Re: [PHP] register globals not working
I have installed php v5 on a windowsXP PC. Server is Apache 2.2. Even though I have turned register globals on in the ini file, the php is still not allowing the use of $HTTP_GET_VARS (and probably other similier variables), and I am having to change my existing script to $_GET before they will run. Any idea why the directive is being ignored? Rodney Courtis On? Register globals is widely considered to be a security hazard. Ideally you should be using the $_GET etc variables instead. Anyhoo the $HTTP_*_VARS are (IIRC) controlled by the track_vars directive. So turn that on, restart Apache, and then try. -- Richard Heyes +44 (0)800 0213 172 http://www.websupportsolutions.co.uk Knowledge Base and HelpDesk software that can cut the cost of online support -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] register globals not working
Hi I have installed php v5 on a windowsXP PC. Server is Apache 2.2. Even though I have turned register globals on in the ini file, the php is still not allowing the use of $HTTP_GET_VARS (and probably other similier variables), and I am having to change my existing script to $_GET before they will run. Any idea why the directive is being ignored? Rodney Courtis
Re: [PHP] register globals not working
You're using the wrong option. Register globals is for the auto-creation of variables passed through GET, POST, etc. What you want is register_long_vars (or something like that, long variables, long arrays...) Chris Rodney Courtis wrote: Hi I have installed php v5 on a windowsXP PC. Server is Apache 2.2. Even though I have turned register globals on in the ini file, the php is still not allowing the use of $HTTP_GET_VARS (and probably other similier variables), and I am having to change my existing script to $_GET before they will run. Any idea why the directive is being ignored? Rodney Courtis -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] register globals on
Hello again, Can I ask a general question? One of the website that we have built was constructed using register globals. Thanks to that we set the language for browsing the website by determining user's browser language and then also (I think) it is used to remember some other choices users make while on the website (especially the language for browsing). Anyway, our ISP asks us to stop using register globals. They are right. We should. However, the programmer we have been using to help us, insists that without register globals on, we will have to revert to using cookies. This - he claims - is not an option because if a user blocks cookies, site as such will become useless (many options on the website are a consequence of setting the language first). I thought I would ask your opinion before we make any decision. Is it really so that without register globals, such things as displaying information from databases based on the initial choice of languages is not an option? I am not a programmer so I just need general guidance. Thank you very much in advance! -- Zbigniew Szalbot -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register globals on
Zbigniew Szalbot wrote: Hello again, Can I ask a general question? One of the website that we have built was constructed using register globals. Thanks to that we set the language for browsing the website by determining user's browser language and then also (I think) it is used to remember some other choices users make while on the website (especially the language for browsing). Anyway, our ISP asks us to stop using register globals. They are right. We should. However, the programmer we have been using to help us, insists that without register globals on, we will have to revert to using cookies. This - he claims - is not an option because if a user blocks cookies, site as such will become useless (many options on the website are a consequence of setting the language first). I thought I would ask your opinion before we make any decision. Is it really so that without register globals, such things as displaying information from databases based on the initial choice of languages is not an option? I am not a programmer so I just need general guidance. Complete rubbish. He's being lazy. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register globals on
Hello again, On Tue, 12 Sep 2006, Chris wrote: I thought I would ask your opinion before we make any decision. Is it really so that without register globals, such things as displaying information from databases based on the initial choice of languages is not an option? I am not a programmer so I just need general guidance. Complete rubbish. He's being lazy. Thanks a lot! Any hint what to use instead? I mean I will tell him to re-think things but with techi guys I would simply feel better saying we need to rework the website using...??? Thank you again! -- Zbigniew Szalbot -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register globals on
On Tuesday 12 September 2006 01:16, Zbigniew Szalbot wrote: Hello again, Can I ask a general question? One of the website that we have built was constructed using register globals. Thanks to that we set the language for browsing the website by determining user's browser language and then also (I think) it is used to remember some other choices users make while on the website (especially the language for browsing). Anyway, our ISP asks us to stop using register globals. They are right. We should. However, the programmer we have been using to help us, insists that without register globals on, we will have to revert to using cookies. This - he claims - is not an option because if a user blocks cookies, site as such will become useless (many options on the website are a consequence of setting the language first). I thought I would ask your opinion before we make any decision. Is it really so that without register globals, such things as displaying information from databases based on the initial choice of languages is not an option? I am not a programmer so I just need general guidance. Thank you very much in advance! Your programmer is (a) lying (b) completely and totally clueless (c) both. (Choose one.) In any vaguely recent version of PHP, you get five super-global array variables: $_GET - any parameters passed in the GET string. $_POST - any parameters passed in the body of a POST query. $_REQUEST - The two above merged. I forget which takes precedence. $_COOKIE - Any values sent by the browser as a cookie. $_SESSION - Any values that you have saved to the session array, which is (usually) persisted on the client's browser as a session cookie. All register globals does is take the contents of those arrays and dump them into the global namespace. (Again, I forget off hand what the precedence is.) You can very easily simulate register globals (which you should never do) with: for ($_REQUEST as $key = $value) $GLOBALS[$$key] = $value; for ($_COOKIE as $key = $value) $GLOBALS[$$key] = $value; Disabling register globals does not in any way keep you from using cookies. Of course, 90% of the time if you're using cookies, you REALLY mean to be using a session instead. Remembering a user's setting, such as what language they want, is a text-book example of where you want to be using sessions. Register globals is not required for that in any way shape or form. It may well be the case that refactoring your code to not depend on register globals will be difficult, time consuming, or annoying. That's quite possible. But that has nothing to do with cookies. Nor is there any way for you to persist data between page loads using register globals in the first place. Your programmer is full of it. As for a user disabling cookies, my honest opinion is that it's fucking 2006, if someone is so paranoid that they're blocking on-site session cookies then they shouldn't be allowed to use a web browser in the first place. :-) -- Larry Garfield AIM: LOLG42 [EMAIL PROTECTED] ICQ: 6817012 If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it. -- Thomas Jefferson -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register globals on
Zbigniew Szalbot wrote:
Hello again,
On Tue, 12 Sep 2006, Chris wrote:
I thought I would ask your opinion before we make any decision. Is it
really so that without register globals, such things as displaying
information from databases based on the initial choice of languages is not
an option? I am not a programmer so I just need general guidance.
Complete rubbish. He's being lazy.
Thanks a lot! Any hint what to use instead? I mean I will tell him to
re-think things but with techi guys I would simply feel better saying we
need to rework the website using...???
No real hint about what to use instead, we don't know the code.
At a guess he's doing something like:
?php
$lang_file = $lang . '.php';
include($lang_file);
What he should be doing:
?php
$default_language = 'en';
$valid_languages = array('en', 'fr');
if (isset($_GET['lang'])) {
$lang_chosen = $_GET['lang'];
} else {
$lang_chosen = $default_language;
}
if (!in_array($lang_chosen, $valid_languages)) {
$lang_chosen = $default_language;
}
include($lang_chosen . '.php');
What that does is checks to see if there is a 'lang=' in the url.
If there is, it makes sure it's valid (in this case either 'en' or 'fr').
If it's not set or it's not valid, then it uses the default language ('en').
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register globals on
there are many ways you can keep information.
now if you must really use global. you can still use global even if the
server is set to global off by using $_GLOBAL or using globals decleration.
example:
$test = 'i'm global';
function f1()
{
echo $_GLOBAL['test']; // should display i'm global
}
function f2()
{
global $test;
echo $test; // should display i'm global
}
now for your forms. i'm not sure is the above will work (to lazy to verify
:)) use the other predefined variables like $_POST, $_GET, $_REQUEST thats
where data from your forms are stored when the page is submited. and if you
want to keep your data when your user move from one page to the other, store
it in a session $_SESSION. remeber to always start session
session_start() on every page.
read more: http://php.net/reserved.variables
my advice, avoid using globals. It leads to lots of error that are hard to
debug and reproduce.
hth,
john
On 9/12/06, Zbigniew Szalbot [EMAIL PROTECTED] wrote:
Hello again,
On Tue, 12 Sep 2006, Chris wrote:
I thought I would ask your opinion before we make any decision. Is it
really so that without register globals, such things as displaying
information from databases based on the initial choice of languages is
not
an option? I am not a programmer so I just need general guidance.
Complete rubbish. He's being lazy.
Thanks a lot! Any hint what to use instead? I mean I will tell him to
re-think things but with techi guys I would simply feel better saying we
need to rework the website using...???
Thank you again!
--
Zbigniew Szalbot
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
GMail Rocks!!!
Re: [PHP] register globals on
correction: $GLOBALS not $_GLOBAL
:)
cheers
On 9/12/06, J R [EMAIL PROTECTED] wrote:
there are many ways you can keep information.
now if you must really use global. you can still use global even if the
server is set to global off by using $_GLOBAL or using globals decleration.
example:
$test = 'i'm global';
function f1()
{
echo $_GLOBAL['test']; // should display i'm global
}
function f2()
{
global $test;
echo $test; // should display i'm global
}
now for your forms. i'm not sure is the above will work (to lazy to verify
:)) use the other predefined variables like $_POST, $_GET, $_REQUEST thats
where data from your forms are stored when the page is submited. and if you
want to keep your data when your user move from one page to the other, store
it in a session $_SESSION. remeber to always start session
session_start() on every page.
read more: http://php.net/reserved.variables
my advice, avoid using globals. It leads to lots of error that are hard to
debug and reproduce.
hth,
john
On 9/12/06, Zbigniew Szalbot [EMAIL PROTECTED] wrote:
Hello again,
On Tue, 12 Sep 2006, Chris wrote:
I thought I would ask your opinion before we make any decision. Is
it
really so that without register globals, such things as displaying
information from databases based on the initial choice of languages
is not
an option? I am not a programmer so I just need general guidance.
Complete rubbish. He's being lazy.
Thanks a lot! Any hint what to use instead? I mean I will tell him to
re-think things but with techi guys I would simply feel better saying we
need to rework the website using...???
Thank you again!
--
Zbigniew Szalbot
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
GMail Rocks!!!
--
GMail Rocks!!!
RE: [PHP] register globals on
On 12 September 2006 08:18, Larry Garfield wrote: [...] In any vaguely recent version of PHP, you get five super-global array variables: $_GET - any parameters passed in the GET string. $_POST - any parameters passed in the body of a POST query. $_REQUEST - The two above merged. I forget which takes precedence. $_COOKIE - Any values sent by the browser as a cookie. Correction: $_GET - any parameters passed in the GET string. $_POST - any parameters passed in the body of a POST query. $_COOKIE - Any values sent by the browser as a cookie. $_REQUEST - The *three* above merged. I'm not sure whether $_REQUEST is affected by the variables_order configuration setting, but this could potentially affect both presence and precedence of the GPC variables in $_REQUEST. Cheers! Mike - Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Headingley Campus, LEEDS, LS6 3QS, United Kingdom Email: [EMAIL PROTECTED] Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211 To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register globals on
At 12:55 PM +0100 9/12/06, Ford, Mike wrote: Correction: $_GET - any parameters passed in the GET string. $_POST - any parameters passed in the body of a POST query. $_COOKIE - Any values sent by the browser as a cookie. $_REQUEST - The *three* above merged. I'm not sure whether $_REQUEST is affected by the variables_order configuration setting, but this could potentially affect both presence and precedence of the GPC variables in $_REQUEST. Cheers! Mike As I remember it, there is a pecking order. The same whatever index in in all three GPC with different values will result in only one value provided by $_REQUEST(whatever). That's another reason why I avoid using $_REQUEST. tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals (more)
On Thu, November 3, 2005 10:00 pm, John Taylor-Johnston wrote:
Patience please :)
See my html below. Basically, if type=checkbox is checked, I'm trying
to build $to string in mail().
parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING
or T_VARIABLE or T_NUM_STRING line 4
How do I rebuild this peice of code to be register_globals=off
friendly?
Just when I thought I was getting good. This keeps up, I'm changing
back the php.ini myself.
Hang in there!
John
1for ($i = 1; $i = $_POST[NMax]; $i++)
2{
3 $CheckVariable = \{$_POST['Check$i']};
You don't want ' around Check$i because $ has no special meaning
inside of ''. Only \ and ' mean anything special to ''.
4eval(\$CheckVariable = \$CheckVariable\;);
Woof.
You could save a WHOLE bunch of trouble making a change (below) and
doing:
$names = $_POST['names'];
$emails = $_POST['emails'];
$checks = isset($_POST['checks']) ? $_POST['checks'] : array();
foreach($names as $i = $name){
$email = $emails[$i];
$check = isset($checks[$i]);
echo $name: $email ($check)br /\n;
}
Even so, you sure don't need eval() even if you want to keep
everything else the same:
$name = $_POST[name$i];
$email = $_POST[email$i];
//HTTP doesn't send anything for un-checked checkboxes.
$check = isset($_POST[check$i]);
5 $nameVariable = \{$_POST['name$i']};
6eval(\$nameVariable = \$nameVariable\;);
7 $emailVariable = \{$_POST['email$i']};
8eval(\$emailVariable = \$emailVariable\;);
9
10#echo ${Check$i};
11#echo $CheckVariable $emailVariable - $ibr;
12
13if ($CheckVariable)
14$to .= \$nameVariable\ .$emailVariable.,;
$to .= \$name\ $email,;
15
16}
17
18echo $to;
INPUT TYPE=checkbox NAME=Check1 VALUE=John CHECKEDJohn
Change this to:
NAME=check[1]
input type=hidden name=name1 value=John
NAME=name[1]
input type=hidden name=email1 value=[EMAIL PROTECTED]
NAME=email[1]
br
INPUT TYPE=checkbox NAME=Check2 VALUE=Alessandra
NAME=check[2]
CHECKEDAlessandra
input type=hidden name=name2 value=Alessandra
NAME=name[2]
input type=hidden name=email2 value=[EMAIL PROTECTED]
NAME=email[2]
br
...
...
input type=hidden name=NMax value=29
You may not even need this any more...
The arrays are going to be as big as they need to be, and no bigger.
Like a woman's skirt should be. :-)
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
On Thu, November 3, 2005 8:17 pm, John Taylor-Johnston wrote: Ok, you are all used to working with register_gloabsl=off. mail($to, stripslashes($subject), wordwrap($message, 60), From: $from\r\n); I change this line to: mail($to, stripslashes($_POST[subject]), wordwrap($_POST[message], 60), From: $_POST[from]\r\n); From: $_POST[from]\r\n No quotes. No apostrophes. Nothin but index. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
On 11/8/05 10:20 PM, Richard Lynch wrote:
I change this line to:
mail($to, stripslashes($_POST[subject]), wordwrap($_POST[message],
60), From: $_POST[from]\r\n);
From: $_POST[from]\r\n
No quotes.
No apostrophes.
Nothin but index.
You can also use curly braces:
From: {$_POST[from]}\r\n
--
Ben Ramsey
http://benramsey.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals (more)
John Taylor-Johnston wrote:
Patience please :)
See my html below. Basically, if type=checkbox is checked, I'm trying to
build $to string in mail().
parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING
or T_VARIABLE or T_NUM_STRING line 4
How do I rebuild this peice of code to be register_globals=off friendly?
Just when I thought I was getting good. This keeps up, I'm changing back
the php.ini myself.
John
stop using eval()! (you know the film SAW? well it's people
who use too much eval() that end up chained to the raditator)
also find out what the difference is betwewen using single
and double quotes.
also learn how/why to use isset(), and initializing your variables
before using them...
now look at this, I'm pretty sure ti will do what you want:
?
$to = '';
for ($i = 1; $i = $_POST[NMax]; $i++) {
$CheckVariable = isset($_POST[Check$i]) ? $_POST[Check$i]: false;
$nameVariable = isset($_POST[name$i]) ? $_POST[name$i] : '';
$emailVariable = isset($_POST[email$i]) ? $_POST[email$i]: '';
if ($CheckVariable) {
$to .= \$nameVariable\ .$emailVariable.,;
}
}
echo $to;
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals (more)
John Taylor-Johnston wrote:
Patience please :)
See my html below. Basically, if type=checkbox is checked, I'm trying to
build $to string in mail().
parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING
or T_VARIABLE or T_NUM_STRING line 4
How do I rebuild this peice of code to be register_globals=off friendly?
Just when I thought I was getting good. This keeps up, I'm changing back
the php.ini myself.
John
stop using eval()! (you know the film SAW? well it's people
who use too much eval() that end up chained to the raditator)
also find out what the difference is betwewen using single
and double quotes.
also learn how/why to use isset(), and initializing your variables
before using them...
now look at this, I'm pretty sure ti will do what you want:
?
$to = '';
for ($i = 1; $i = $_POST[NMax]; $i++) {
$CheckVariable = isset($_POST[Check$i]) ? $_POST[Check$i]: false;
$nameVariable = isset($_POST[name$i]) ? $_POST[name$i] : '';
$emailVariable = isset($_POST[email$i]) ? $_POST[email$i]: '';
if ($CheckVariable) {
$to .= \$nameVariable\ .$emailVariable.,;
}
}
echo $to;
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals
Ok, you are all used to working with register_gloabsl=off. mail($to, stripslashes($subject), wordwrap($message, 60), From: $from\r\n); I change this line to: mail($to, stripslashes($_POST[subject]), wordwrap($_POST[message], 60), From: $_POST[from]\r\n); and I get: Parse error: parse error, unexpected '\', expecting T_STRING or T_VARIABLE or T_NUM_STRING in /www-html/emailer/index.html on line 41 What is the problem? John -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
mail($to, stripslashes($_POST[subject]), wordwrap($_POST
[message], 60), From: $_POST[from]\r\n);
and I get:
Parse error: parse error, unexpected '\', expecting T_STRING or
T_VARIABLE or T_NUM_STRING in /www-html/emailer/index.html on line 41
The use of $var['index'] or $var[index] ($_POST['from'], $_GET
[to], etc.) within double quotation marks is causing the problem.
To fix this, wrap the whole construct in curly braces:
mail($to, stripslashes($_POST[subject]), wordwrap($_POST
[message], 60), From: {$_POST[from]}\r\n);
You only have to do this within other quotation marks and only if the
array's index is a string.
Hope that helps,
Larry
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
I'm guessing it's because of the double quotes within double quotes in the From part: mail($to, stripslashes($_POST[subject]), wordwrap($_POST[message], 60), From: $_POST[from]\r\n); Your $_POST[subject] is ok because that's all that's in that part of the parameter, but the part: From: $_POST[from]\r\n ..is going to cause problems because the from double quotes interfere with the outside double quotes. Try changing it to: From: $_POST['from']\r\n ..with single quotes on the 'from' or put the $_POST variable outside the quotes: From: . $_POST[from] . \r\n Hope that helps! -TG = = = Original message = = = Ok, you are all used to working with register_gloabsl=off. mail($to, stripslashes($subject), wordwrap($message, 60), From: $from\r\n); I change this line to: mail($to, stripslashes($_POST[subject]), wordwrap($_POST[message], 60), From: $_POST[from]\r\n); and I get: Parse error: parse error, unexpected '\', expecting T_STRING or T_VARIABLE or T_NUM_STRING in /www-html/emailer/index.html on line 41 What is the problem? John -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php ___ Sent by ePrompter, the premier email notification software. Free download at http://www.ePrompter.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
Got it:
mail($to, $_POST[subject], wordwrap($_POST[message], 60), From:
{$_POST[from]}\r\n);
No more errors.
But nothing comes through from smtp. I checked to be sure with phpinfo.
All values exist.
This worked though:
mail([EMAIL PROTECTED],[EMAIL PROTECTED],
123, 456, From: [EMAIL PROTECTED]);
?
Larry E. Ullman wrote:
mail($to, stripslashes($_POST[subject]), wordwrap($_POST
[message], 60), From: $_POST[from]\r\n);
and I get:
Parse error: parse error, unexpected '\', expecting T_STRING or
T_VARIABLE or T_NUM_STRING in /www-html/emailer/index.html on line 41
The use of $var['index'] or $var[index] ($_POST['from'], $_GET
[to], etc.) within double quotation marks is causing the problem.
To fix this, wrap the whole construct in curly braces:
mail($to, stripslashes($_POST[subject]), wordwrap($_POST
[message], 60), From: {$_POST[from]}\r\n);
You only have to do this within other quotation marks and only if the
array's index is a string.
Hope that helps,
Larry
--
John Taylor-Johnston
-
If it's not Open Source, it's Murphy's Law.
' ' 'Collège de Sherbrooke:
ô¿ôhttp://www.collegesherbrooke.qc.ca/languesmodernes/
- 819-569-2064
°v° Bibliography of Comparative Studies in Canadian, Québec and Foreign
Literatures
/(_)\ Université de Sherbrooke
^ ^ http://compcanlit.ca/ T: 819.569.2064
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals (more)
Patience please :)
See my html below. Basically, if type=checkbox is checked, I'm trying to build
$to string in mail().
parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or
T_VARIABLE or T_NUM_STRING line 4
How do I rebuild this peice of code to be register_globals=off friendly?
Just when I thought I was getting good. This keeps up, I'm changing back the
php.ini myself.
John
1for ($i = 1; $i = $_POST[NMax]; $i++)
2{
3 $CheckVariable = \{$_POST['Check$i']};
4 eval(\$CheckVariable = \$CheckVariable\;);
5 $nameVariable = \{$_POST['name$i']};
6 eval(\$nameVariable = \$nameVariable\;);
7 $emailVariable = \{$_POST['email$i']};
8 eval(\$emailVariable = \$emailVariable\;);
9
10#echo ${Check$i};
11#echo $CheckVariable $emailVariable - $ibr;
12
13if ($CheckVariable)
14$to .= \$nameVariable\ .$emailVariable.,;
15
16}
17
18echo $to;
INPUT TYPE=checkbox NAME=Check1 VALUE=John CHECKEDJohn
input type=hidden name=name1 value=John
input type=hidden name=email1 value=[EMAIL PROTECTED]
br
INPUT TYPE=checkbox NAME=Check2 VALUE=Alessandra CHECKEDAlessandra
input type=hidden name=name2 value=Alessandra
input type=hidden name=email2 value=[EMAIL PROTECTED]
br
...
input type=hidden name=NMax value=29
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals and ini_set
If i use, at the beginning of my scripts,
ini_set('register_globals', 0), register globals will be
turned off?
if you have php = 4.2.3 yes, otherwise no.
it has to be set in php.ini, .htaccess, or httpd.conf
You may NEVER set register_globals at runtime with
ini_set() regardless of PHP version.
Regards,
Philip
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals and ini_set
On Fri, July 8, 2005 7:50 am, Terry Romine said: You *ARE* doing session_start at the top of each page, right?... Ya gotta do that. I was setting the $_SESSION by: $_SESSION['var_name'] = this; or $my_local = this; $_SESSION['var_name'] = $my_local; There *WAS* a bug in PHP [mumble] (4.1.10???) where the $_SESSION data was leaking out to PHP as a string reference (never mind PHP has no such data type). You could detect it by dumping out $_SESSION and you would see an in front of all the strings. So if you later did: $var_name = ''; Then your $_SESSION['var_name'] was *ALSO* getting set to '' I had stopped using session_register() some time back. Sporatically meaning that some of my variables are working fine, while others seem to become empty when referenced by a later script. These scripts were working fine on the older PHP version. I'm sure it's just a quick determination as to what to change, and then I can do a global update across the site. There are about 20-30 websites that this affects, so you can see my frustration in trying to do this by bits and pieces. I had done a test file like this: test1.php: ?php $_SESSION['check'] = test 1; echo($_SESSION['check']); ? a href='test2.php'Click/a and test2.php: ?php echo($_SESSION['check']); ? test1.php displays test1 but test2.php displays nothing. Looks to me more like the more mundane: You didn't do session_start() at the beginning of both scripts. Go to Jail. Do not collect $400. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register globals and ini_set
Hi,
If i use, at the beginning of my scripts, ini_set('register_globals', 0),
register globals will be turned off?
Thanks
Re: [PHP] Register globals and ini_set
if you have php = 4.2.3 yes, otherwise no.
it has to be set in php.ini, .htaccess, or httpd.conf
[EMAIL PROTECTED] wrote:
Hi,
If i use, at the beginning of my scripts, ini_set('register_globals', 0),
register globals will be turned off?
Thanks
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals and ini_set
I'm having a serious pain with globals.. maybe someone can help.
My major client moved her service from one server to another, and with it, PHP
went from 4.1 to 4.2+.
Register Globals was turned off, and when everything failed to work, tech
support turned them back on via .htaccess. I'm planning to update the hundreds
of scripts over the next weekend or so, but for right now,
my $_SESSION['variable'] seem to be failing sporatically. It doesn't seem to
make a difference whether I have session_start() at the top of the file or not.
Shouldn't something like this work?
?php
session_start();
$my_local=$_SESSION['global_var'];
echo($my_local);
?
where $global_var is set in one file and then used in another?
Thanks for any help
Terry
-Original Message-
From: Sebastian [EMAIL PROTECTED]
Sent: Jul 8, 2005 6:42 AM
To: [EMAIL PROTECTED]
Cc: php-general@lists.php.net
Subject: Re: [PHP] Register globals and ini_set
if you have php = 4.2.3 yes, otherwise no.
it has to be set in php.ini, .htaccess, or httpd.conf
[EMAIL PROTECTED] wrote:
Hi,
If i use, at the beginning of my scripts, ini_set('register_globals', 0),
register globals will be turned off?
Thanks
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals and ini_set
Since you mention the PHP version was old (4.1) then I have to ask: were you using the $_SESSION array all along or were you using session_register to register session variables? Although you probably aren't since that would be rather easy to debug. The script in which your global_variable was set makes absolutely no difference. PHP is just looking for the SID someplace anyways (whether that's COOKIE, GET or POST) and then it goes and retrieves that session that matches that SID. OK... when you say that it fails sporadically, what do you mean exactly? Probably, based on what you've just said, you're somehow assigning into your $_SESSION variables through the use of global variables that have the same name as your $_SESSION indexes. http://php.net/manual/en/ref.session.php#ini.session.bug-compat-42 -- NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-generalw=2 STFM | http://php.net/manual/en/index.php STFW | http://www.google.com/search?q=php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals and ini_set
I was setting the $_SESSION by: $_SESSION['var_name'] = this; or $my_local = this; $_SESSION['var_name'] = $my_local; I had stopped using session_register() some time back. Sporatically meaning that some of my variables are working fine, while others seem to become empty when referenced by a later script. These scripts were working fine on the older PHP version. I'm sure it's just a quick determination as to what to change, and then I can do a global update across the site. There are about 20-30 websites that this affects, so you can see my frustration in trying to do this by bits and pieces. I had done a test file like this: test1.php: ?php $_SESSION['check'] = test 1; echo($_SESSION['check']); ? a href='test2.php'Click/a and test2.php: ?php echo($_SESSION['check']); ? test1.php displays test1 but test2.php displays nothing. Terry -Original Message- From: Jason Barnett [EMAIL PROTECTED] Sent: Jul 8, 2005 9:15 AM To: php-general@lists.php.net Subject: Re: [PHP] Register globals and ini_set Since you mention the PHP version was old (4.1) then I have to ask: were you using the $_SESSION array all along or were you using session_register to register session variables? Although you probably aren't since that would be rather easy to debug. The script in which your global_variable was set makes absolutely no difference. PHP is just looking for the SID someplace anyways (whether that's COOKIE, GET or POST) and then it goes and retrieves that session that matches that SID. OK... when you say that it fails sporadically, what do you mean exactly? Probably, based on what you've just said, you're somehow assigning into your $_SESSION variables through the use of global variables that have the same name as your $_SESSION indexes. http://php.net/manual/en/ref.session.php#ini.session.bug-compat-42 -- NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-generalw=2 STFM | http://php.net/manual/en/index.php STFW | http://www.google.com/search?q=php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals=ON
Which process is better to use in PHP?
Having register_globals=on and referring to variables as if($name){} or
using $_GET $_POST statements like if(isset($_GET['name']))?
What is the main advantage/disadvantage in both cases.
Thanks
HarryG
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals=ON
On Mon, 3 Jan 2005 22:21:48 +1100, HarryG [EMAIL PROTECTED] wrote:
Which process is better to use in PHP?
Having register_globals=on and referring to variables as if($name){} or
using $_GET $_POST statements like if(isset($_GET['name']))?
What is the main advantage/disadvantage in both cases.
It's all right there in the fine manual:
http://us2.php.net/register_globals
--
Greg Donald
Zend Certified Engineer
http://destiney.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals=ON
HarryG wrote:
Having register_globals=on and referring to variables as if($name){} or
using $_GET $_POST statements like if(isset($_GET['name']))?
What is the main advantage/disadvantage in both cases.
Doesn't matter if it's on or off, really.
1) Don't trust any input from the user
2) Always initialize any variables you use
Follow those two rules and you can program secure programs that will not
depend upon register globals.
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals www.phparch.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals=ON
HarryG wrote:
Which process is better to use in PHP?
Having register_globals=on and referring to variables as if($name){} or
using $_GET $_POST statements like if(isset($_GET['name']))?
What is the main advantage/disadvantage in both cases.
The only advantage in register_globals = ON is a slight convenience factor
in using: $foo instead of $_GET['foo'].
The disadvantages include:
#1: Major security issue. This is documented with a clear-cut example at:
http://us3.php.net/register_globals
Read this page, and re-read this page, and keep asking questions until you
COMPLETELY understand the issue.
#1a: It's possible that you're a PERFECT programmer and would never write
code like this... But then you go installing that PHP forum, or database
abstraction class, or enhanced (cough, cough) email sending class or ...
and you have to rely on the OTHER guy being a perfect programmer... Not
gonna happen, my friend. Turn register_globals OFF
#2: Your code should be self-documenting in terms of WHERE the variables
come from. $foo tells me nothing about where it came from. $_GET['foo']
tells me it came from the URL after the ? with a ?foo=xxx. $_POST['foo']
tells me it came from a form with some kind of INPUT tag with NAME=foo
(or possibly NAME=foo[] or even NAME=foo[index] . You can even use
$_REQUEST['foo'] to indicate that your script happily accepts either POST
or GET data.
#3: I've never seen it measured, but I suppose there is some
infinitesimally small performance advantage to register_globals = OFF,
since then PHP doesn't have to loop through and set all the values...
This is a non-issue unless you are passing a *TON* of variables through
HTTP, which is probably a Bad Idea (tm) in the first place.
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
* Thus wrote Matthew Sims:
I just signed up with a new hosting site. So first thing I did was check
what phpinfo() had to say.
I see that register_globals is turned on. Now I always use the $_GET and
$_POST vars but will this still affect me?
As long as you dont use third party software you will be perfectly
fine. As Mr. Holmes pointed out, its all depends on how the code
was written, having register gobals off makes it more obvious of the
insesurity:
globals == on:
/script.php?loggedin=1
?php
/* a major mistake when one uses
* session_register('loggedin');
* which forces any variable that is defined in
* global scope aka, _GET, _POST, SESSION...
*/
if ($loggedin) {
echo Display confidential information;
}
?
globals == off; secured
?php
/* know exactly where the loggedin variable comes from */
$loggedin = $_SESSION['loggedin'];
if ($loggedin) {
echo Display confidential information;
}
The major differnce between the two is that in the first example
the variable is never officially defined within the php code, and
where it actually is being set is rather undpredictable.
With the latter example, you are ensuring that the variable
$loggedin is from the session variable. But then now the quesion
arises, was that session variable set properly...
So in summary, register_globals=off ensures the script how the
variables are being accessed, but it doesn't mean they were set
properly in the first place.
HTH,
Curt
--
Quoth the Raven, Nevermore.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals
I just signed up with a new hosting site. So first thing I did was check what phpinfo() had to say. I see that register_globals is turned on. Now I always use the $_GET and $_POST vars but will this still affect me? -- --Matthew Sims --http://killermookie.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Register Globals
[snip] I just signed up with a new hosting site. So first thing I did was check what phpinfo() had to say. I see that register_globals is turned on. Now I always use the $_GET and $_POST vars but will this still affect me? [/snip] Nope, you can keep using, and should keep using, the $_GET and $_POST arrays. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Register Globals
[snip] I just signed up with a new hosting site. So first thing I did was check what phpinfo() had to say. I see that register_globals is turned on. Now I always use the $_GET and $_POST vars but will this still affect me? [/snip] Nope, you can keep using, and should keep using, the $_GET and $_POST arrays. And this won't pose as a security risk to me? Just for kicks I tried using the .htaccess to turn it off locally but the hosting site doesn't have the AllowOverride option set for me. -- --Matthew Sims --http://killermookie.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
On Monday 25 October 2004 02:50 pm, Matthew Sims wrote: [snip] I see that register_globals is turned on. Now I always use the $_GET and $_POST vars but will this still affect me? [snip] Matthew, Although it shouldn't affect you, I had a terrible time trying to get anything to pass via sessions with register_globals=on with a site I had rebuilt. All sorts of strange behavior -- if you look back in the archives you see what I mean. Once register_globals was switched to 'off' everything worked as expected. Sorry to throw a wrench into the works! Hth, Andre -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
Jay Blanchard wrote: [snip] I just signed up with a new hosting site. So first thing I did was check what phpinfo() had to say. I see that register_globals is turned on. Now I always use the $_GET and $_POST vars but will this still affect me? [/snip] Nope, you can keep using, and should keep using, the $_GET and $_POST arrays. You may be able to turn off register_globals for your site using an .htaccess file, also. -- ---John Holmes... Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ php|architect: The Magazine for PHP Professionals www.phparch.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
And this won't pose as a security risk to me?
It will. You could emulate namespaces in php. Do something like this:
function init_namespace()
{
// all your script code goes here
}
init_namespace(); // notice the call
This way any globally registered post/get/cookie etc variables wont be
accessible by your code without extra global keywords.
Or go another way to write your code register_globals independant.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
Simas Toleikis wrote: And this [register globals] won't pose as a security risk to me? It will. No, it won't. register_globals is not a security risk. Poorly written code that does not adequately initialize variables or account for variables from outside sources can present security risks. You can write secure code with register globals ON and OFF. -- ---John Holmes... Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ php|architect: The Magazine for PHP Professionals www.phparch.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
On Mon, 25 Oct 2004 11:50:39 -0700 (PDT), Matthew Sims [EMAIL PROTECTED] wrote: I see that register_globals is turned on. Now I always use the $_GET and $_POST vars but will this still affect me? .htaccess php_flag register_globals off -- Greg Donald Zend Certified Engineer http://gdconsultants.com/ http://destiney.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] register globals changed to off, script breaks
I had a couple pages that had used a few 'a href' links to create a URL like this: http://mydomain.com/profile.php?cid=6 When you clicked the link, it went to the profile.php page, which had the following code snippet: foreach($_GET as $varname = $value) $formVars[$varname] = trim($value); This worked great when the server had 'register globals' set to on. However, desiring to tighten up the security of the server a bit, I turned register globals to off. Now the above code snippet doesn't work. I've done quite a bit of searching and reading and haven't yet come up with a similar substitute (and I'm still learning PHP) for creating the variable array from the GET. What does work is: $cid = $_GET($varname); But that is only for when a single variable is passed, not when a bunch of them get passed and need to be put into an array. Would appreciate any tips. Thanks Kevin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register globals changed to off, script breaks
On Thu, 30 Sep 2004 14:33:30 -0400, Kevin Coyner [EMAIL PROTECTED] wrote: What does work is: $cid = $_GET($varname); But that is only for when a single variable is passed, not when a bunch of them get passed and need to be put into an array. $_GET is already an array, why reassign to another array at all? Unless you need to mangle the values, I'd just use the $_GET array as it is. Meanwhile, you might want to look at print_r($_GET) to see if it actually contains what you think it's supposed to. -- Greg Donald Zend Certified Engineer http://gdconsultants.com/ http://destiney.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register globals off, still not secure?
Hi, Even with register globals off isn't it possible to have a webpage like this: html head /head h2Hello, ?php echo $_SERVER['PHP_AUTH_USER']; ? pI know your password is ?php echo $_SERVER['PHP_AUTH_PW']; ? body /body html Is there a way to make sure apache doesn't set the $SERVER['PHP_AUTH_PW '] global? Thanks. -- /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ Patrick Hutchinson [EMAIL PROTECTED] Engineering Web Systems Administrator 408.527.0305 direct Cisco Systems, Inc. 408.527.2313 fax -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals off, still not secure?
Friday, April 30, 2004, 5:37:15 PM, thus was written: Hi, Even with register globals off isn't it possible to have a webpage like this: Not sure what you are asking. You can have a webpage like this. And I guess it even does what it should - print the information. html head /head h2Hello, ?php echo $_SERVER['PHP_AUTH_USER']; ? pI know your password is ?php echo $_SERVER['PHP_AUTH_PW']; ? body /body html Is there a way to make sure apache doesn't set the $SERVER['PHP_AUTH_PW '] global? No, there is no way. The docs state that those Superglobals are always set. But I wouldn't necessarily say that this is insecure: A user does not have access to those superglobals, except he managed to sneak in some code onto your server - but then you'd have a problem somewhere else. register_globals was intended as a shortcut for lazy programming (my biased opinion only!) to automagically have $PHP_AUTH_PW, etc available. That way some user would have been able to set this variable easily, e.g. with a GET request. No way to directly set a superglobal though by conventional means. Richard -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals off, still not secure?
Thanks for the response. I basically have an environment analogous to an internal ISP. A lot of corporate users that have the ability to make web pages for the intranet etc. Basically management wants PHP turned off now because a rogue user could potentially gather and store people's passwords just by having a line like this in their web page. I'm looking for a way to not have $_SERVER pass the PHP_AUTH_PW portion at the very minimum, so I can justify to them to turn PHP back on. I was under the impression that if an external auth method was used that these weren't set, but I guess I was mistaken. Since PHP is being run as a module, Apache basic auth isn't really external. Thanks. -Patrick Richard Harb wrote: Friday, April 30, 2004, 5:37:15 PM, thus was written: Hi, Even with register globals off isn't it possible to have a webpage like this: Not sure what you are asking. You can have a webpage like this. And I guess it even does what it should - print the information. html head /head h2Hello, ?php echo $_SERVER['PHP_AUTH_USER']; ? pI know your password is ?php echo $_SERVER['PHP_AUTH_PW']; ? body /body html Is there a way to make sure apache doesn't set the $SERVER['PHP_AUTH_PW '] global? No, there is no way. The docs state that those Superglobals are always set. But I wouldn't necessarily say that this is insecure: A user does not have access to those superglobals, except he managed to sneak in some code onto your server - but then you'd have a problem somewhere else. register_globals was intended as a shortcut for lazy programming (my biased opinion only!) to automagically have $PHP_AUTH_PW, etc available. That way some user would have been able to set this variable easily, e.g. with a GET request. No way to directly set a superglobal though by conventional means. Richard -- /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ Patrick Hutchinson [EMAIL PROTECTED] Engineering Web Systems Administrator 408.527.0305 direct Cisco Systems, Inc. 408.527.2313 fax -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals off, still not secure?
Yes. My understanding turning globals off stops using $PHP_AUTH_PW directly. Hi, Even with register globals off isn't it possible to have a webpage like this: html head /head h2Hello, ?php echo $_SERVER['PHP_AUTH_USER']; ? pI know your password is ?php echo $_SERVER['PHP_AUTH_PW']; ? body /body html Is there a way to make sure apache doesn't set the $SERVER['PHP_AUTH_PW '] global? Thanks. -- /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ Patrick Hutchinson [EMAIL PROTECTED] Engineering Web Systems Administrator 408.527.0305 direct Cisco Systems, Inc. 408.527.2313 fax -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals off, still not secure?
Patrick Hutchinson wrote: Thanks for the response. I basically have an environment analogous to an internal ISP. A lot of corporate users that have the ability to make web pages for the intranet etc. Basically management wants PHP turned off now because a rogue user could potentially gather and store people's passwords just by having a line like this in their web page. I'm looking for a way to not have $_SERVER pass the PHP_AUTH_PW portion at the very minimum, so I can justify to them to turn PHP back on. I was under the impression that if an external auth method was used that these weren't set, but I guess I was mistaken. Since PHP is being run as a module, Apache basic auth isn't really external. Thanks. -Patrick Yikes, talk about throwing the baby out with the bathwater! You may want to look into the auto_prepend_file php.ini setting. If you really want to do it, you can set it up so that the auto-prepended file unsets those values from $_SERVER so that the scripts can't abuse them. auto_prepend_file = /var/www/killPasswords.php ?php unset($_SERVER['PHP_AUTH_PW']); ? Richard Harb wrote: Friday, April 30, 2004, 5:37:15 PM, thus was written: Hi, Even with register globals off isn't it possible to have a webpage like this: Not sure what you are asking. You can have a webpage like this. And I guess it even does what it should - print the information. html head /head h2Hello, ?php echo $_SERVER['PHP_AUTH_USER']; ? pI know your password is ?php echo $_SERVER['PHP_AUTH_PW']; ? body /body html Is there a way to make sure apache doesn't set the $SERVER['PHP_AUTH_PW '] global? No, there is no way. The docs state that those Superglobals are always set. But I wouldn't necessarily say that this is insecure: A user does not have access to those superglobals, except he managed to sneak in some code onto your server - but then you'd have a problem somewhere else. register_globals was intended as a shortcut for lazy programming (my biased opinion only!) to automagically have $PHP_AUTH_PW, etc available. That way some user would have been able to set this variable easily, e.g. with a GET request. No way to directly set a superglobal though by conventional means. Richard -- paperCrane Justin Patrin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals is_upload_file
I'm converting old code to work with Register globals turned off in php.ini. With it on, is_upload_file($filename) works fine but when turned off doesn't work at all. What am I missing.. Help me please !! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals is_upload_file
http://us3.php.net/features.file-upload --- bill [EMAIL PROTECTED] wrote: I'm converting old code to work with Register globals turned off in php.ini. With it on, is_upload_file($filename) works fine but when turned off doesn't work at all. What am I missing.. Help me please !! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php __ Do you Yahoo!? Yahoo! SiteBuilder - Free web site building tool. Try it! http://webhosting.yahoo.com/ps/sb/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals is_upload_file
bill wrote: I'm converting old code to work with Register globals turned off in php.ini. With it on, is_upload_file($filename) works fine but when turned off doesn't work at all. What am I missing.. Help me please !! ...the Handling file uploads section of the manual. http://www.php.net/manual/en/features.file-upload.php And you more than likely need to give it the path to the upload directory, as well as the tmp filename. -- By-Tor.com It's all about the Rush http://www.by-tor.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals is_upload_file
You are working with Register globals turned off, so try is_upload_file($_FILES['tmp_name']['filename']) bill wrote: I'm converting old code to work with Register globals turned off in php.ini. With it on, is_upload_file($filename) works fine but when turned off doesn't work at all. What am I missing.. Help me please !! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] register globals question
Hello, I am wondering if an application written to work with register globals set to off ($_GET[variable] etc.) would work with a system, where register globals is set to on? If not, is there a way to make it work for boty configurations? thanx for any help on that, Merlin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals
I would like to rewrite my scripts to work when register globals is off. The problem is that my scripts encompass several thousand files. Does anyone have any suggestions for an effective tool to help in this process? Daryl Meese -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
a good editor with a good find and replace tool... i know dreamweaver MX can do a find and replace for an entire site once you've defined it. - Original Message - From: Daryl Meese [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, July 21, 2003 1:17 PM Subject: [PHP] Register Globals I would like to rewrite my scripts to work when register globals is off. The problem is that my scripts encompass several thousand files. Does anyone have any suggestions for an effective tool to help in this process? Daryl Meese -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Register Globals
Hi,
include this code in your header file :
// _GET
if (isset($_GET))
while (list($key, $val) = each($_GET))
{
eval ($.$key. = '.$val.';);
}
// _POST
if (isset($_POST))
while (list($key, $val) = each($_POST))
{
eval ($.$key. = '.$val.';);
}
// _SESSION
if (isset($_SESSION))
while (list($key, $val) = each($_SESSION))
{
eval ($.$key. = '.$val.';);
}
It may works (I have not expirimence it)
Stf
-Message d'origine-
De : Daryl Meese [mailto:[EMAIL PROTECTED]
Envoyé : lundi 21 juillet 2003 14:18
À : [EMAIL PROTECTED]
Objet : [PHP] Register Globals
I would like to rewrite my scripts to work when register globals is off.
The problem is that my scripts encompass several thousand files. Does
anyone have any suggestions for an effective tool to help in this process?
Daryl Meese
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Register Globals
a simple extract($_POST) or extract($_GET) would also work
On Mon, 2003-07-21 at 14:22, stfmoreau wrote:
Hi,
include this code in your header file :
// _GET
if (isset($_GET))
while (list($key, $val) = each($_GET))
{
eval ($.$key. = '.$val.';);
}
// _POST
if (isset($_POST))
while (list($key, $val) = each($_POST))
{
eval ($.$key. = '.$val.';);
}
// _SESSION
if (isset($_SESSION))
while (list($key, $val) = each($_SESSION))
{
eval ($.$key. = '.$val.';);
}
It may works (I have not expirimence it)
Stf
-Message d'origine-
De : Daryl Meese [mailto:[EMAIL PROTECTED]
Envoy : lundi 21 juillet 2003 14:18
: [EMAIL PROTECTED]
Objet : [PHP] Register Globals
I would like to rewrite my scripts to work when register globals is off.
The problem is that my scripts encompass several thousand files. Does
anyone have any suggestions for an effective tool to help in this process?
Daryl Meese
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Register Globals
-Original Message-
From: stfmoreau [mailto:[EMAIL PROTECTED]
Sent: 21 July 2003 13:23
include this code in your header file :
// _GET
if (isset($_GET))
while (list($key, $val) = each($_GET))
{
eval ($.$key. = '.$val.';);
}
Whoa! Nasty and inefficient!!
I can understand if you decide initially to use a brute-force drop-in
replacement for register_globals, and leave modifying the rest of your code
until later, but really:
(i) Better:
// _GET
if (isset($_GET))
foreach ($_GET as $key=$val)
{
$$key = $val;
}
(ii) Even better:
// _GET
if (isset($_GET))
extract($_GET);
Cheers!
Mike
-
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Register Globals
OK, sorry, I tried to help... and finaly I learn (I didn't know extract...)
-Message d'origine-
De : Ford, Mike [LSS] [mailto:[EMAIL PROTECTED]
Envoyé : lundi 21 juillet 2003 14:35
À : 'stfmoreau'; Daryl Meese; [EMAIL PROTECTED]
Objet : RE: [PHP] Register Globals
-Original Message-
From: stfmoreau [mailto:[EMAIL PROTECTED]
Sent: 21 July 2003 13:23
include this code in your header file :
// _GET
if (isset($_GET))
while (list($key, $val) = each($_GET))
{
eval ($.$key. = '.$val.';);
}
Whoa! Nasty and inefficient!!
I can understand if you decide initially to use a brute-force drop-in
replacement for register_globals, and leave modifying the rest of your code
until later, but really:
(i) Better:
// _GET
if (isset($_GET))
foreach ($_GET as $key=$val)
{
$$key = $val;
}
(ii) Even better:
// _GET
if (isset($_GET))
extract($_GET);
Cheers!
Mike
-
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
whoa, i didn't know that. i love this mailing list! :) Petre Agenbag wrote: a simple extract($_POST) or extract($_GET) would also work -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
* Thus wrote stfmoreau ([EMAIL PROTECTED]):
Hi,
include this code in your header file :
// _GET
if (isset($_GET))
while (list($key, $val) = each($_GET))
{
eval ($.$key. = '.$val.';);
}
// _POST
if (isset($_POST))
while (list($key, $val) = each($_POST))
{
eval ($.$key. = '.$val.';);
}
// _SESSION
if (isset($_SESSION))
while (list($key, $val) = each($_SESSION))
{
eval ($.$key. = '.$val.';);
}
It may works (I have not expirimence it)
You can shorten it down a bit:
if (isset($_REQUEST) ) {
foreach($_REQUEST as $key = $val) {
$$key = $val;
}
}
I'm not sure if session is there but I know the $_REQUEST has all GET,
POST and COOKIE vars. Of course this isn't completely compatible with
how register_globals works. There is GPC ordering of where to get the
variables from.
$GPC = GPC
for($i = 0; i strlen($GPC); $i++) {
switch($GPC{$i}) {
case 'G': $VAR = '_GET'; break;
case 'P': $VAR = '_POST'; break;
case 'C': $VAR = '_COOKIES'; break;
}
if (isset($$VAR) ) {
foreach($$VAR as $key = $val) {
eval(global $$key); //make it global if this is in a function
$$key = $val; //set value
}
}
}
Curt
--
I used to think I was indecisive, but now I'm not so sure.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
* Thus wrote stfmoreau ([EMAIL PROTECTED]): (ii) Even better: // _GET if (isset($_GET)) extract($_GET); Cool.. ya learn somthing every day... thanks.. Curt -- I used to think I was indecisive, but now I'm not so sure. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
What is your aim?
a) to have the site *work* on a server with rg off, or;
b) to re-engineer your site to be safer and more secure, taking
advantage of the REASONS rg was turned off by default?
If it's a, then look at my example on weberdev, or just switch them
back on with something like a .htaccess file.
http://www.weberdev.com/get_example.php3?count=3639
If it's b, then I hope your code is well organised and documented,
because it's a lot of work... I've done it on a few of my sites, but
they were all 200 scripts.
1. you need to recognise which GET variables are being used in which
scripts, then perform a search replace. Eg replace all instances of
$page with $_GET['page'], then test test test to see if everything
still works.
2. do the same for POST variables (little easier, because you can view
the contents of your forms to get a list -- if you haven't got it all
documented somewhere).
3. review your session code (hopefully it's one include file, not 100's
of files), replacing your old style code:
?
$foo = 'bah';
session_register('foo');
// etc
?
with
?
$_SESSION['foo'] = 'bah';
// etc
?
Then find all occurrences of $foo and replace it with $_SESSION['foo'],
etc etc.
Test test test.
4. Review your cookies implementation (if any), and replace all your
$cookieVars with $_COOKIE['cookieVars'].
Test test test.
That's the four biggest areas to worry about. I ended up re-writing my
session code from scratch, and wasn't using cookies (other than session
ones), so it was a relatively pain-free job, especially with a good
search/replace text editor doing most o the work for me.
I can also recommend doing a back-up of the entire site first, and
turning off register globals before you start. So that you're testing
the 'broken' code from day 1.
Good luck!
Justin
On Monday, July 21, 2003, at 10:17 PM, Daryl Meese wrote:
I would like to rewrite my scripts to work when register globals is
off.
The problem is that my scripts encompass several thousand files. Does
anyone have any suggestions for an effective tool to help in this
process?
Daryl Meese
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
---
[This E-mail scanned for viruses]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] register globals :|
Is there any work-around to get a scipt that requires globals to be ON work when globals is OFF? Its a small script so it shouldn't be too hard... I just don't know what to look for or what has to be changed so it works again... (since i moved servers...) Thanks for any help. cheers, - Sebastian
Re: [PHP] register globals :|
Hmm .. might be easier to use an .htaccess. Is it possible to enable Register Global just for the script and not the site? I heard it's possible to enable it on just one directory (where the script resides). cheers, - Sebastian - Original Message - From: Leif K-Brooks [EMAIL PROTECTED] | http://www.php.net/manual/en/function.import-request-variables.php at | the top of the script, or use .htaccess to change RG to on. | | Sebastian wrote: | | Is there any work-around to get a scipt that requires globals to be ON work | when globals is OFF? | | Its a small script so it shouldn't be too hard... I just don't know what to | look for or what has to be changed so it works again... (since i moved | servers...) | | Thanks for any help. | | cheers, | - Sebastian | | | | | -- | The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law. | | | -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register globals :|
- Original Message - From: Sebastian [EMAIL PROTECTED] To: php list [EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 3:45 PM Subject: [PHP] register globals :| Is there any work-around to get a scipt that requires globals to be ON work when globals is OFF? Its a small script so it shouldn't be too hard... I just don't know what to look for or what has to be changed so it works again... (since i moved servers...) Thanks for any help. cheers, - Sebastian http://www.php.net/manual/en/security.registerglobals.php You'll find examples at the bottom of the page of some code that you can add to the script. Or if you know where the input for the script is coming from then you can use extract($_POST) or extract($_SERVER), or whatever, at the top of the script. HTH, Kevin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register globals :|
Only per-directory, by putting a .htaccess file in that directory which turns RG on. Sebastian wrote: Hmm .. might be easier to use an .htaccess. Is it possible to enable Register Global just for the script and not the site? I heard it's possible to enable it on just one directory (where the script resides). cheers, - Sebastian - Original Message - From: Leif K-Brooks [EMAIL PROTECTED] | http://www.php.net/manual/en/function.import-request-variables.php at | the top of the script, or use .htaccess to change RG to on. | | Sebastian wrote: | | Is there any work-around to get a scipt that requires globals to be ON work | when globals is OFF? | | Its a small script so it shouldn't be too hard... I just don't know what to | look for or what has to be changed so it works again... (since i moved | servers...) | | Thanks for any help. | | cheers, | - Sebastian | | | | | -- | The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law. | | | -- The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register globals on and off
Hello people, On my development machine (win XP/Apache 2.0.44/PHP 4.3.0/MySQL 3.23.55) i have several websites that i made some time ago that require register globals to be On in the php.ini. Ofcourse i know thats not a good idea at all for security, but rewriting all this code is not an option. However in my php.ini i have set register globals to Off because that better. Is it possible to configure my webserver/php so that only those sites that require register globals to be On have that setting, for instance in a .htacces file?? Any help is appreciated:-) Best regards, Davy Obdam mailto:[EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re:[PHP] Register globals on and off
Hi Davy, I found the following in the php manual: Please note that register_globals cannot be set at runtime (ini_set()). Although, you can use .htaccess if your host allows it as described above. An example .htaccess entry: php_flag register_globals on. on this page: http://www.php.net/manual/en/configuration.directives.php I've also used this format in apache conf files and, I believe, in .htaccess files: php_value include_path /web/lib/php:. Daniel At 7:52 AM +0100 on 1/30/03, Davy Obdam wrote: Hello people, On my development machine (win XP/Apache 2.0.44/PHP 4.3.0/MySQL 3.23.55) i have several websites that i made some time ago that require register globals to be On in the php.ini. Ofcourse i know thats not a good idea at all for security, but rewriting all this code is not an option. However in my php.ini i have set register globals to Off because that better. Is it possible to configure my webserver/php so that only those sites that require register globals to be On have that setting, for instance in a .htacces file?? Any help is appreciated:-) Best regards, Davy Obdam mailto:[EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Daniel Leighton Chief Technology Officer Webolution http://www.webolution.com This email may contain material that is confidential and privileged for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] register globals off ...problems
I have the following problem, help me please!!!.
php 4.2.2
register globals off
apache 1.3.27
windows 2000
internet explorer 6.0 SP1
I have two archives.
One that handles the code part, as validating form's inputs and inserting in
the data base, and other one is the fill-out form.
Inside of the form, includes an field in order to upload a image file .
The problem comes when I inputs (submit) image in said field, When uploading
it, the variables POST, GET, REQUEST does not identify to the mode
variable neither to the rests the form's fields.
But if not submit an image in that image field, it identifies all the form's
variables,.
The drive is the following.
mode take first the value of addresi, later changes to the value insert
when enters in the print_add_resi_form function inside of the sentence
switch.
The $ME variable take the value of http://localhost/../residente.php;
What can be happening ?
/***/
residente.php
?
include($_SERVER['DOCUMENT_ROOT']./aruni/config.php);
//require_login();
//require_priv(admin);
$DOC_TITLE = Lista de Residentes;
include(plantilla/encabezado.php);
echo $_REQUEST[mode].br;
echo $_GET[mode].br;
echo $_POST[mode].br;
echo $_FILES[mode].br;
echo br;
echo br;
foreach($_REQUEST as $key=$value){
echo $key.--.$value.br;
}
echo br;
echo br;
foreach($_POST as $key=$value){
echo $key.--.$value.br;
}
echo br;
echo br;
foreach($_GET as $key=$value){
echo $key.--.$value.br;
}
echo br;
echo br;
foreach($_FILES as $key=$value){
echo $key.--.$value.br;
}
echo br;
echo br;
//echo $_GET.br;
//echo $_POST.br;
//echo $_FILES.br;
//echo $_HTTP_POST_VARS[mode];
switch ($_REQUEST[mode]) {
case addresi :
print_add_resi_form(nvl($_REQUEST[category_id], 1));
break;
...
case insert :
insert_resi($_REQUEST[id], $_POST, $_FILES[frmmg]);
break;
...
default :
print_resi_list();
break;
}
function print_add_resi_form($idresi = 1) {
global $ME, $CFG;
...
$frm01[mode] = insert;
...
include(plantilla/form01.php);
}
function insert_resi($id, $form, $formimg){
global $ME, $CFG;
}
/***/
/*/
form01.php
form method=post enctype=multipart/form-data action=?=$ME?
input type=hidden name=id value=?=$id?
input type=hidden name=mode value=?=$frm01[mode]?
...
input type=file name=frmmg
...
/form
//
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals Off in .htacces
Hi to Everyone, I just want to know if there is a way that i can have register_globals On in my php.ini file but for some application i can turn that Off perhaps with a .htacces file. Thx for any help. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Register Globals Off in .htacces
Hi, I just want to know if there is a way that i can have register_globals On in my php.ini file but for some application i can turn that Off perhaps with a .htacces file. In your .htaccess: php_flag register_globals on or php_flag register_globals off Manual pages at http://www.php.net/manual/en/configuration.changes.php Cheers Jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals Off in .htacces
Thx for your reply It is working. I also found from php.net that it's possible to set register_globals to off on a site-by-site basis via Apache, thus overriding the global setting of register_globals in php.ini: In httpd.conf: VirtualHost 127.0.0.1 ServerName localhost DocumentRoot /var/www/html/mysite php_value register_globals 0 (or 1 for on) /VirtualHost That way, sites with old code can have register globals turned on, but for all new developments it will be disabled. Jon Haworth wrote: Hi, I just want to know if there is a way that i can have register_globals On in my php.ini file but for some application i can turn that Off perhaps with a .htacces file. In your .htaccess: php_flag register_globals on or php_flag register_globals off Manual pages at http://www.php.net/manual/en/configuration.changes.php Cheers Jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Register Globals Off in .htacces
Hi, Thx for your reply It is working. No probs, glad to help. I also found from php.net that it's possible to set register_globals to off on a site-by- site basis via Apache, thus overriding the global setting of register_globals in php.ini: VirtualHost 127.0.0.1 ServerName localhost DocumentRoot /var/www/html/mysite php_value register_globals 0 (or 1 for on) /VirtualHost Yup, or even in directories: Directory /var/www/html/mysite/foo php_value register_globals 0 /Directory Which might be handy if you're updating scripts on a live site. Cheers Jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals Off in .htacces
On Fri, 25 Oct 2002 13:16:27 +0300 Tjoumaidis [EMAIL PROTECTED] wrote: Hi to Everyone, I just want to know if there is a way that i can have register_globals On in my php.ini file but for some application i can turn that Off perhaps with a .htacces file. I prefer it Off in php.ini and On in the .htaccess file. php_flag register_globals On Yes, you can do it. Alister -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals Off in .htacces
it works only if i put it in my httpd.conf - yes allowoveride is set to all :/ i'm using apache 1.3.27 on win2k. Jon Haworth wrote: Hi, Thx for your reply It is working. No probs, glad to help. I also found from php.net that it's possible to set register_globals to off on a site-by- site basis via Apache, thus overriding the global setting of register_globals in php.ini: ServerName localhost DocumentRoot /var/www/html/mysite php_value register_globals 0 (or 1 for on) Yup, or even in directories: php_value register_globals 0 Which might be handy if you're updating scripts on a live site. Cheers Jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Register Globals Off in .htacces
Hi Frank, ServerName localhost DocumentRoot /var/www/html/mysite php_value register_globals 0 (or 1 for on) it works only if i put it in my httpd.conf - yes allowoveride is set to all :/ i'm using apache 1.3.27 on win2k. Well, you're doing *something* wrong, 'cos it works fine here :-) You have got an AccessFileName .htaccess directive, right? You might like to try asking in news:comp.infosystems.www.servers.ms-windows, or hanging around here until an Apache guru turns up... Cheers Jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals Off in .htacces
well, i found my mistake ;) on windows i forgot to change the name of the .htaccess-files because on win they couldnt have a extentsion without a name. So i've named them now only htaccess without the dot and it works fine Frank W. wrote: it works only if i put it in my httpd.conf - yes allowoveride is set to all :/ i'm using apache 1.3.27 on win2k. Jon Haworth wrote: Hi, Thx for your reply It is working. No probs, glad to help. I also found from php.net that it's possible to set register_globals to off on a site-by- site basis via Apache, thus overriding the global setting of register_globals in php.ini: ServerName localhost DocumentRoot /var/www/html/mysite php_value register_globals 0 (or 1 for on) Yup, or even in directories: php_value register_globals 0 Which might be handy if you're updating scripts on a live site. Cheers Jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals
Hi, I have just upgraded PHP to 4.2.3 and have found that register_globals defaults to 'off'. I have changed this setting in the php.ini file, yet phpinfo() still shows register_globals = 'off' and my scripts that rely on this setting are failing. The file I edited was /etc/httpd/php.ini, so why is register_globals still set to 'off'? TIA Phil Phil Ewington Technical Director 43 PLC 35 Broad Street, Wokingham Berkshire RG40 1AU Tel: +44 (0)118 978 9500 Fax: +44 (0)118 978 4994 http://www.43plc.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals
What is the name of the file that is registered in your phpinfo().. eg is that the path and name of the config?? Also have you restarted your webserver?? Phil Ewington wrote: Hi, I have just upgraded PHP to 4.2.3 and have found that register_globals defaults to 'off'. I have changed this setting in the php.ini file, yet phpinfo() still shows register_globals = 'off' and my scripts that rely on this setting are failing. The file I edited was /etc/httpd/php.ini, so why is register_globals still set to 'off'? TIA Phil Phil Ewington Technical Director 43 PLC 35 Broad Street, Wokingham Berkshire RG40 1AU Tel: +44 (0)118 978 9500 Fax: +44 (0)118 978 4994 http://www.43plc.com -- Timothy Hitchens Technologist / Entrepreneur e-mail: [EMAIL PROTECTED] mobile: 0419 521 440 - HiTCHO Group - ABN: 85 816 540 110 Web Site: http://www.hitcho.com.au/ Snail Mail: PO Box 101 Arana Hills QLD 4054 Telephone: 07 3351 0951 - Facsimile: 07 3351 0952 IMPORTANT: This email may be the view of the individual and not that of the organisation. The contents of this electronic mail (including attachments) may be privileged and commercially confidential. Any unauthorised use of the contents is expressly prohibited. If you have received this document in error, please advise us by telephone immediately and then delete the document. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register globals on in stand alone php installation?
On Saturday 24 August 2002 16:52, Andy wrote: I do have a command line php version installed and I need to switch register globals to on for this install. Where do I find this php.ini regarding this installation. There is also a web-php installation running where I do have a php.ini for. I hope there is a way to seperate those two installations. When you configure/compile php you can specify where you want php to look for php.ini. -- Jason Wong - Gremlins Associates - www.gremlins.com.hk Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * /* Nobody knows what goes between his cold toes and his warm ears. -- Roy Harper */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register globals off
I am learning PHP with version 4.2. (Win ME, Apache, MySQL) on a PC I have to understand the new register globals off methods and it seems like a good idea to learn that from the beginning but all the books and beginners guides gives examples the old way. Would it be true to say that every time an example is given where data is passed on (for forms and so forth) that I can simply replace the variable in the example with $_POST or $_GET? Or do I have to do more? eg if a simple PHP file for handling form input takes in the data using $LastName can I simply use $_POST[LastName]?? It seems to work for a very simple example. But should I read the array into a variable first? And do I need to do any validation or declaring of variables etc?? [I did have a problem reading in a number - the solution was to put (int) before the POST array name though I don't understand why that was not needed with a string. I am also unclear what happens when you send something using header() - does that also go into an array - if so which one and how do I use it? This may all seem unecessarily complicated but I am not yet au fait with the whole thing. Regards Adrian Greeman -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals off
AG I have to understand the new register globals off methods and it seems AG like a good idea to learn that from the beginning but all the books and AG beginners guides gives examples the old way. give it 3 more weeks and 2nd edition of PHP Fast Easy will be out...all register_global updated and everything. :) but that's 3 whole weeks. AG eg if a simple PHP file for handling form input takes in the data using AG $LastName can I simply use $_POST[LastName]?? pretty much. If POST is the method. Substitute $_GET if GET is the method. Handling session variables is a little different than just using session_register() Also, when uploading files, the $_FILE assoc array behaves a wee bit differently. And there's always the use of $_SERVER[PHP_SELF] instead of just $PHP_SELF. It's all in the manual, but if you just start with understanding the $_POST and $_GET superglobals in relation to your forms, you've made a good first step. - Julie -- Julie Meloni -- [EMAIL PROTECTED] -- www.thickbook.com Find Sams Teach Yourself MySQL in 24 Hours at http://www.amazon.com/exec/obidos/ASIN/0672323494/thickbookcom-20 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals off
On Monday, July 1, 2002, at 11:30 AM, Adrian Greeman wrote: Would it be true to say that every time an example is given where data is passed on (for forms and so forth) that I can simply replace the variable in the example with $_POST or $_GET? Or do I have to do more? Pretty much. If the data was passed by a get-method form, or through the querystring, then the variable should be in the _GET array (such as $_GET['variablename']). Likewise for post-method forms, and any cookie variable names are now $_COOKIE['variablename']. Server variables like $PHP_SELF are now $_SERVER['PHP_SELF'], and you can read the rest under predefined variables in the manual at the web site. eg if a simple PHP file for handling form input takes in the data using $LastName can I simply use $_POST[LastName]?? It seems to work for a very simple example. But should I read the array into a variable first? Only if you want to -- you can always just refer to it as $_GET['variablename']. In fact this is probably better for memory use. And do I need to do any validation or declaring of variables etc?? [I did have a problem reading in a number - the solution was to put (int) before the POST array name though I don't understand why that was not needed with a string. All POSTed or GETed data is string data, so if you for some reason explicitly need to cast the variable as an integer, then yes, you need to use (int). But in many cases PHP does this automatically. I am also unclear what happens when you send something using header() - does that also go into an array - if so which one and how do I use it? I'm assuming you mean sending some querystring data, like header(Location: http://domain.com/page.php?data=contents;); if so, then yes, you will end up with the string 'contents' in a variable called $_GET['data'] . Erik Erik Price Web Developer Temp Media Lab, H.H. Brown [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals = off
Hi Going through some literature, it seems like the use of registered globals can cause security issues. Now, the dilemma, all my previous PHP installations ( for the last year or so ) have come with register globals = on in the php.ini file by default, and users on my system has happily coded their websites using this function. Now , with all the new versions of PHP, the registered globals are turned off in the ini and will basically cause all those previous sites not to function. Which means that I'm between a rock and a hard place, turn the register globals back on and carry on with the security risks, or keep it off and have all those people re-code their sites... Is there a more gentle solution out there? Am I just misunderstanding the issue? Any light on the matter will be appreciated. Thanks -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals = off
On Sunday 30 June 2002 23:12, PHPCoder wrote: Hi Going through some literature, it seems like the use of registered globals can cause security issues. Now, the dilemma, all my previous PHP installations ( for the last year or so ) have come with register globals = on in the php.ini file by default, and users on my system has happily coded their websites using this function. Now , with all the new versions of PHP, the registered globals are turned off in the ini and will basically cause all those previous sites not to function. Which means that I'm between a rock and a hard place, turn the register globals back on and carry on with the security risks, or keep it off and have all those people re-code their sites... Is there a more gentle solution out there? Am I just misunderstanding the issue? Any light on the matter will be appreciated. I don't there are any gentle approaches to this. People will have to bite the bullet sooner or later. What may help slightly is the fact that you can have different settings for register_globals for each virtual host. Thus the global setting for register_globals, ie php.ini, can be off. Then for each of your users who have not yet recoded, enable register_globals in their virtual host setting. Thus the people who have bothered to recode will be able to benefit from a more secure application without being affected by the people who have not yet recoded. -- Jason Wong - Gremlins Associates - www.gremlins.com.hk Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * /* Depart in pieces, i.e., split. */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals = off
You could leave the setting to ON in your php.ini, and impose OFF on a per-directory (account, domain, etc) basis with a .htaccess file (or vice-versa), assuming you have Apache. This will mean all new clients will have the setting to OFF, and will do things the right way from day 1. It will also allow existing clients to modify their setting to OFF (as I do on a shared server) to keep things a little more secure. You could also advise all existing clients of a planned changeover in 12 months, offer code advise (including a simple function at the top of each script can push all $_GET['var'], POST, SESSION, etc vars into standard $vars), and document the many security holes and benefits of upgrading over time. In 12 months, you can changeover to OFF in the php.ini file. At which time coding practices, books, websites, applications and all the rest will be much more inline than they are now. Justin French on 01/07/02 1:12 AM, PHPCoder ([EMAIL PROTECTED]) wrote: Hi Going through some literature, it seems like the use of registered globals can cause security issues. Now, the dilemma, all my previous PHP installations ( for the last year or so ) have come with register globals = on in the php.ini file by default, and users on my system has happily coded their websites using this function. Now , with all the new versions of PHP, the registered globals are turned off in the ini and will basically cause all those previous sites not to function. Which means that I'm between a rock and a hard place, turn the register globals back on and carry on with the security risks, or keep it off and have all those people re-code their sites... Is there a more gentle solution out there? Am I just misunderstanding the issue? Any light on the matter will be appreciated. Thanks -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals - Article
Hi all, Since the hot topic of the last few weeks has definately been the new register_globals deal, I thought the following article will be of huge assistance to many. http://www.WebmasterBase.com/article.php?pid=0aid=758 It's short, to the point, explains why the old way is bad, explains why the new way is good, shows some simple examples, shows you how to get your old scripts up to date, etc etc. Justin French Creative Director http://Indent.com.au -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Register Globals workarounds
Hi all,
For those faced with the task of updating 100's or 1000's of pages that
assumed register_globals on, I've found a couple of solutions which can work
as a temporary solution whilst you re-engineer your pages (as I plan to do).
1. simple: ask your ISP to change php.ini :)
2. use a .htaccess file to change register_globals for your domain / dir, as
long as your Apache config file allows it.
http://www.php.net/manual/en/configuration.php
3. (untested) use ini_set() to turn them back on at a per-script or
per-config file level.
http://www.php.net/manual/en/function.ini-set.php
4. add this code to the top of your pages, or in a common library of code /
config file:
?
foreach($GLOBALS as $key = $value)
{ $$key=$value; }
?
If you have this url: page.php?foo=bah, with register_globals off, $foo will
not be available in your script automatically, as it was in older PHP
versions.
Using the above code, we scroll through the $GLOBALS array, and for each key
(eg foo) we assign a var of the same name (eg $foo) and assign it the
matching value (eg $foo = bah).
The ultimate (secure) solution would be to get your code up to scratch with
the new set-up (and I plan to do this, ASAP), but I myself do not have time
for this, given that I have to update MANY sites within a short time frame,
and my ISP is planning a merge to the new version very soon.
I think foreach() was only available in newer versions of PHP though sorry.
Hope this helps.
Justin French
Creative Director
http://Indent.com.au
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register Globals workarounds
2. use a .htaccess file to change register_globals for your
domain / dir, as long as your Apache config file allows it.
http://www.php.net/manual/en/configuration.php
As Justin stated, doing this (use of .htaccess) is possible
if your host allows it. The following will work in
.htaccess:
php_flag register_globals on
3. (untested) use ini_set() to turn them back on at a
per-script or per-config file level.
http://www.php.net/manual/en/function.ini-set.php
This will not work as expected, $_GET['foo'] will not
be $foo with register_globals set via ini_set().
4. add this code to the top of your pages, or in a common
library of code / config file:
?
foreach($GLOBALS as $key = $value)
{ $$key=$value; }
?
This will not work, the whole point of register_globals is
to register variables into the global scope, which is what
$GLOBALS is. You're also trying to rewrite a ton of variables,
such as $_GET. Not a good idea. To see what I mean, try:
print_r($GLOBALS);
Also note that $GLOBALS lives within $GLOBALS. As do all
the PHP variables.
If you have this url: page.php?foo=bah, with register_globals off,
$foo will not be available in your script automatically, as it
was in older PHP versions.
Just to be clear to everyone, register_globals is a directive that
can be set in php.ini any time, in any version of PHP. Also read
about the mysterious variables_order directive.
Using the above code, we scroll through the $GLOBALS array, and for
each key (eg foo) we assign a var of the same name (eg $foo) and
assign it the matching value (eg $foo = bah).
As stated above, this will not work. register_globals = on will
add 'foo' to $GLOBALS.
I think foreach() was only available in newer versions of PHP
though sorry.
foreach has been around since PHP 4.0.0, see php.net/foreach
for PHP 3 alternatives.
Now, to hack them old scripts to work, consider using either
extract() and/or import_request_variables(). These will allow
you to easily mimik register_globals at runtime. I believe
the following is a pretty good hack to get the job done:
Goal: register a lot of variables into the global scope
order: gpcss (order of $types_to_register)
$types_to_register = array('GET','POST','COOKIE','SESSION','SERVER');
foreach ($types_to_register as $type) {
$arr = ${'HTTP_' . $type . '_VARS'};
if (count($arr) 0) {
extract($arr, EXTR_OVERWRITE);
}
}
Granted that it may not be identical to your register_globals,
it may or may not be what you want so adjust accordingly.
I've posted a few related replies to this topic, see:
Re: Using the new AUTOGLOBALS
http://marc.theaimsgroup.com/?l=php-generalm=101803683730027
Re: tutorial on global variables
http://marc.theaimsgroup.com/?l=php-generalm=102036870428992
Regards,
Philip Olson
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] --register-globals - dev question
Can someone on the dev team remind me at what version --register-globals became the default way PHP works? I looked in the config manual, but it looks like that config optoin has been completely removed from the list. I think now it is in the php.ini file. Is this correct? Thanks Jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Register globals when option is turned on
From: "Ignacio Vazquez-Abrams" [EMAIL PROTECTED] Sent: Wednesday, January 17, 2001 11:33 PM On Wed, 17 Jan 2001, Carsten Gehling wrote: Is there a way to programatically enable the register_globals option for a php-script? For certain reasons I have the register_globals option set to "Off". However, phpMyAdmin will not work unless it is set to "On" therefore, I thought of making a check in the "config.inc.php" if the option is set, and if not, set it. Is there a function that I can call? - Carsten Ugh. Don't do it that way. Instead use Directory, Location, or .htaccess to turn it on for phpMyAdmin. Hmmm... Can you exlpain it a bit more? Cause I frankly don't understand what mean ;-) BTW: You may want to know that I run Win2k and IIS 5.0, not Linux/Apache - Carsten -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] Register globals when option is turned on
Is there a way to programatically enable the register_globals option for a php-script? For certain reasons I have the register_globals option set to "Off". However, phpMyAdmin will not work unless it is set to "On" therefore, I thought of making a check in the "config.inc.php" if the option is set, and if not, set it. Is there a function that I can call? - Carsten -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Register globals when option is turned on
On Wed, 17 Jan 2001, Carsten Gehling wrote: Is there a way to programatically enable the register_globals option for a php-script? For certain reasons I have the register_globals option set to "Off". However, phpMyAdmin will not work unless it is set to "On" therefore, I thought of making a check in the "config.inc.php" if the option is set, and if not, set it. Is there a function that I can call? - Carsten Ugh. Don't do it that way. Instead use Directory, Location, or .htaccess to turn it on for phpMyAdmin. -- Ignacio Vazquez-Abrams [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
