Re: [PHP-DB] converting scripts for register_globals=Off
|
|
| Mikael grön 2004-04-29, 9:59 am |
| What register_globals does (Please correct me if I'm wrong) is convert
i.e. $_POST['variable_name'], $_GET['variable_name'] and so on to
$variable_name. which isn't very good from my point of view.
I suggest you make sure you use $_GET['your_variable'] when ever you're
fetching a GET variable, $_POST['var'] for all post variables and so
on, instead of what you're doing now.
This works just fine with register_globals = On as well, so I always
use it... to be safe..
Mike
On Apr 29, 2004, at 10:40, Kim Jacobs (Crooks) - Mweb wrote:
> if any of you could help me out, I would greatly appreciate it... I am
> an absolute beginner to php (2 w s now) and dont know what I dont
> know...
>
> I have written some scripts to access my online SQL db and I've tested
> the scripts on my machine with PHP 4.3.6 and register_globals = On
> Now where I host my site, uses PHP 4.3.5 and has register_globals =
> Off which means of course, that my scripts arent working, but I dont
> know why....
>
> My question is, how do I convert my scripts so that they will work
> please? I know that $id and $submit are two of the 'inputs' that it
> doesnt like, but I dont know the rest
>
> Tx
> K
>
>
> MWEB: S.A.'s most trusted and reliable Internet Service Provider. Just
> Like That.
>
> To join, go to: http://join.mweb.co.za or call 0860032000.
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
| |
| Ignatius Reilly 2004-04-30, 1:03 am |
| even better:
$_REQUEST['variable_name']
so that you don't have to bother checking both depending on whether your
form was GETted or POSTed.
| |
| Peter Lovatt 2004-04-30, 1:03 am |
| Hi
There are three main types of data passed by the browser - GET POST and
COOKIE.
php creates an array for each type, so what is $id now would also be
$_GET["id"] or $_POST["id"]
There is also $_REQUEST which is a combination of $_GET and $_POST so
$_REQUEST["id"] will also work.
If it were a cookie value it would be $_COOKIE["id"]
When register_globals is off $id will not be defined and only the above
arrays will be usable.
It is generally better practice to use the arrays anyway, so I would suggest
using them all the time.
HTH
Peter
| |
| Mikael grön 2004-04-30, 1:03 am |
| Since I have a thing for using one file for all things in i.e. an admin
script, I use POST and GET variables at the same time. Getting them
mixed up is extremely hazardous.. I do stuff like:
<a href="admin.php?action=delete&id=2">Delete post</a>
which leads to the section of the admin script;
<?php
if ($_GET['action'] == "delete" && $_GET['id']) {
    // lots of PHP doing lots of stuff
} else {
    // the link
}
?>
Now, if there's a POST variable named ID containing an INT matching the
database, and I use $_REQUEST instead of $_GET, I'm in trouble!
Mike
On Apr 29, 2004, at 11:00, Ignatius Reilly wrote:
> even better:
> $_REQUEST['variable_name']
>
> so that you don't have to bother checking both depending on whether your
> form was GETted or POSTed.
| |
| Ignatius Reilly 2004-04-30, 1:03 am |
| If your form is well designed, there should NOT be another POST variable
named "ID" or "id" used for a different purpose.
Your form data validation routine will examine the 2-uple (action, id), not
"id" alone. Therefore no problem.
In many cases I find it convenient to design a page so that it can be called
indifferently by POST or GET.
Just my 2 Belgian francs.
Ignatius
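Added example, not part of the original thread: a sketch of the two positions above, showing how a POST field with the same name replaces the GET value in a merged lookup, and how checking the (action, id) pair from one named source avoids it. The function names and sample arrays are hypothetical, and the merge assumes request_order = "GP" (GET first, then POST overwrites).

```php
<?php
// Added example; function names and sample arrays are constructed for illustration.

// Simulates how PHP fills $_REQUEST under request_order = "GP" (assumed):
// GET is copied first, then POST overwrites any key with the same name.
function build_request(array $get, array $post): array
{
    return array_merge($get, $post);
}

// Ambiguous: reads both fields from the merged array, as $_REQUEST would.
function delete_target_from_request(array $get, array $post): ?int
{
    $req = build_request($get, $post);
    if (($req['action'] ?? '') === 'delete' && !empty($req['id'])) {
        return (int) $req['id'];
    }
    return null;
}

// Explicit: the (action, id) pair must both come from one named source,
// and id must be a positive integer, before anything is deleted.
function delete_target_from_source(array $source): ?int
{
    if (($source['action'] ?? '') !== 'delete') {
        return null;
    }
    $id = filter_var($source['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed request: the link carries id=2, the form body carries id=7.
$get  = ['action' => 'delete', 'id' => '2'];
$post = ['id' => '7', 'title' => 'edited post'];

// Merged lookup: action comes from GET, id from whichever source was merged last.
var_dump(delete_target_from_request($get, $post));
// Single-source lookups: GET only, then POST only.
var_dump(delete_target_from_source($get));
var_dump(delete_target_from_source($post));
// A non-integer id is rejected instead of being cast.
var_dump(delete_target_from_source(['action' => 'delete', 'id' => '2abc']));
```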
| |
| John W. Holmes 2004-04-30, 1:03 am |
| From: "Kim Jacobs (Crooks) - Mweb" <KJacobs@mweb.com>
> I have written some scripts to access my online
> SQL db and I've tested the scripts on my machine
> with PHP 4.3.6 and register_globals = On
> Now where I host my site, uses PHP 4.3.5 and has
> register_globals = Off which means of course, that
> my scripts arent working, but I dont know why....
>
> My question is, how do I convert my scripts so that they
> will work please? I know that $id and $submit are two
> of the 'inputs' that it doesnt like, but I dont know the rest
If your program is well written, you can get away with just switching $id
for $_REQUEST['id'].
This is assuming you already properly validate and sanitize all of the data
coming from the user. Using $_REQUEST['id'] doesn't make anything more or
less secure, it's a matter of what you're doing with the data coming from
the user.
---John Holmes...
| |
| jeffreyb@ungodly.com 2004-04-30, 5:00 pm |
| If you already have a number of scripts and, especially, if you are doing
things with the variables inside the script (in other words, the variables
appear more than once), it can be more convenient to convert at the top of
each page, eg:
$id = $_REQUEST['id'];
$this = $_REQUEST['this'];
$that = $_SERVER['that'];
etc...
Jeffrey Baumgartner