Thanks James that works great

e.g.
$site=$_GET['site'];
$width=$_GET['width'];
$height=$_GET['height'];
$REFER=$_GET['REFER'];


>From Eric

----- Original Message -----
From: James Keeline <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, September 06, 2005 3:35 AM
Subject: Re: [php-list] web page hit recorder


--- Eric Richards <[EMAIL PROTECTED]> wrote:

> However since the web server upgraded from PHP version 4.06 to 4.22 this
> feature no longer works and only records the time on record.txt.
> I was going to do a SQL database or something but I never got around to
it.
>
> From Eric
>
>
> here is the PHP____________________________________
> <?php
> $space="_";
> $hour= (Date("\nH:i:s d-n\t"));
> $size=$width."*".$height;
> $entry=$hour.$site.$space.$size.$space.$time.$space.$REFER;
> $fp=fopen("record.txt","a");
> fwrite($fp,$entry);
> fclose($fp);
> ?>


Your PHP script relies on a PHP configuration value register_globals being
in
the ON position.  With this form variables such as GET and POST, cookies,
and
server variables are copied and made available as local variables in your
PHP
script.

This can be risky because it allows someone to add form variables or GET
variables in the URL to set values of variables you never expected them to
be
able to change.

Older installations of PHP had register_globals "on" while newer ones have
it
"off."

The correct way to do this is to refer to the values from the URL variables
as
$_GET['site'] instead of $site (or $site=$_GET['site'] above the place where
you use it).

However, you are probably mainly interested in getting this short program
running without editing the php.ini file and without substantially rewriting
your program.  If you add this line to the program, local variables will be
created for everything coming in from GET.

extract($_GET);

I guess you mean version numbers 4.0.6 and 4.2.2 of PHP rather than 4.06 and
4.22.  Since you are using 4.2.0 or newer you can use an added feature to
improve the security.

If you want to restrict which variables can come in through GET (in this
case)
you can preset values for those variables:

$site=""; $size=""; $time=""; $REFER="";

This will place those variables in the local symbol table and this statement
will pull only variables and values from GET which are in the symbol table:

extract($_GET, EXTR_IF_EXISTS);

The second argument is a constant so spelling and capitalization count.

These statements should go at the top of your program before you do anything
which uses the values.

I'm sure you've discovered that the HTTP_REFERER is not very reliable and
doubly so for Javascript implementations which won't work if JS is turned
off
in a web browser visiting your site.

If your visitors "land" on a .php page you can use the
$_SERVER['HTTP_REFERER']
variable and it is not dependent on JS being on.

Using JS can be helpful for this kind of application because certain values,
such as the user's local time, screen size, color depth, etc. are only
available through JS.

James
_____


James D. Keeline
http://www.Keeline.com  http://www.Keeline.com/articles
http://Stratemeyer.org  http://www.Keeline.com/TSCollection

http://www.ITeachPHP.com -- Free Computer Classes: Linux, PHP, etc.
Fall Semester Begins Sep 7 -- New Classes Start Every Few Weeks.







------------------------ Yahoo! Groups Sponsor --------------------~--> 
Get Bzzzy! (real tools to help you find a job). Welcome to the Sweet Life.
http://us.click.yahoo.com/A77XvD/vlQLAA/TtwFAA/HKFolB/TM
--------------------------------------------------------------------~-> 

Community email addresses:
  Post message: [email protected]
  Subscribe:    [EMAIL PROTECTED]
  Unsubscribe:  [EMAIL PROTECTED]
  List owner:   [EMAIL PROTECTED]

Shortcut URL to this page:
  http://groups.yahoo.com/group/php-list 
Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/php-list/

<*> To unsubscribe from this group, send an email to:
    [EMAIL PROTECTED]

<*> Your use of Yahoo! Groups is subject to:
    http://docs.yahoo.com/info/terms/
 



Reply via email to