ID: 19527 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Closed +Status: Bogus Bug Type: *Web Server problem Operating System: Red Hat 7.2 linux PHP Version: 4.2.3 New Comment:
Setting the status to "bogus", as this was not a real bug after all. Derick Previous Comments: ------------------------------------------------------------------------ [2002-09-20 12:15:13] [EMAIL PROTECTED] Thanks very much for the quick reply. I use the phpinfo() to check the location and setting and found it would have helped if I had changed php.ini-dist to php.ini in /usr/local/lib. Thanks for the tool to assist me with diagnosing issues prior to submitting them. ------------------------------------------------------------------------ [2002-09-20 11:48:31] [EMAIL PROTECTED] This is normally caused by register_globals being off. Are you sure this is the php.ini file that PHP uses? (Check the location in the output of phpinfo(); , it's at the top somewhere). Derick ------------------------------------------------------------------------ [2002-09-20 11:46:32] [EMAIL PROTECTED] The variables from a http get do not get translated in to internal php variables. I was trying to install a php program that relied on this feature. I created a small program to simulate it. Redhat7.2 Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ss l/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.2.3 mod_perl/1.24_01 4.2.3 was build with apache & mysql (per php.net web site) ->http url url http://10.0.0.1/index.php?menuAction=then&test3=now ->produces 4.2.3 test1= test2=then test3= test4=menuAction=then&test3=now http_get menuAction=then http_get test3=now ->PROGRAM <html><head><title>PHP Test</title></head> <body> <?php echo phpversion()."<p>"; print("test1="); echo $menuAction; print("<p>test2="); echo $_GET['menuAction']; print("<p>test3=$test3"); print("<p>test4="); echo $_SERVER['QUERY_STRING']; print("<p>"); foreach ($_GET as $get_array => $get_vars) { print("http_get $get_array=$get_vars<p>"); } print("<p>"); foreach ($_POST as $post_array => $post_vars) { print("http_post $post_array=$post_vars<p>"); } ?> </body></html> ->php.ini (partial) ; ;open_basedir = ; Setting certain environment variables may be a potential security breach. ; This directive contains a comma-delimited list of prefixes. In Safe Mode, ; the user may only alter environment variables whose names begin with the ; prefixes supplied here. By default, users will only be able to set ; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR). ; ; Note: If this directive is empty, PHP will let the user modify ANY ; environment variable! safe_mode_allowed_env_vars = PHP_ ; This directive contains a comma-delimited list of environment variables that ; the end user won't be able to change using putenv(). These variables will be ; protected even if safe_mode_allowed_env_vars is set to allow to change them. safe_mode_protected_env_vars = LD_LIBRARY_PATH ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. This directive is ; *NOT* affected by whether Safe Mode is turned On or Off. disable_functions = ; Colors for Syntax Highlighting mode. Anything that's acceptable in ; <font color="??????"> would work. highlight.string = #CC0000 highlight.comment = #FF9900 highlight.keyword = #006600 highlight.bg = #FFFFFF highlight.default = #0000CC highlight.html = #000000 ; ; Misc ; ; Decides whether PHP may expose the fact that it is installed on the server ; (e.g. by adding its signature to the Web server header). It is no security ; threat in any way, but it makes it possible to determine whether you use PHP ; on your server or not. expose_php = On ;;;;;;;;;;;;;;;;;;; ; Resource Limits ; ;;;;;;;;;;;;;;;;;;; max_execution_time = 30 ; Maximum execution time of each script, in seconds memory_limit = 8M ; Maximum amount of memory a script may consume (8MB) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Error handling and logging ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; error_reporting is a bit-field. Or each number up to get desired error ; reporting level ; E_ALL - All errors and warnings ; E_ERROR - fatal run-time errors ; E_WARNING - run-time warnings (non-fatal errors) ; E_PARSE - compile-time parse errors ; E_NOTICE - run-time notices (these are warnings which often result ; from a bug in your code, but it's possible that it was ; intentional (e.g., using an uninitialized variable and ; relying on the fact it's automatically initialized to an ; empty string) ; E_CORE_ERROR - fatal errors that occur during PHP's initial startup ; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's ; initial startup ; E_COMPILE_ERROR - fatal compile-time errors ; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) ; E_USER_ERROR - user-generated error message ; E_USER_WARNING - user-generated warning message ; E_USER_NOTICE - user-generated notice message ; ; Examples: ; ; - Show all errors, except for notices ; ;error_reporting = E_ALL & ~E_NOTICE ; ; - Show only errors ; ;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR ; ; - Show all errors except for notices ; error_reporting = E_ALL & ~E_NOTICE ; Print out errors (as a part of the output). For production web sites, ; you're strongly encouraged to turn this feature off, and use error logging ; instead (see below). Keeping display_errors enabled on a production web site ; may reveal security information to end users, such as file paths on your Web ; server, your database schema or other information. display_errors = On ; Even when display_errors is on, errors that occur during PHP's startup ; sequence are not displayed. It's strongly recommended to keep ; display_startup_errors off, except for when debugging. display_startup_errors = Off ; Log errors into a log file (server-specific log, stderr, or error_log (below)) ; As stated above, you're strongly advised to use error logging in place of ; error displaying on production web sites. log_errors = Off ; Store the last error/warning message in $php_errormsg (boolean). track_errors = Off ; Disable the inclusion of HTML tags in error messages. ;html_errors = Off ; String to output before an error message. ;error_prepend_string = "<font color=ff0000>" ; String to output after an error message. ;error_append_string = "</font>" ; Log errors to specified file. ;error_log = filename ; Log errors to syslog (Event Log on NT, not valid in Windows 95). ;error_log = syslog ;;;;;;;;;;;;;;;;; ; Data Handling ; ;;;;;;;;;;;;;;;;; ; ; Note - track_vars is ALWAYS enabled as of PHP 4.0.3 ; The separator used in PHP generated URLs to separate arguments. ; Default is "&". ;arg_separator.output = "&" ; List of separator(s) used by PHP to parse input URLs into variables. ; Default is "&". ; NOTE: Every character in this directive is considered as separator! ;arg_separator.input = ";&" ; This directive describes the order in which PHP registers GET, POST, Cookie, ; Environment and Built-in variables (G, P, C, E & S respectively, often ; referred to as EGPCS or GPC). Registration is done from left to right, newer ; values override older values. variables_order = "EGPCS" ; Whether or not to register the EGPCS variables as global variables. You may ; want to turn this off if you don't want to clutter your scripts' global scope ; with user data. This makes most sense when coupled with track_vars - in which ; case you can access all of the GPC variables through the $HTTP_*_VARS[], ; variables. ; ; You should do your best to write your scripts so that they do not require ; register_globals to be on; Using form variables as globals can easily lead ; to possible security problems, if the code is not very well thought of. ; register_globals = Off register_globals = On ; This directive tells PHP whether to declare the argv&argc variables (that ; would contain the GET information). If you don't use these variables, you ; should turn it off for increased performance. register_argc_argv = On ; Maximum size of POST data that PHP will accept. post_max_size = 8M ; This directive is deprecated. Use variables_order instead. gpc_order = "GPC" ; Magic quotes ; ; Magic quotes for incoming GET/POST/Cookie data. magic_quotes_gpc = On ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. magic_quotes_runtime = Off ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=19527&edit=1
