On Monday, April 22, 2002, at 03:47  PM, Andre Dubuc wrote:

> I tried what you suggested, and indeed globals are off. Perhaps my 
> problem
> stems from my use of the $_GET[] with $vars. I guess I don't really
> understand what I'm doing. If you would take a peek at this code [I 
> think
> I've introduced a security hole, and I'm mixing up things]:

I think the problem you're having is basically understanding what 
register_globals does, and why some people might want to turn it off.

register_globals takes a variable (doesn't matter if it's a server 
variable, a cookie variable, a post variable, or a get variable) and 
registers it as global throughout the script.  This means that if 
someone types


into the "Address" bar of her browser, she has just requested the 
"index.php" resource from the server at "www.domain.com" using the HTTP 
protocol and sent two variables to the server using the GET method:

$firstname = 'andre'
$lastname = 'dubuc'

If you have register_globals turned on, then your script can look like 

if ($firstname == 'andre' && $lastname == 'dubuc') {
   // do something

and it still works.  However, if you have register_globals turned off, 
then the above 'if test' won't work.  This is because these variables 
are not $firstname and $lastname, they are $_GET['firstname'] and 
$_GET['lastname'].  To do an 'if test' with register_globals off, you 
should do:

if ($_GET['firstname'] == 'andre' && $_GET['lastname'] == 'dubuc') {
   // do something

There's really not much of a difference.  The thing is that instead of 
being a global variable, the data that you passed is now an element of 
the $_GET array.  So you use the standard element notation, using the 
associative index of the variable name.

If you do this:

$firstname = $_GET['firstname'];
$lastname = $_GET['lastname'];

...you make your code simpler to understand, but be careful that you 
don't do something in the same script like

$lastname = $row['last_name'];

(which could happen if you were trying to simplify your MySQL result 

I'll take a look at what you've got....

> On page 1:
> <?php session_start(); ob_start(); ?>
> // ob_start(); so I can have html headers on this page & redirect later
> // some other code
> <form action="page2.php" method="get">
> <?php
> // The following line is where I think I've caused myself grief.
> <input type=text size=20 name=bozo>
> <input type=submit name=submit value="Agree">
> ?>

Yeah, I'd say you've caused yourself some grief.  This isn't even 
related to register_globals -- you've got two HTML input tags in the 
middle of your PHP block.  You need to print() or echo these, not just 
type them in directly.

print("<input type='text' size='20' name='bozo' />");
print("<input type='submit' name='submit' value='Agree'>");

> $bozo = $_GET['bozo'];
> /* Now is this correct? Am I exposing 'bozo'  to a security hole? For 
> the
> rest of the script, with each $_GET['var'] from the previous page I do 
> the
> same. Somehow, I don't think I've grasped what to do with $vars. From my
> reading elsewhere, should I, for example, in page 1 use something like
> :
>         <input type=text size=20 name="<?php  echo 
> $_SESSION['bozo'] ?>">

I prefer to do it the way that you have read elsewhere, but it really 
doesn't matter.  Either way, you have a variable in your script that 
points to some user-specified data.  What you've done is simplified the 
results, similar to what some people do when they pull data out of a 
result set with mysql_fetch_array().  The only security hole is if you 
have written your script to do something unsafe with the $bozo variable.

HOWEVER... bear in mind that now that you are referring to this variable 
in this fashion, you could end up inadvertently overwriting this 
variable with a new variable, by doing something like

$bozo = $row['bozo'];

  -- something that is far less likely to occur when referring to it as 

It really depends on how organized your code is.  If I were you, I would 
probably get into the habit of calling it $_GET['bozo'], since that just 
saves you time and stress in the long run.  The only security hole would 
be this:

$_SESSION['admin'] = 'yes'; // indicates that user is an administrator
$admin = $_SESSION['admin']; // simplify our variable name

if ($admin == 'yes') { // if user is an administrator
   // display some sensitive data

// for some stupid reason we do this
$admin = $_GET['admin']; // obviously you wouldn't do something like this

if ($admin == 'yes') {
   // display some sensitive data

Essentially, in the above code, you've given the value of a GET variable 
called "admin" the same power as a session variable called "admin".  
This is bad practice in general, and I'm sure you wouldn't make this 

Simply making $admin = $_SESSION['admin'] does NOT mean that someone can 
type "admin=yes" into the querystring and automatically become the 
admin, because register_globals is OFF -- this means that

$admin != $_GET['admin']

unless you set it so.

> Once I figure out how I'm supposed to write the variables in the 
> scripts,
> I'll be OK. But I'm so CONFUSED!  */
> if  ($bozo == "") die ("Please enter your 'First Name'. <br><br> Click
> 'Back" in your browser to enter this information.");

This is fine.

> /* This page is actually a confirmation page, I've tried to collect the 
> info
> from page 1 ($bozo) and page 2 ($dodo) and print them to screen as in */
> $bozo = $_GET['bozo'];
> $dodo = $_GET['dodo'];
> print $bozo $dodo;
> /* I've also tried $_SESSION['bozo'], $_GET['bozo'], left out the
> '$bozo = $_GET['bozo']' etc, etc, etc. -- I don't know what I'm doing
> here!! Help! !  */
> ?>

What seems to be the problem here?



Erik Price
Web Developer Temp
Media Lab, H.H. Brown

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to