $SERVER_PORT — The server port used by the web server for communication.
Full version | Tag: PHP Development | Date: 11/3/2009 9:04:01 PM

Parameter Passing

Static web pages are a rarity nowadays. Almost any reasonably large web site asks its users for some data. The data supplied by the users are passed as parameters to the specified script using HTML forms. The following example shows how to create a form for entering a user name:

<form action="param.php" method="get"> User Name: <input name="UserName"> </form>

The <form> tag takes the following two parameters:

  • Action — Specifies the name or the complete URL of the script file to which the form parameters are to be passed.
  • Method — The method used to pass the parameters. There are two methods for doing this: get and post. We will consider both of these methods in detail, as you should have a clear understanding of how they work.
Full version | Tag: PHP Development | Date: 11/8/2009 9:35:15 PM

The GET Method

When the GET method is used, all the parameters that are passed to the script are placed into global variables. In addition, they are also placed into the $HTTP_GET_VARS array, or $_GET for short. But there is more to come. The parameters are also displayed in the browser's URL field. Thus, when the above example form is submitted with name and password parameters, the URL will change to this: http://192.168.77.1/param.php?UserName=Flenov&Password=qwerty. That is, a question mark is appended to the original URL, followed by the parameters in the parameter_name=parameter_value format, delimited by ampersands (&).

How safe do you think this method is? Good thinking! Any of the parameters can be easily changed manually without even changing the form's source code. When developing scripts, you should make it as hard as possible for hackers to manipulate parameters. For example, do not use the GET method to transmit passwords, because they can be easily intercepted.

Another problem with this method is its openness. Consider the password example again. When a user enters a password via this method, the password will be displayed in the browser's URL field. Anyone passing by at that moment can see the password there.
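
The following is an added example, not code from the original text: one way param.php could treat GET parameters as user-editable input, reading them only from the $_GET array, validating UserName, and refusing a Password that arrives in the URL. The function names, the 1-32 character name policy, and the sample query strings are assumptions made for illustration.

```php
<?php
// Added example (not from the original page): param.php handling UserName via GET.

// Anything in the URL can be edited by hand, so the value is validated on the
// server no matter what the HTML form allows.
function read_user_name(array $query): ?string
{
    $name = $query['UserName'] ?? null;
    if (!is_string($name)) {          // missing, or sent as UserName[]=...
        return null;
    }
    // Assumed policy for this example: 1-32 letters, digits, '_' or '-'.
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name) === 1 ? $name : null;
}

// A password in the query string is displayed in the browser's URL field,
// so such a request is rejected instead of processed.
function has_secret_in_url(array $query): bool
{
    return array_key_exists('Password', $query);
}

// Returns [HTTP status, response body] for a parsed query string.
function handle(array $query): array
{
    if (has_secret_in_url($query)) {
        return [400, 'Send the password with the post method, not in the URL.'];
    }
    $name = read_user_name($query);
    if ($name === null) {
        return [400, 'Invalid or missing UserName.'];
    }
    // Escape on output even after validation.
    return [200, 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample query strings, parsed the way PHP fills $_GET.
    $samples = ['UserName=Flenov', 'UserName=Flenov&Password=qwerty',
                'UserName=%3Cscript%3E', 'UserName[]=a'];
    foreach ($samples as $qs) {
        parse_str($qs, $query);
        [$status, $body] = handle($query);
        echo "$qs => $status $body\n";
    }
} else {
    [$status, $body] = handle($_GET);   // read explicitly, not from globals
    http_response_code($status);
    header('Content-Type: text/html; charset=utf-8');
    echo $body;
}
```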

Full version | Tag: PHP Development | Date: 11/11/2009 7:39:22 PM