| Mr. Newt 2007-05-19, 9:58 pm |
| Hi y'all,
Is there a tutorial out there that shows how to write script that avoids
using "register globals?"
I'm doing lots of get and post commands and they seem to rely on globals, or
am I wrong?
Thanks.
Robert
| |
| Olaf Schinkel 2007-05-20, 10:00 pm |
| Hello!
"Mr. Newt" <lektrikpuke@_yahoo.com> wrote in message
news:86SdndqCZaXAEtLbnZ2dnUVZ_oipnZ2d@comcast.com...
> Hi y'all,
>
> Is there a tutorial out there that shows how to write script that avoids
> using "register globals?"
>
> I'm doing lots of get and post commands and they seem to rely on globals,
> or am I wrong?
Do you mean you use the G&P variables directly?
(username is a variable that comes with get and post
(....index.php?username=blabla ...)
if ($username == ....)
and not
if ($_GET['username'])
or
if ($_POST['username'])
or for both
if ($_REQUEST['username'])
Olaf
| |
| Mr. Newt 2007-05-20, 10:00 pm |
|
"Olaf Schinkel" <trash@schinkel.tv> wrote in message
news:46500e1b$0$20285$9b4e6d93@newsspool3.arcor-online.net...
> Hello!
>
> "Mr. Newt" <lektrikpuke@_yahoo.com> wrote in message
> news:86SdndqCZaXAEtLbnZ2dnUVZ_oipnZ2d@comcast.com...
>
> Do you mean you use the G&P variables directly?
> (username is a variable that comes with get and post
> (....index.php?username=blabla ...)
> if ($username == ....)
> and not
> if ($_GET['username'])
> or
> if ($_POST['username'])
> or for both
> if ($_REQUEST['username'])
>
> Olaf
>
>
I read in the PHP ini file that one should try to write code that doesn't
require globals. An example of what I'm doing is: <FORM
ACTION="insert_data.php" METHOD=POST> Am I ?
It appears I have another problem in the PHP configuration (ini). It seems my
Linux installation requires the default host defined.
I have this defined in my connect.php file. What is the deal?
Connect file as it stands:
<?php
$conn = mysql_connect("localhost", "user_name", "password");
mysql_select_db("dbase_name", $conn);
?>
Robert
| |
| Christoph Burschka 2007-05-22, 3:59 am |
|
> <FORM ACTION="insert_data.php" METHOD=POST>
That doesn't have anything to do with register_globals (although on a
side note, I'd generally advise <form action="insert_data.php"
method="post"> because it's both easier to read and compliant with
XHTML). Look at the insert_data.php script instead.
In insert_data.php, the form values you sent should be referenced like
this: $_POST['field1'], $_POST['field2'], etc.
If they're used directly as $field1, $field2, etc., your code is
depending on register_globals to work, and may be vulnerable to a
certain kind of injection attack. Just replace $field1 with
$_POST['field1'], and it will be okay.
Of course, even a script that does not depend on register_globals is
only safe after register_globals is actually disabled.
--
Chris
| |
| Geoff Berrow 2007-05-22, 3:59 am |
| Message-ID: <5bfhohF2st8hqU1@mid.dfncis.de> from Christoph Burschka
contained the following:
>Of course, even a script that does not depend on register_globals is
>only safe after register_globals is actually disabled.
But the OP should not think that a script will be inherently safe with
register globals disabled. And it's perfectly possible to have a 'safe'
script with register globals enabled. Indeed, with some hosts, you have
no choice.
--
Geoff Berrow
| |
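The two points made in the replies above (read form values from $_POST rather than bare variables, and do not treat the register_globals setting alone as what makes a script safe), as an added example that is not part of the original thread. Because register_globals no longer exists in current PHP, extract() is used here to emulate it; the function names, the flag name $authorized, and the sample values are assumptions made for illustration. With the constructed request below, the first handler reports the visitor as authorized and the second does not, whether or not the emulation is switched on.

```php
<?php
// Added example, not code from the thread. register_globals was removed in
// PHP 5.4, so extract() emulates its effect: every request parameter becomes
// a variable in the running scope before the script's own logic executes.

const VALID_PASSWORD = 'constructed-sample-secret'; // constructed sample value

// Depends on register_globals: uses $password directly and never
// initialises $authorized, so a request field of that name is trusted.
function handler_relying_on_globals(array $request): bool
{
    extract($request);                    // emulation of register_globals = On
    if (isset($password) && $password === VALID_PASSWORD) {
        $authorized = true;
    }
    return !empty($authorized);           // may hold a value supplied by the request
}

// Does not depend on register_globals: explicit array lookup plus an
// initialised flag, so the result is the same with the setting on or off.
function handler_explicit(array $post, bool $emulateRegisterGlobals = false): bool
{
    if ($emulateRegisterGlobals) {
        extract($post);                   // host that forces the setting on
    }
    $authorized = false;                  // set after any import, cannot be pre-seeded
    $password = isset($post['password']) && is_string($post['password'])
        ? $post['password']
        : '';
    if (hash_equals(VALID_PASSWORD, $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: wrong password plus an extra field named like the flag.
$request = ['password' => 'wrong', 'authorized' => '1'];

var_dump(handler_relying_on_globals($request));
var_dump(handler_explicit($request));
var_dump(handler_explicit($request, true));
```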
| Robert 2007-05-22, 9:58 pm |
| Geoff Berrow wrote:
> Message-ID: <5bfhohF2st8hqU1@mid.dfncis.de> from Christoph Burschka
> contained the following:
>
>
> But the OP should not think that a script will be inherently safe with
> register globals disabled. And it's perfectly possible to have a 'safe'
> script with register globals enabled. Indeed, with some hosts, you have
> no choice.
>
Thanks guys. You got me over that hurdle. =)
Robert
| |