Re: [PHP] register_globals and sessions

2009-11-26 Thread Brady Mitchell
On Wed, Nov 25, 2009 at 3:01 PM, Allen McCabe allenmcc...@gmail.com wrote:
> *Warning*: Unknown: Your script possibly relies on a session side-effect
> which existed until PHP 4.2.3. Please be advised that the session extension
> does not consider global variables as a source of data, unless
> register_globals is enabled. You can disable this functionality and this
> warning by setting session.bug_compat_42 or session.bug_compat_warn to off,
> respectively in *Unknown* on line *0*

It sounds like you're trying to use $_SESSION without having a
session_start() call first.

> I have Googled this extensively, and the solutions other people tried
> (turning off the warning) don't work for me; I don't have permission to my
> PHP settings (currently working on a free-hosted site).

There are many settings that can be changed using the function ini_set
(http://php.net/ini_set) and display_errors is one of them.
That said, it is always best to fix stuff like this than just hiding
it. When you just hide errors/warnings/notices things don't always
work reliably.

HTH,

Brady

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] register_globals and sessions

2009-11-25 Thread Allen McCabe
I am getting the following error message,
but ONLY on a page where I am querying multiple tables, and I don't see the
correlation:

*Warning*: Unknown: Your script possibly relies on a session side-effect
which existed until PHP 4.2.3. Please be advised that the session extension
does not consider global variables as a source of data, unless
register_globals is enabled. You can disable this functionality and this
warning by setting session.bug_compat_42 or session.bug_compat_warn to off,
respectively in *Unknown* on line *0*

I have Googled this extensively, and the solutions other people tried
(turning off the warning) don't work for me; I don't have permission to my
PHP settings (currently working on a free-hosted site).

Does ANYONE know what might be causing this?

On my login page, I use this code snippet to instantiate my SESSION
variables for the session:

// Register $myusername, $mypassword and redirect to default.php?page=211
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;

Again, the error only comes up on the page where I am querying multiple.

If you would like to take a look at this, follow this link and sign in as
username: micky   password: 123456 (
http://lpacmarketing.hostzi.com/afy/orders/)

You will notice on other pages, that error doesn't display, just this one.

Any help would be wonderful, I don't want my users to see this when the
order system is opened for their use.

Thanks!


Re: [PHP] register_globals and magic_quotes_gpc (again)

2007-06-09 Thread Richard Lynch
Are you running PHP as a Module or as CGI or FCGI?

Look at phpinfo() output to be SURE.

If it's not running as a Module, none of those directives are defined,
because Apache (which implements .htaccess) has no friggin' idea what
php_value or php_flag is without PHP Module there to tell it.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] register_globals and magic_quotes_gpc (again)

2007-06-07 Thread Tijnema

Are you sure the rest of your .htaccess file is correct?
And what does your Apache error log show you? there should be an error...

Tijnema




Re: [PHP] register_globals and magic_quotes_gpc (again)

2007-06-07 Thread Afan Pasalic



Tijnema wrote:

> Are you sure the rest of your .htaccess file is correct?
> And what does your Apache error log show you? there should be an error...
>
> Tijnema

The .htaccess file is original, from hosting company, pre-installed.
I can't access the Apache error log.

-afan




[PHP] register_globals and magic_quotes_gpc (again)

2007-06-06 Thread Afan Pasalic

hi,
this question is already posted thousand times. but, after I tried for 2 
hours to figure it out, I gave up and posted the question here.

I'm rebuilding one site. php 4.4.4
as usual, register_globals on, as well as magic_quotes.
I tried to turn it off using .htaccess but what ever I change in the 
(already existing) file, I would get 500 Internal Server Error


this is content of the .htaccess file:

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName mkl1332
AuthUserFile /u/web/afan/_vti_pvt/service.pwd
AuthGroupFile /u/web/afan/_vti_pvt/service.grp

and I tried to add
php_flag register_globals Off
and it doesn't work (500 internal server error)

I tried with register_global 0 - same thing.

could you please point me where to look after?

thanks for any help.

-afan




[PHP] register_globals and passing variables

2007-03-14 Thread Jeff
Ok, all I am new to PHP & MySQL. (please don't let this scare you off)

I had my site hosted with Gisol.com and due to their very poor service and 
tech support I left them for Lunarpages.com who so far have a better service 
and their tech support is excellent!! But my pages won't pass variables any 
more.

When I started I purchased two books MySQL and PHP & MySQL both published by 
O'Reilly. So far they are excellent help and instructors. I wrote some pages 
where I track users and their characters from an on-line game called World 
of Warcraft.

On the Gisol server they were working EXCELLENT!!

Once I moved to Lunarpages, the pages load ok but they don't pass the 
variables from one page to another.

The below code queries the db and lists the users in a table, and has a 
hyperlink to the right of each, on Gisol I could click the link and it would 
load the view_char.php page and it listed their character and the info I 
needed, and gave options to delete and edit. Again it was working 
beautifully.


VIEW USERS PAGE CODE:
$sql="SELECT f_name, l_name, char_id, char_name, char_level FROM t_char, 
t_users where t_users.user_id = t_char.user_link ORDER BY char_name ASC";
mysql_select_db($db_select,$db);
$result = mysql_query($sql,$db);
echo "<TABLE border=2>";
echo "<TR><TD><B>Character Name</B><TD><B>Character Level</B><TD><B>Owner</B></TR>";
while ($myrow = mysql_fetch_array($result))
{
// one table row per character, followed by a link that passes char_id in the URL
echo "<TR><TD>".$myrow["char_name"]."<TD>".$myrow["char_level"]."<TD>".$myrow["f_name"]." ".$myrow["l_name"];
echo "<TD><A href=\"view_char.php?charid=".$myrow["char_id"]."\">View</A>";
}
//$charid=[".$myrow["char_id"]."]; <- I tried this line with no success. 
//Possibly have it in the wrong place??
echo "</TABLE>";

VIEW_CHAR PAGE CODE
// $charid is only set here when register_globals copies it from the URL
$sql = "SELECT * FROM `t_char` WHERE `t_char`.`char_id` = '$charid'"; // <-- 
// now all this does is produce a blank page... used to work great!
//$sql = "SELECT * FROM `t_char` WHERE `t_char`.`char_id` = '21'"; <- i 
//used this code to test the page w/o the $charid string and it works FINE!!
$result=mysql_query( $sql );
if (!$result)
{
die("Could not query the database: <br />".mysql_error());
}

I wrote a help ticket to Lunarpages where I am now hosted and asked them to 
set the register_globals to ON thinking this was the problem based on what 
I've read and they wrote back and told me that they use suPHP to parse php 
files and I have the option of using custom php.ini files. That I could 
create a .htaccess file or put individual php.ini files in the folder that 
contains the files I'm running. In other words do it myself.


So I created this file:

[PHP]

register_globals = on

named it php.ini and dropped it in the folder with all of my files.

It didn't help any.

So I added this line to the first file
include ('php.ini');

all it does is add :[PHP] register_globals = on  as text at the top of my 
page now.

At this point I'm lost!! I don't know what to do to get my <A 
href=\"view_char.php?charid=".$myrow["char_id"]."\"> to equal $charid in the 
following pages.

Any help you could provide me would GREATLY be APPRECIATED!!!

Signed,
I'm trying 




Re: [PHP] register_globals and passing variables

2007-03-14 Thread Bruce Cowin
Hi Jeff,

You want to leave register_globals OFF.  Depending on how $charid is passed, 
you want to use $_POST or $_GET:

$charid = $_POST['charid'];
or
$charid = $_GET['charid'];

I think you'll need to do the same for your $db_select variable.  Is that what 
you're after?



Regards,

Bruce




Re: [PHP] register_globals and passing variables

2007-03-14 Thread Larry Garfield
Firstly, welcome to PHP. :-)

Secondly, that's not how you would enable register_globals if they're not 
enabled.

Thirdly, you do not want to turn on register_globals.  register globals are a 
security risk.  They're disabled by default on any recent (within the past 5 
years) version of PHP, although some web hosts foolishly turn them on to be 
compatible with code written 8 years ago that shouldn't be used anymore. :-)

Instead, access the proper super-global to get the data you want.  For 
instance:

$_GET['charid']

Will have the value of the charid GET parameter passed on the URL like so:

http://example.com/index.php?charid=5

There's also $_POST['charid'], which would check just a POST request.  Use 
those instead of just $charid.

Also, you'll want to ensure that they're the data type you expect to avoid SQL 
injection, a security risk.  For instance, assuming you know the character ID 
will be an integer:

$charid = (int)$_GET['charid'];

Or even better:

$charid = isset($_GET['charid']) ?  (int)$_GET['charid'] : 0;

That's the ternary operator, which is useful for setting defaults in cases 
where, for instance, no charid was passed at all.  That way you get back a 0, 
so you know you have a value and that it's an integer.

Thank you for taking PHP Security 101 in a Nutshell. :-)  Cheers.

-- 
Larry Garfield  AIM: LOLG42
[EMAIL PROTECTED]   ICQ: 6817012

If nature has made any one thing less susceptible than all others of 
exclusive property, it is the action of the thinking power called an idea, 
which an individual may exclusively possess as long as he keeps it to 
himself; but the moment it is divulged, it forces itself into the possession 
of every one, and the receiver cannot dispossess himself of it.  -- Thomas 
Jefferson
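
The advice in the reply above, written out as an added example that is not code from the thread. It goes one step past the (int) cast by validating the parameter and using a prepared statement; PDO with an in-memory SQLite database stands in for Jeff's MySQL server so it runs offline, and the function names and sample rows are assumptions.

```php
<?php
// Added example. Table and column names follow Jeff's post; the rows are constructed.

// Read charid from the query string without relying on register_globals.
// FILTER_VALIDATE_INT rejects "21abc" and "21' OR '1'='1" outright, where a
// bare (int) cast would quietly turn both into 21.
function read_char_id(array $query): ?int
{
    if (!isset($query['charid']) || !is_string($query['charid'])) {
        return null; // missing, or an array such as ?charid[]=21
    }
    $id = filter_var($query['charid'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The value is bound as an integer parameter and never concatenated into the SQL text.
function find_character(PDO $db, int $charId): ?array
{
    $stmt = $db->prepare(
        'SELECT char_id, char_name, char_level FROM t_char WHERE char_id = :id'
    );
    $stmt->bindValue(':id', $charId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// What view_char.php would print for a given query string.
function render_character(array $query, PDO $db): string
{
    $id = read_char_id($query);
    if ($id === null) {
        return 'Invalid or missing charid';
    }
    $row = find_character($db, $id);
    if ($row === null) {
        return 'No such character';
    }
    // Escape database values before they go into HTML.
    return htmlspecialchars($row['char_name'], ENT_QUOTES, 'UTF-8')
        . ' (level ' . (int) $row['char_level'] . ')';
}

// Constructed data so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t_char (char_id INTEGER PRIMARY KEY, char_name TEXT, char_level INTEGER)');
$db->exec("INSERT INTO t_char VALUES (21, 'Thrall', 60), (22, '<b>Jaina</b>', 58)");

// Constructed stand-ins for $_GET on five different requests.
$requests = [
    ['charid' => '21'],
    ['charid' => '22'],
    ['charid' => "21' OR '1'='1"],
    ['charid' => ['21']],
    [],
];
foreach ($requests as $query) {
    echo json_encode($query), ' => ', render_character($query, $db), PHP_EOL;
}
```

In a real page the call would be render_character($_GET, $db) with $db pointing at the MySQL database.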


[PHP] register_globals

2004-04-06 Thread nullevent
Hello.
  
  In my php.ini file register_globals has value Off.
  
  I have script
  <?php
ini_set("register_globals", 0);
echo ini_get("register_globals");
  ?>
  The script echoes 1. But if I create .htaccess in this dir which contains
  the string
  php_value register_globals 0, my script returns 0.
  Why can't I change the register_globals value with ini_set()?

bye, 
 mailto:[EMAIL PROTECTED],
 4:11, 04.04.2004




Re: [PHP] register_globals

2004-04-06 Thread Richard Davey
Hello,

Sunday, April 4, 2004, 1:17:53 AM, you wrote:

> Why can't I change the register_globals value with ini_set()?

Because it's a system level configuration value - you cannot change it
in your scripts.

register_globals supports PHP_INI_PERDIR and PHP_INI_SYSTEM - meaning
it can only be changed in the php.ini file or an htaccess file.

-- 
Best regards,
 Richard Davey
 http://www.phpcommunity.org/wiki/296.html




[PHP] REGISTER_GLOBALS set to off and other issues

2004-03-23 Thread Alisa Davis
I have REGISTER_GLOBALS set to off. I have read and read, but cannot figure out what I 
need to do code wise to keep from getting the following message:

Warning: Unknown(): Your script possibly relies on a session side-effect which existed 
until PHP 4.2.3. Please be advised that the session extension does not consider global 
variables as a source of data, unless register_globals is enabled. You can disable 
this functionality and this warning by setting session.bug_compat_42 or 
session.bug_compat_warn to off, respectively. in Unknown on line 0

We upgraded from 4.1.1 about a month ago and since then several things are now broken. 
I need to know how to code around this problem so I don't get this WARNING.

I am also having another problem since the upgrade. This seems to be a javascript 
problem, but it's weird that it's happened on two different servers just after a PHP 
upgrade. 

I have static page tops and bottoms that I call with an include for each page. 
Currently, I have all the javascripts that I use for my entire site in the header:
<script language="javascript" src="library/script1.js"></script>
<script language="javascript" src="library/script2.js"></script> etc...

If I use script1.js on page 1 but don't use script2.js, then I get a javascript error on 
script1.js. The reason I know this is that if I strip out all but what is essential to 
page 1, then the javascript runs error free, but if not, I get errors. 

I don't know if this is a php problem or not, but like I said above, I do know it 
started with the upgrades. I can deal with this though, because I know how to fix it. 
I will just take a while.

This is a school site and they are on spring break right now. I have until Monday 
3/29/2004 to get this fixed. The school's website, which includes homework 
assignments, lunch menu, etc... will be dead in the water until I do.


--
Thanks,
Alisa Davis - Madison Academy webmaster
--




[PHP] register_globals problem

2003-12-03 Thread Bogdan Albei
I have a webpage that needs to use some specific php.ini settings 
different from other php applications on my web server. I have created a 
.htaccess file with the following content:

php_flag register_globals 1
php_flag error_reporting  E_ALL & ~E_NOTICE

It works fine, but only on Mozilla and Netscape. Internet explorer 
cannot process the content of this web page. The URL is 
http://e-technics.com/dorna/ .

Anyone knows the remedy for this strange behaviour?

Bogdan Albei
eTechnics
www.e-technics.com


RE: [PHP] register_globals problem

2003-12-03 Thread Jay Blanchard
[snip]
I have a webpage that needs to use some specific php.ini settings 
different from other php applications on my web server. I have created a
.htaccess file with the following content:

php_flag register_globals 1
php_flag error_reporting  E_ALL & ~E_NOTICE

It works fine, but only on Mozilla and Netscape. Internet explorer 
cannot process the content of this web page. The URL is 
http://e-technics.com/dorna/ .

Anyone knows the remedy for this strange behaviour?
[/snip]

Since PHP is server-side and IE is client-side it is probably not a
problem with PHP. (I was able to replicate the problem you described) It
could be a problem with Apache though, try adding

AddType application/x-httpd-php .php

to the .htaccess file. I don't think that will solve the problem though.
Put a page in that directory called test.php with only

<?php

phpinfo();

?>

and see if that will load properly. I have also seen this problem caused
by JavaScript (you'll have to ask on a JavaScript list)




Re: [PHP] register_globals problem

2003-12-03 Thread Bogdan Albei
It doesn't work at all if I put  AddType application/x-httpd-php .php



RE: [PHP] register_globals problem

2003-12-03 Thread Jay Blanchard
[snip]
Put a page in that directory called test.php with only

<?php

phpinfo();

?>

It doesn't work at all if I put  AddType application/x-httpd-php .php
[/snip]

Did you try the test.php above?




RE: [PHP] register_globals problem

2003-12-03 Thread Chris
The only problem I see with that is that you're using the constants E_ALL
and E_NOTICE in the .htaccess file. You can't use constants there, you need
to use the actual number. (2047 & ~8) == 2039:

php_flag register_globals 1
php_flag error_reporting  2039

Chris




RE: [PHP] register_globals problem

2003-12-03 Thread Chris
Heh, sorry about that.. one more thing, php_flag is only for boolean values,
this should work:

php_flag register_globals on
php_value error_reporting  2039
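
The two points made in this thread (no PHP constants in .htaccess, php_flag only for boolean settings) can be checked mechanically before a file is uploaded. The script below is an added example, not code from the thread; the function name is an assumption and both sample inputs are constructed from the lines quoted on this page.

```php
<?php
// Added example, not code from the thread: lint the php_flag / php_value
// lines of an .htaccess file. The sample inputs below are constructed.

function lint_php_directives(string $htaccess): array
{
    $findings = [];
    foreach (preg_split('/\R/', $htaccess) as $index => $line) {
        $lineNo = $index + 1;
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // blank line or comment
        }
        // directive, setting name, then everything else as the raw value
        if (!preg_match('/^(php_flag|php_value)\s+(\S+)\s*(.*)$/i', $line, $m)) {
            continue; // not a PHP directive
        }
        $directive = strtolower($m[1]);
        $setting   = strtolower($m[2]);
        $value     = $m[3];
        $quoted    = (bool) preg_match('/^(["\']).*\1$/', $value);
        $bare      = $quoted ? substr($value, 1, -1) : $value;

        if ($bare === '') {
            $findings[] = "line $lineNo: $setting has no value";
            continue;
        }
        // Both directives take the setting name and exactly one value argument.
        if (!$quoted && preg_match('/\s/', $bare)) {
            $findings[] = "line $lineNo: value \"$bare\" is more than one argument";
        }
        // Constants such as E_ALL exist only inside PHP scripts, not in Apache config.
        if (preg_match('/\bE_[A-Z_]+\b/', $bare)) {
            $findings[] = "line $lineNo: PHP constant in value; use the number instead";
        }
        $isBoolean = in_array(strtolower($bare), ['on', 'off', '1', '0'], true);
        if ($directive === 'php_flag' && !$isBoolean) {
            $findings[] = "line $lineNo: php_flag is for on/off settings; use php_value";
        }
        // Other replies on this page advise leaving register_globals off.
        if ($setting === 'register_globals'
            && in_array(strtolower($bare), ['on', '1'], true)) {
            $findings[] = "line $lineNo: turns register_globals on";
        }
    }
    return $findings;
}

// Constructed sample: the two lines from the first post of this thread.
$original = "php_flag register_globals 1\n"
          . "php_flag error_reporting  E_ALL & ~E_NOTICE\n";
// Constructed sample: the corrected form given in the reply above.
$corrected = "php_flag register_globals on\n"
           . "php_value error_reporting  2039\n";

foreach (['original' => $original, 'corrected' => $corrected] as $label => $text) {
    echo "$label:\n";
    foreach (lint_php_directives($text) as $finding) {
        echo "  $finding\n";
    }
}
```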




Re: [PHP] register_globals problem

2003-12-03 Thread Bogdan Albei
Jay Blanchard wrote:

> Did you try the test.php above?

 

Yes, I have. Doesn't work.



RE: [PHP] register_globals problem

2003-12-03 Thread Jay Blanchard
[snip]

Did you try the test.php above?

  

Yes, I have. Doesn't work.
[/snip]

Then your httpd.conf is not configured properly. It would appear to me
that PHP is not working at all. I went to the URL in question and did not
find this test page, so it will be hard for me to help you. Does PHP
work anywhere on your server?




Re: [PHP] register_globals problem

2003-12-03 Thread Bogdan Albei
Chris wrote:
Heh, sorry about that.. one more thing, php_flag is only for bollean values,
this should work:
php_flag register_globals on
php_value error_reporting  2039
-Original Message-
From: Chris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] register_globals problem
The only problem I see with that is that you're using the constants E_ALL
and E_NOTICE in the .htaccess file. You can't use constants there, you need
to use the actual number. (2047  ~8) == 2039:
php_flag register_globals 1
php_flag error_reporting  2039
Chris

-Original Message-
From: Bogdan Albei [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 4:43 AM
To: [EMAIL PROTECTED]
Subject: [PHP] register_globals problem
I have a webpage that needs to use some specific php.ini settings
different from other php applications on my web server. I have created a
.htaccess file with the following content:
php_flag register_globals 1
php_flag error_reporting  E_ALL  ~E_NOTICE
It works fine, but only on Mozilla and Netscape. Internet explorer
cannot process the content of this web page. The URL is
http://e-technics.com/dorna/ .
Anyone knows the remedy for this strange behaviour?

Bogdan Albei
eTechnics
www.e-technics.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
It doesn't work. After all a script that contains only phpinfo() 
(e-technics.com/dorna/info.php) works OK, but the webpage, which is a 
PhpNuke doesn't work.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


RE: [PHP] register_globals problem

2003-12-03 Thread Jay Blanchard
[snip]
It doesn't work. After all a script that contains only phpinfo() 
(e-technics.com/dorna/info.php) works OK, but the webpage, which is a 
PhpNuke doesn't work.
[/snip]

Actually info.php works in IE and reports  register_global is ON locally
(within that directory). Therefore, as I stated earlier, it is not a PHP
problem. It is either an Apache configuration problem or a problem
within the HTML/CSS/JavaScript code that is hanging IE. I have seen both
CSS and JavaScript do this behavior.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals problem

2003-12-03 Thread Bogdan Albei
Jay Blanchard wrote:
[snip]
It doesn't work. After all a script that contains only phpinfo() 
(e-technics.com/dorna/info.php) works OK, but the webpage, which is a 
PhpNuke doesn't work.
[/snip]

Actually info.php works in IE and reports  register_global is ON locally
(within that directory). Therefore, as I stated earlier, it is not a PHP
problem. It is either an Apache configuration problem or a problem
within the HTML/CSS/JavaScript code that is hanging IE. I have seen both
CSS and JavaScript do this behavior.
If I create a PHP environment such that I don't need to override 
register_globals and error_reporting with a .htaccess file it works just 
fine, so I guess the problem is in the .htaccess file. I posted my 
httpd.conf file at http://e-technics.com/dorna/httpd.conf.
If I comment the lines

<Directory /usr/local/apache/htdocs/dorna>
AllowOverride All
</Directory>
that makes the override possible, the page works fine, but I don't have 
register_globals and error_reporting as I want them.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


RE: [PHP] register_globals problem

2003-12-03 Thread Jay Blanchard
[snip]
If I create a PHP environment such that I don't need to override 
register_globals and error_reporting with a .htaccess file it works just

fine, so I guess the problem is in the .htaccess file. I posted my 
httpd.conf file at http://e-technics.com/dorna/httpd.conf.
If I comment the lines

<Directory /usr/local/apache/htdocs/dorna>
AllowOverride All
</Directory>

that makes the override possible, the page works fine, but I don't have 
register_globals and error_reporting as I want them.
[/snip]

Actually, according to the info.php page for that directory
register_globals is ON as you desire...correct?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals problem

2003-12-03 Thread Bogdan Albei
Jay Blanchard wrote:
[snip]
If I create a PHP environment such that I don't need to override 
register_globals and error_reporting with a .htaccess file it works just

fine, so I guess the problem is in the .htaccess file. I posted my 
httpd.conf file at http://e-technics.com/dorna/httpd.conf.
If I comment the lines

<Directory /usr/local/apache/htdocs/dorna>
AllowOverride All
</Directory>
that makes the override possible, the page works fine, but I don't have 
register_globals and error_reporting as I want them.
[/snip]

Actually, according to the info.php page for that directory
register_globals is ON as you desire...correct?
Correct, the .htaccess file overrides just fine register_globals and 
error_reporting but somehow Internet Explorer and Konqueror do not 
load the page.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


RE: [PHP] register_globals problem

2003-12-03 Thread Jay Blanchard
[snip]
 Actually, according to the info.php page for that directory
 register_globals is ON as you desire...correct?

Correct, the .htaccess file overrides just fine register_globals and 
error_reporting but somehow Internet Explorer and Konqueror do not 
load the page.
[/snip]

But IE and Konqueror both load the info.php correctly from my end. It is
the index.php for Nukemods.com that gets hosed in those browsers.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals problem

2003-12-03 Thread Bogdan Albei
Jay Blanchard wrote:
[snip]

Actually, according to the info.php page for that directory
register_globals is ON as you desire...correct?


Correct, the .htaccess file overrides just fine register_globals and 
error_reporting but somehow Internet Explorer and Konqueror do not 
load the page.
[/snip]

But IE and Konqueror both load the info.php correctly from my end. It is
the index.php for Nukemods.com that gets hosed in those browsers.
So you're saying that index.php is broken? Then why does it get loaded fine 
if I delete the .htaccess file?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


RE: [PHP] register_globals problem

2003-12-03 Thread Jay Blanchard
[snip]
 But IE and Konqueror both load the info.php correctly from my end. It
is
 the index.php for Nukemods.com that gets hosed in those browsers.

So you're saying that index.php is broken? Then why it gets loaded fine 
if I delete the .htaccess file?
[/snip]

That is exactly what I am saying. Is the .htaccess file deleted now?
I'll go and see if it works. Leave both the index.php and the info.php
in the directory.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals problem

2003-12-03 Thread Bogdan Albei
Jay Blanchard wrote:
[snip]

But IE and Konqueror both load the info.php correctly from my end. It
is

the index.php for Nukemods.com that gets hosed in those browsers.


So you're saying that index.php is broken? Then why it gets loaded fine 
if I delete the .htaccess file?
[/snip]

That is exactly what I am saying. Is the .htaccess file deleted now?
I'll go and see if it works. Leave both the index.php and the info.php
in the directory.
I've deleted the .htaccess file. Both index.php and info.php are in the 
directory.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] register_globals security

2003-11-13 Thread Fernando Melo
Hi everyone,

I have a PHP application that passes variables (values) from a form.
I get these using $_POST

However I do also post some variables via a link.  Which of course requires
register_globals to be ON.

I would like to secure this application.  What would be the best way of
doing this and how else can I pass/get values via a URL.

Fern

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals security

2003-11-13 Thread Jon Haworth
Hi Fernando,

 I have a PHP application that passes variables (values) from a form.
 I get these using $_POST

 However I do also post some variables via a link.  Which ofcourse requires
 register_globals to be ON.

Do you mean variables in a URL, like this:
www.example.com/index.php?foo=1&bar=2

If so you can access these via the $_GET array and leave register_globals
turned off.

Cheers
Jon

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] register_globals security

2003-11-13 Thread Fernando Melo

Thanks.

I don't see how this makes it more secure though?

The values are still picked up the same way from a URL

-Original Message-
From: Jon Haworth [mailto:[EMAIL PROTECTED] 
Sent: 13 November 2003 13:28
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals  security

Hi Fernando,

 I have a PHP application that passes variables (values) from a form.
 I get these using $_POST

 However I do also post some variables via a link.  Which ofcourse requires
 register_globals to be ON.

Do you mean variables in a URL, like this:
www.example.com/index.php?foo=1&bar=2

If so you can access these via the $_GET array and leave register_globals
turned off.

Cheers
Jon

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] register_globals security

2003-11-13 Thread Eugene Lee
On Thu, Nov 13, 2003 at 01:55:08PM +0200, Fernando Melo wrote:
: Jon Haworth responded:
: : Fernando Melo wrote:
: : 
: :  I have a PHP application that passes variables (values) from a form.
: :  I get these using $_POST
: : 
: :  However I do also post some variables via a link.  Which ofcourse
: :  requires register_globals to be ON.
: : 
: : Do you mean variables in a URL, like this:
: : www.example.com/index.php?foo=1&bar=2
: : 
: : If so you can access these via the $_GET array and leave
: : register_globals turned off.
: 
: Thanks.
: 
: I don't see how this makes it more secure though?
: 
: The values are still picked up the same way from a URL

If you want to prevent casual packet sniffing, you need to move your
code to an SSL-enabled web server.

If you want to minimize data exchange between PHP pages via POST or GET
methods, consider switching to sessions.

http://www.php.net/manual/en/ref.session.php

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals security

2003-11-13 Thread Raditha Dissanayake
Hi,

There is also a $_REQUEST variable.
At the risk of starting another flame war: IMHO switching off register 
globals and relying on $_POST etc can lull you into a false sense of 
security.

Fernando Melo wrote:

Thanks.

I don't see how this makes it more secure though?

The values are still picked up the same way from a URL

-Original Message-
From: Jon Haworth [mailto:[EMAIL PROTECTED] 
Sent: 13 November 2003 13:28
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals  security

Hi Fernando,

 

I have a PHP application that passes variables (values) from a form.
I get these using $_POST
However I do also post some variables via a link.  Which ofcourse requires
register_globals to be ON.
   

Do you mean variables in a URL, like this:
www.example.com/index.php?foo=1&bar=2
If so you can access these via the $_GET array and leave register_globals
turned off.
Cheers
Jon
 



--
Raditha Dissanayake.

http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Inteface. Just 150 KB | with progress bar.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


RE: [PHP] register_globals security

2003-11-13 Thread Fernando Melo

Yup I still don't see how it improves anything with regards to security.

-Original Message-
From: Raditha Dissanayake [mailto:[EMAIL PROTECTED] 
Sent: 13 November 2003 15:24
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals  security

Hi,

There is also a $_REQUEST variable.
At the risk of starting another flame war: IMHO switching off register 
globals and relying on $_POST etc can lull you into a false sense of 
security.


Fernando Melo wrote:

Thanks.

I don't see how this makes it more secure though?

The values are still picked up the same way from a URL

-Original Message-
From: Jon Haworth [mailto:[EMAIL PROTECTED] 
Sent: 13 November 2003 13:28
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals  security

Hi Fernando,

  

I have a PHP application that passes variables (values) from a form.
I get these using $_POST

However I do also post some variables via a link.  Which ofcourse requires
register_globals to be ON.



Do you mean variables in a URL, like this:
www.example.com/index.php?foo=1&bar=2

If so you can access these via the $_GET array and leave register_globals
turned off.

Cheers
Jon

  



-- 
Raditha Dissanayake.

http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Inteface. Just 150 KB | with progress bar.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] register_globals security

2003-11-13 Thread Jay Blanchard
[snip]
There is also a $_REQUEST variable.
At the risk of starting another flame war: IMHO switching off register 
globals and relying on $_POST etc can lull you into a false sense of 
security.
[/snip]

***applause***

Bottom-line...as I just said in another thread...initialize your
variables and validate them when you get them from 'outside' sources

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals security

2003-11-13 Thread Raditha Dissanayake
Hi,

Jay and Eugene have already made very good suggestions. To add to that 
you can always try filtering your variables with strip_tags(), 
htmlspecialchars(), addslashes() etc to protect against attacks.

all the best

Fernando Melo wrote:

Yup I still don't see how it improves anything with regards to security.

-Original Message-
From: Raditha Dissanayake [mailto:[EMAIL PROTECTED] 
Sent: 13 November 2003 15:24
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals  security

Hi,

There is also a $_REQUEST variable.
At the risk of starting another flame war: IMHO switching off register 
globals and relying on $_POST etc can lull you into a false sense of 
security.

Fernando Melo wrote:

 

Thanks.

I don't see how this makes it more secure though?

The values are still picked up the same way from a URL
   

--
Raditha Dissanayake.

http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Inteface. Just 150 KB | with progress bar.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] register_globals security

2003-11-13 Thread Chris Shiflett
--- Fernando Melo [EMAIL PROTECTED] wrote:
 I have a PHP application that passes variables (values) from a form.
 I get these using $_POST
 
 However I do also post some variables via a link. Which ofcourse
 requires register_globals to be ON.

This is a common problem I see on this list. When asking a question, try
not to make assumptions or attempt to answer your own question.

In this case, your assumption is wrong. This does not require
register_globals to be on. Get variables are in $_GET, and POST variables
are in $_POST.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals security

2003-11-13 Thread Chris Shiflett
--- Raditha Dissanayake [EMAIL PROTECTED] wrote:
 At the risk of starting another flame war: IMHO switching off register 
 globals and relying on $_POST etc can lull you into a false sense of 
 security.

I agree, and this is more true with the safe_mode directive, which I have
always thought was poorly named (although I don't have a better
suggestion).

Disabling register_globals is a good thing, however, and it at least
forces developers to understand where their data is coming from. This is a
good first step, in my opinion.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
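
The two habits recommended in this thread (initialize your variables, validate what comes from outside), shown as an added PHP example that is not code from any poster. The function names and the sample request are constructed for illustration; because register_globals was removed in PHP 5.4.0, extract() is used to emulate it in the "before" function.

```php
<?php
declare(strict_types=1);

// Constructed request data: the query string of a link such as
// index.php?foo=1&bar=2, plus one parameter the page never asked for.
$request = ['foo' => '1', 'bar' => '2', 'authorized' => '1'];

/**
 * "Before": written the way register_globals = On encouraged.
 * extract() stands in for the removed directive by turning every
 * request key into a local variable.
 */
function legacy_page(array $request, bool $loggedIn): string
{
    extract($request);                 // emulates register_globals = On
    if ($loggedIn) {
        $authorized = true;
    }
    // $authorized is never initialized, so for a visitor who is not
    // logged in its value is whatever the request supplied.
    $view = !empty($authorized) ? 'members view' : 'public view';
    return $view . ', foo=' . ($foo ?? '');
}

/**
 * "After": no request key becomes a variable on its own, every variable
 * is initialized by the application, and outside data is validated.
 */
function hardened_page(array $get, bool $loggedIn): string
{
    $authorized = $loggedIn;           // set by the application only

    // Take only the expected key, from the named source, and check its
    // type and range. Reading $_GET instead of a global is not validation.
    $foo = filter_var(
        $get['foo'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]
    );
    if ($foo === false) {
        return 'bad request';
    }

    $view = $authorized ? 'members view' : 'public view';
    // Escape on output, even for a value that has already been validated.
    return $view . ', foo=' . htmlspecialchars((string) $foo, ENT_QUOTES, 'UTF-8');
}

// Run both versions for a visitor who is not logged in.
foreach ([$request, ['foo' => '12abc']] as $input) {
    echo 'legacy:   ', legacy_page($input, false), PHP_EOL;
    echo 'hardened: ', hardened_page($input, false), PHP_EOL;
}
```

The hardened function would be called with $_GET in a real page; switching the first function from globals to $_GET without initializing $authorized would not have changed its logic, which is the "false sense of security" raised earlier in the thread.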



RE: [PHP] register_globals security

2003-11-13 Thread Fernando Melo
I was not making an assumption.  I was stating a fact.
I get these using $_POST

I did NOT state that register_globals needs to be on to do what I'm doing.
It seems everyone else understood my query except you.  

Thanks to everyone who tried to help!

-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED] 
Sent: 13 November 2003 17:07
To: Fernando Melo; '[EMAIL PROTECTED]'
Subject: Re: [PHP] register_globals  security

--- Fernando Melo [EMAIL PROTECTED] wrote:
 I have a PHP application that passes variables (values) from a form.
 I get these using $_POST
 
 However I do also post some variables via a link. Which ofcourse
 requires register_globals to be ON.

This is a common problem I see on this list. When asking a question, try
not to make assumptions or attempt to answer your own question.

In this case, your assumption is wrong. This does not require
register_globals to be on. Get variables are in $_GET, and POST variables
are in $_POST.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] register_globals security

2003-11-13 Thread Chris Shiflett
--- Fernando Melo [EMAIL PROTECTED] wrote:
 I was not making an assumption.  I was stating a fact.
 I get these using $_POST
 
 I did NOT state that register_globals needs to be on to do what I'm
 doing.

If you're going to make false claims about what you previously said, you
might want to snip out that part when replying. :-)

 --- Fernando Melo [EMAIL PROTECTED] wrote:
 Which ofcourse requires register_globals to be ON.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] register_globals

2003-10-27 Thread fanabe
Hi all,

I use suse8.2 professional
I have upgraded php 4.3.1 to 4.3.3 with rpm suse project.

In the php.ini I have set the registr_globals=3D Off and in the directory
/srv/www/html/mysites1 I have created the file .htaccess with:

php_flag register_globals on for only this site.

With the function phpinfo I have seen that the Master Value is Off and the
Load Value is On but the site is not running successfully.
With suse8.1 with php4.2.2 I have no problem.
Any idea ?

Thanking you in advance and sorry for my english.

Giuliano.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] register_globals

2003-10-27 Thread Jay Blanchard
[snip]
With the function phpinfo I have seen that the Master Value is Off and
the Load Value is On but the site is not running successfully.
With suse8.1 with php4.2.2 I have no problem.
Any idea ?
[/snip]

Does the site rely on files outside of that directory? Do you 'allow
overrides' for the directory in Apache? (httpd.conf)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals

2003-10-27 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote:
 In the php.ini I have set the registr_globals=3D Off

I'm assuming that 3D was put in there by some faulty mail client? Also, make
sure you spell it register_globals.

 php_flag register_globals on for only this site.
 
 With the function phpinfo I have seen that the Master Value is Off
 and the Load Value is On but the site is not running successfully.

Well, that sounds like what you are trying to do? What is wrong exactly? Not
every error is the fault of register_globals, after all. :-)

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals

2003-10-27 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote:
 
 The problem concern:
 
 The correct site is: www.gardafun.com with apache.1.3.27 and
 php-4.0.6 with register_globals = On
 
 The new webserver is 213.21.138.119 with suse8.2 apache1.3.27 and
 php-4.3.3 with register_globals=off in the php.ini and in the
 .htaccess the directive: php_flag register_globals on
 
 The same sites don't work in the new websites but with the phpinfo
 I see that the Load Value for register_globals for this site is On.

You need to explain what is wrong. You seem confident that register_globals is
your problem, but you've not told us why you think so.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals

2003-10-27 Thread Chris Shiflett
Please include the list in all of your replies. I skim message subjects and
don't read all messages. If you reply only to me, there's a good chance it will
not be read, and no one else will have a chance to answer your question.

--- [EMAIL PROTECTED] wrote:
 As i know, if register_globals is turned to on, my site should run as
 on a 4.0.6 php server, right?

No, register_globals is not the only change that has been made to PHP since
4.0.6. That would be the only way that enabling register_globals on a new
version of PHP would be guaranteed to run exactly like version 4.0.6.

 But it doesn't run correctly, queries are not working and many
 other problems.

You really need to explain what your problem is. This is the third time you've
been asked to do so. We cannot possibly read your mind and answer a question
you  have not asked.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] register_globals won't turn off!

2003-09-27 Thread Damon Kohler
Well, it does turn off. At least phpinfo() says that it's off. However, PHP
is acting as though it's still turned on. The source code for the page I'm
using to test this odd result is:

<html>
<head>
</head>
<body>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<input name="test">
<input type="submit">
</form>
</body>
</html>
<?php

print $test;

phpinfo();
?>

I'm running PHP 4.3.3 on RH7. When the form is submitted, the value is
printed despite the fact it's printing $test and not $_POST['test']. This is
copy pasted from the results:

  register_argc_argv Off Off
  register_globals Off Off


I'm completely stumped.

Thanks in advance,
Damon

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals won't turn off!

2003-09-27 Thread Cristian Lavaque
I don't know much about this, but could it have been cached?

Cristian


Damon Kohler wrote:
 Well, it does turn off. At least phpinfo() says that it's off.
 However, PHP is acting as though it's still turned on. The
source
 code for the page I'm using to test this odd result is:

 html
 head
 /head
 body
 form action=?=$_SERVER['PHP_SELF']? method=post
 input name=test
 input type=submit
 /form
 /body
 /html
 ?php

 print $test;

 phpinfo();


 I'm running PHP 4.3.3 on RH7. When the form is submited, the
value is
 printed despite the fact it's printing $test and not
$_POST['test'].
 This is copy pasted from the results:

   register_argc_argv Off Off
   register_globals Off Off


 I'm completely stumped.

 Thanks in advance,
 Damon

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals won't turn off!

2003-09-27 Thread Damon Kohler
No, it's not cached. I can type in anything to the input and it'll show up.
As in, if I type test into the form, it prints test. Then if I type hello
world it'll print hello world. So I'm pretty sure caching  isn't the
problem.

Damon

Cristian Lavaque [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I don't know much about this, but could it have been cached?

 Cristian


 Damon Kohler wrote:
  Well, it does turn off. At least phpinfo() says that it's off.
  However, PHP is acting as though it's still turned on. The
 source
  code for the page I'm using to test this odd result is:
 
  html
  head
  /head
  body
  form action=?=$_SERVER['PHP_SELF']? method=post
  input name=test
  input type=submit
  /form
  /body
  /html
  ?php
 
  print $test;
 
  phpinfo();
 
 
  I'm running PHP 4.3.3 on RH7. When the form is submited, the
 value is
  printed despite the fact it's printing $test and not
 $_POST['test'].
  This is copy pasted from the results:
 
register_argc_argv Off Off
register_globals Off Off
 
 
  I'm completely stumped.
 
  Thanks in advance,
  Damon

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals won't turn off!

2003-09-27 Thread Robert Cummings
Are you using third party code that might be doing the export to global
space itself?

Rob.

On Sat, 2003-09-27 at 22:21, Damon Kohler wrote:
 No, it's not cached. I can type in anything to the input and it'll show up.
 As in, if I type test into the form, it prints test. Then if I type hello
 world it'll print hello world. So I'm pretty sure caching  isn't the
 problem.
 
 Damon
 
 Cristian Lavaque [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
  I don't know much about this, but could it have been cached?
 
  Cristian
 
 
  Damon Kohler wrote:
   Well, it does turn off. At least phpinfo() says that it's off.
   However, PHP is acting as though it's still turned on. The
  source
   code for the page I'm using to test this odd result is:
  
   html
   head
   /head
   body
   form action=?=$_SERVER['PHP_SELF']? method=post
   input name=test
   input type=submit
   /form
   /body
   /html
   ?php
  
   print $test;
  
   phpinfo();
  
  
   I'm running PHP 4.3.3 on RH7. When the form is submited, the
  value is
   printed despite the fact it's printing $test and not
  $_POST['test'].
   This is copy pasted from the results:
  
 register_argc_argv Off Off
 register_globals Off Off
  
  
   I'm completely stumped.
  
   Thanks in advance,
   Damon
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 
 
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals won't turn off!

2003-09-27 Thread Damon Kohler
I don't think so... You have something particular in mind? You can check out
the page itself at http://my.innermetrix.cc/test.php

Damon

Robert Cummings [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Are you using third party code that might be doing the export to global
 space itself?

 Rob.

 On Sat, 2003-09-27 at 22:21, Damon Kohler wrote:
  No, it's not cached. I can type in anything to the input and it'll show
up.
  As in, if I type test into the form, it prints test. Then if I type
hello
  world it'll print hello world. So I'm pretty sure caching  isn't the
  problem.
 
  Damon
 
  Cristian Lavaque [EMAIL PROTECTED] wrote in message
  news:[EMAIL PROTECTED]
   I don't know much about this, but could it have been cached?
  
   Cristian
  
  
   Damon Kohler wrote:
Well, it does turn off. At least phpinfo() says that it's off.
However, PHP is acting as though it's still turned on. The
   source
code for the page I'm using to test this odd result is:
   
html
head
/head
body
form action=?=$_SERVER['PHP_SELF']? method=post
input name=test
input type=submit
/form
/body
/html
?php
   
print $test;
   
phpinfo();
   
   
I'm running PHP 4.3.3 on RH7. When the form is submited, the
   value is
printed despite the fact it's printing $test and not
   $_POST['test'].
This is copy pasted from the results:
   
  register_argc_argv Off Off
  register_globals Off Off
   
   
I'm completely stumped.
   
Thanks in advance,
Damon
 
  -- 
  PHP General Mailing List (http://www.php.net/)
  To unsubscribe, visit: http://www.php.net/unsub.php
 
 
 -- 
 ..
 | InterJinn Application Framework - http://www.interjinn.com |
 ::
 | An application and templating framework for PHP. Boasting  |
 | a powerful, scalable system for accessing system services  |
 | such as forms, properties, sessions, and caches. InterJinn |
 | also provides an extremely flexible architecture for   |
 | creating re-usable components quickly and easily.  |
 `'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] register_globals won't turn off!

2003-09-27 Thread Raquel Rice
On Sat, 27 Sep 2003 20:05:10 -0400
Damon Kohler [EMAIL PROTECTED] wrote:

 Well, it does turn off. At least phpinfo() says that it's off.
 However, PHP is acting as though it's still turned on. The source
 code for the page I'm using to test this odd result is:
 
snip
 
 I'm running PHP 4.3.3 on RH7. When the form is submited, the value
 is printed despite the fact it's printing $test and not
 $_POST['test']. This is copy pasted from the results:
 
   register_argc_argv Off Off
   register_globals Off Off
 
 
 I'm completely stumped.
 
 Thanks in advance,
 Damon

Did you reload your http server?

--
Raquel

If our words are not consistent with our actions, they will never be
heard above the thunder of our deeds.
  --H. Burke Peterson


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
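
One way to check the possibility Robert Cummings raises in this thread (code exporting request data to the global scope while register_globals reports Off), as an added PHP example that is not code from any poster. The function names, the stand-in bootstrap and the sample form value are hypothetical and constructed so the script runs from the command line.

```php
<?php
declare(strict_types=1);

/**
 * Return the request keys that also exist as global variables holding the
 * same value. That is the trace left by register_globals or by a
 * hand-rolled import (extract(), import_request_variables() on old PHP,
 * or a loop over $_POST).
 */
function find_imported_request_vars(array $sources, array $globals): array
{
    $hits = [];
    foreach ($sources as $sourceName => $values) {
        foreach ($values as $key => $value) {
            if (array_key_exists($key, $globals) && $globals[$key] === $value) {
                $hits[] = $sourceName . "['" . $key . "'] is also global \$" . $key;
            }
        }
    }
    return $hits;
}

/** Settings worth reading next to the phpinfo() output. */
function config_report(): array
{
    return [
        // false means the directive does not exist (PHP 5.4.0 and later)
        'register_globals'  => ini_get('register_globals'),
        // a file named here runs before every script and can import variables
        'auto_prepend_file' => ini_get('auto_prepend_file'),
        // the php.ini actually loaded, which may not be the one that was edited
        'loaded php.ini'    => php_ini_loaded_file(),
    ];
}

// Constructed form submission, matching the test form's field name.
$_POST = ['test' => 'hello world'];

// Hypothetical stand-in for third-party code that exports request data
// to the global scope on its own.
function third_party_bootstrap(): void
{
    foreach ($_POST as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}
third_party_bootstrap();

var_export(config_report());
echo PHP_EOL;

$found = find_imported_request_vars(
    ['$_GET' => $_GET, '$_POST' => $_POST, '$_COOKIE' => $_COOKIE],
    $GLOBALS
);
echo implode(PHP_EOL, $found), PHP_EOL;
```

Placed at the end of a test page, the two functions separate the cases discussed here: a stale or wrong php.ini shows up in the report, while an import done by included code shows up as a matching global.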



Re: [PHP] register_globals

2003-09-03 Thread Jason Sheets
Rather than turning on register globals system wide I'd use .htaccess to 
enable register globals for the specific sites or applications that 
require them.  Because the super globals have been introduced the 
problem with register globals and application security may be more 
pronounced for applications that don't expect them to be on (granted 
they should check and make sure they are off but you never know :)).

The PHP manual has a section on altering PHP's configuration with the 
.htaccess file.

Jason

Deependra b. Tandukar wrote:

Hi,

I have configured PHP 4.3.3 in which register_globals is set to be 
off. I modified etc/php.ini and set it to be On but still it shows it 
is off and some developed applications in php are asking for it to be 
turned on. How do I do this?

Regards,
DT
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] register_globals

2003-09-02 Thread Deependra b. Tandukar
Hi,

I have configured PHP 4.3.3 in which register_globals is set to be off. I 
modified etc/php.ini and set it to be On but still it shows it is off and 
some developed applications in php are asking for it to be turned on. How 
do I do this?

Regards,
DT 



Re: [PHP] register_globals

2003-09-02 Thread John W. Holmes
Deependra b. Tandukar wrote:

> Hi,
>
> I have configured PHP 4.3.3 in which register_globals is set to be off. 
> I modified etc/php.ini and set it to be On but still it shows it is off 
> and some developed applications in php are asking for it to be turned 
> on. How do I do this?

Did you restart the web server?

Look at a phpinfo() page in the first block for the configuration file 
setting and make sure you're editing the right php.ini file.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals  www.phparch.com



Re: [PHP] register_globals

2003-09-02 Thread murugesan
Try restarting your apache.

-murugesan

- Original Message -
From: Deependra b. Tandukar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 03, 2003 10:09 AM
Subject: [PHP] register_globals


> Hi,
>
> I have configured PHP 4.3.3 in which register_globals is set to be off. I
> modified etc/php.ini and set it to be On but still it shows it is off and
> some developed applications in php are asking for it to be turned on. How
> do I do this?
>
> Regards,
> DT



[PHP] register_globals per virtual host

2003-03-19 Thread Dave [Hawk-Systems]
A while ago we upgraded the php installations on our servers.  For a quick fix
we set register_globals to on for code compatibility.  Since then we have been
cleaning up code to eliminate this.  We likely still have some virtual hosts who
are using these globals though, so while we are wanting them to modify their
code, we wish to turn globals off for the rest of the server, and allow those
sites to be the exception to the rule.

Assumption is that adding a php_admin_value register_globals on to selected
virtual host containers in apache will allow that particular site access to the
globals while allowing the default (off) for the remainder of the sites.

Is the assumption correct?  Ramifications or caveats that should be considered?

Dave






Re: [PHP] register_globals per virtual host

2003-03-19 Thread Abdul-wahid Paterson
Hi,

I think you want to use:

php_value register_globals Off


I have this setup in VirtualHost's and in .htaccess files. The
difference between php_value and php_admin_value is that php_admin_value
can not be overridden in a .htaccess file or VirtualHost. So if you want
to enforce some settings and allow users to change others you can force
them with php_admin_value.


-- 
Abdul-Wahid Paterson

Lintrix Networking & Communications ltd.
Web: http://www.lintrix.net/
Tel: +44 7801 070621
Email/Jabber: [EMAIL PROTECTED]

Web-Hosting  |  Development  |  Security  |  Consultancy  |  Domains





[PHP] Register_globals question

2003-03-18 Thread Mike Tuller
I found a class that allows you to have a multiple page listing, where 
it displays a certain number of items, and then you click on the next 
page to show the next results. I found that it needs to have 
register_globals turned on. I am learning, and would like to have 
someone look at the class to tell me where in this class 
register_globals is required. I have emailed the person that created 
the class, I am just trying to understand this.

Mike

Here is the class code:

<?

class pn_buttons{

  /* Public Variables */
  var $query_total_pages = 0;
  var $limited_query;
  var $next_button;
  var $previous_button;

  /* Functions */
  function pn_buttons($sql, $step, $page=0){
      $result = mysql_query( $sql );
      $query_total_rows = mysql_num_rows( $result );
      // if query return some rows
      if ( $query_total_rows>0 ){
          if ( $query_total_rows%$step!=0 ){
              $total_pages = intval( $query_total_rows/$step)+1;
          }else{
              $total_pages = $query_total_rows/$step ;
          }
          $this->query_total_pages = $total_pages;

          // if page is set
          if ( empty($page) ) {
              $from = 0;
              $this->current_page= 1;
          }else{
              if ( $page <= $this->query_total_pages ) {
                  $from = $step * ( $page - 1 );
                  $this->current_page= $page;
              }else{
                  $from = 0;
                  $this->current_page= 1;
              }
          }
          $this->limited_query = $sql . " LIMIT ". $from .", ". $step;
      }

  } // end  function

  // create previous and next buttons
  function make_buttons( $link, $link_params, $txt_next="next", $txt_previous="previous", $image="" ){

      if ( $this->query_total_pages>1 ){

          if ( ($this->current_page < $this->query_total_pages) && ($this->current_page>1) ){
              $next_page = $this->current_page+1;
              $prev_page = $this->current_page-1;
              $next_lnk = "<a href='".$link . $link_params . "&page=". $next_page ."'>$txt_next</a>";
              $prev_lnk = "<a href='".$link . $link_params . "&page=". $prev_page ."'>$txt_previous</a>";
          }else if( ($this->current_page < $this->query_total_pages) && ($this->current_page==1) ){
              $next_page = $this->current_page+1;
              $prev_page = "";
              $next_lnk = "<a href='".$link . $link_params . "&page=". $next_page ."'>$txt_next</a>";
              $prev_lnk = "";
          }else if( $this->current_page >= $this->query_total_pages ){
              $next_page = "";
              $prev_page = $this->current_page-1;
              $next_lnk = "";
              $prev_lnk = "<a href='".$link . $link_params . "&page=". $prev_page ."'>$txt_previous</a>";
          }
          $this->next_button = $next_lnk;
          $this->previous_button = $prev_lnk;
      }

  } // end function

  // display all pages
  function count_all_pages( $link, $link_params ){
      for ($i=1; $i<=$this->query_total_pages; $i++){
          if ($i==$this->current_page){
              echo "<b>[$i]</b>";
          }else{
              echo "<a href='$link$link_params&page=$i'>[$i]</a>";
          }
      }
  }
} // end Class

?>



Re: [PHP] Register_globals question

2003-03-18 Thread CPT John W. Holmes
> I found a class that allows you to have a multiple page listing, where
> it displays a certain number of items, and then you click on the next
> page to show the next results. I found that it needs to have
> register_globals turned on. I am learning, and would like to have
> someone look at the class to tell me where in this class
> register_globals is required. I have emailed the person that created
> the class, I am just trying to understand this.
>
> Mike
>
> Here is the class code:
>
> <?
>
> class pn_buttons{
>
>   /* Public Variables */
>   var $query_total_pages = 0;
>   var $limited_query;
>   var $next_button;
>   var $previous_button;
>
>   /* Functions */
>   function pn_buttons($sql, $step, $page=0){
>       $result = mysql_query( $sql );
>       $query_total_rows = mysql_num_rows( $result );
>
>       // if query return some rows
>       if ( $query_total_rows>0 ){
>
>           if ( $query_total_rows%$step!=0 ){
>               $total_pages = intval( $query_total_rows/$step)+1;
>           }else{
>               $total_pages = $query_total_rows/$step ;
>           }
>
>           $this->query_total_pages = $total_pages;
>
>           // if page is set
>           if ( empty($page) ) {
>               $from = 0;
>               $this->current_page= 1;
>           }else{
>               if ( $page <= $this->query_total_pages ) {
>                   $from = $step * ( $page - 1 );
>                   $this->current_page= $page;
>               }else{
>                   $from = 0;
>                   $this->current_page= 1;
>               }
>           }
>
>           $this->limited_query = $sql . " LIMIT ". $from .", ". $step;
>       }
>
>   } // end  function
>
>   // create previous and next buttons
>   function make_buttons( $link, $link_params, $txt_next="next", $txt_previous="previous", $image="" ){
>
>       if ( $this->query_total_pages>1 ){
>
>           if ( ($this->current_page < $this->query_total_pages) && ($this->current_page>1) ){
>               $next_page = $this->current_page+1;
>               $prev_page = $this->current_page-1;
>               $next_lnk = "<a href='".$link . $link_params . "&page=". $next_page ."'>$txt_next</a>";
>               $prev_lnk = "<a href='".$link . $link_params . "&page=". $prev_page ."'>$txt_previous</a>";
>           }else if( ($this->current_page < $this->query_total_pages) && ($this->current_page==1) ){
>               $next_page = $this->current_page+1;
>               $prev_page = "";
>               $next_lnk = "<a href='".$link . $link_params . "&page=". $next_page ."'>$txt_next</a>";
>               $prev_lnk = "";
>           }else if( $this->current_page >= $this->query_total_pages ){
>               $next_page = "";
>               $prev_page = $this->current_page-1;
>               $next_lnk = "";
>               $prev_lnk = "<a href='".$link . $link_params . "&page=". $prev_page ."'>$txt_previous</a>";
>           }
>           $this->next_button = $next_lnk;
>           $this->previous_button = $prev_lnk;
>       }
>
>   } // end function
>
>   // display all pages
>   function count_all_pages( $link, $link_params ){
>       for ($i=1; $i<=$this->query_total_pages; $i++){
>           if ($i==$this->current_page){
>               echo "<b>[$i]</b>";
>           }else{
>               echo "<a href='$link$link_params&page=$i'>[$i]</a>";
>           }
>       }
>   }
>
> } // end Class

Since it's a class, register_global variables would not have any scope
within it. Since there are no 'global' calls in any of the methods, it
doesn't look like it's relying on any outside variables. Everything this
script acts upon is passed to it, so it does not rely on register globals.
How this class was implemented may rely on them, though.

---John Holmes...





Re: [PHP] Register_globals question

2003-03-18 Thread Mike Tuller
Well, I know it has something to do with register_globals, because it 
only starts working when I turn register_globals on. If it is off, the 
script doesn't work.

Here is the php file that calls to the class. It doesn't seem to have 
anything that is global, but as I said before, I am not very familiar 
with this.

<?

  mysql_connect("localhost","username","password");
  mysql_select_db("MyDatabase");
  // this is a dump variable just for demonstration purposes
  $cod= 5;
  // how many rows do you want per page???
  $step = 10;


  # Include class file
  include ("pn.class.php");
  # the sql query without Limit
  $sql = "select asset_id, developer, title, version, platform from software_assets ORDER BY asset_id";
  $res= mysql_query( $sql );
  $total = mysql_num_rows( $res );

  # initiate class
  # parameters explanation
  # 1st param : the sql query without Limit expression
  # 2nd param : number of elements to display per page.
  # 3rd param : current page; this should be null
  # 4th param : total rows of query
  //$buttons = new pn_buttons( $sql, $step, $page );
  $buttons = new pn_buttons( $sql, $step, $page, $total );
  # $buttons->limited_query is the sql query with limit expression
  # class create this
  $res = mysql_query ($buttons->limited_query);
  echo "
  <html>
<body>";
 // table headers describing columns
  echo "
  <table width=\"500\" border=\"1\" cellspacing=\"5\" cellpadding=\"3\">
		<tr bgcolor=\"#bb\">
			<td align=\"center\"><b>Asset ID</b></td>
			<td align=\"center\"><b>Developer</b></td>
			<td align=\"center\"><b>Software Title</b></td>
			<td align=\"center\"><b>Version</b></td>
			<td align=\"center\"><b>Platform</b></td>
		</tr>
		";

  // list elements one by one until there are no more in the database
  while ( list ( $asset_id, $developer, $title, $version, $platform ) = mysql_fetch_row($res) ){
  echo "
		<tr>
		<td align=\"left\"><a href=\"editsoftwareasset.php?id=$asset_id\">$asset_id</a></td>
		</td>
		<td align=\"left\">$developer
		</td>
		<td align=\"left\">$title
		</td>
		<td align=\"left\">$version
		</td>
		<td align=\"left\">$platform
		</td>
		</tr>
		";
  }

  // close table once list elements loop is finished
  echo "</table>";
  // Beginning of prev/next buttons. Will be centered in the table.
  echo "
  <table width=\"500\" border=\"1\">
  <tr align=\"center\">
<td>
<center>";
  # Create Prev and next buttons
  # parameters explanation
  # 1st param : the page that displays results with ?  at the end
  # 2nd param : additional url parameters e.g. cid=$cid&top=$top
  # 3rd param : Text to display in next link
  # 4th param : Text to display in previous link
  $buttons->make_buttons("pn_classexample.php?","cid=$cod","Next Results", "Previous Results");

  # display previous and next links
  echo $buttons->previous_button . " &nbsp;&nbsp; " .$buttons->next_button;

  # display current page number and total pages number
  echo "<br>Page ". $buttons->current_page ." of " . $buttons->query_total_pages;
  echo "<br><br><br>";
  echo  $buttons->count_all_pages("pn_classexample.php?","cid=$cid");

?>
</center>
</td>
</tr>
</table>
</body>
</html>

On Tuesday, March 18, 2003, at 11:02 AM, CPT John W. Holmes wrote:

>> I found a class that allows you to have a multiple page listing, where
>> it displays a certain number of items, and then you click on the next
>> page to show the next results. I found that it needs to have
>> register_globals turned on. I am learning, and would like to have
>> someone look at the class to tell me where in this class
>> register_globals is required. I have emailed the person that created
>> the class, I am just trying to understand this.
>> Mike
>>
>> Here is the class code:
>>
>> <?
>>
>> class pn_buttons{
>>
>>    /* Public Variables */
>>    var $query_total_pages = 0;
>>    var $limited_query;
>>    var $next_button;
>>    var $previous_button;
>>    /* Functions */
>>    function pn_buttons($sql, $step, $page=0){
>>        $result = mysql_query( $sql );
>>        $query_total_rows = mysql_num_rows( $result );
>>        // if query return some rows
>>        if ( $query_total_rows>0 ){
>>            if ( $query_total_rows%$step!=0 ){
>>                $total_pages = intval( $query_total_rows/$step)+1;
>>            }else{
>>                $total_pages = $query_total_rows/$step ;
>>            }
>>            $this->query_total_pages = $total_pages;
>>
>>            // if page is set
>>            if ( empty($page) ) {
>>                $from = 0;
>>                $this->current_page= 1;
>>            }else{
>>                if ( $page <= $this->query_total_pages ) {
>>                    $from = $step * ( $page - 1 );
>>                    $this->current_page= $page;
>>                }else{
>>                    $from = 0;
>>                    $this->current_page= 1;
>>                }
>>            }
>>            $this->limited_query = $sql . " LIMIT ". $from .", ". $step;
>>        }
>>    } // end  function
>>
>>    // create previous and next buttons
>>    function make_buttons( $link, $link_params, $txt_next="next", $txt_previous="previous", $image="" ){
>>        if ( $this->query_total_pages>1 ){
>>
>>            if ( 

RE: [PHP] register_globals On

2003-02-18 Thread Johnson, Kirk

 I'm thinking of running a shopping cart package (osCommerce) 
 that requires
 register_globals to be enabled. With all the warnings about 
 security with
 register_globals enabled I'm worried.
 
 How dangerous is it?

The key defensive step is to initialize all of your session variables at the
time you create them, like so:

$isAdmin = '';
session_register('isAdmin');

PHP will do the rest ;)

Kirk

 





[PHP] register_globals On

2003-02-17 Thread Sam

I'm thinking of running a shopping cart package (osCommerce) that requires
register_globals to be enabled. With all the warnings about security with
register_globals enabled I'm worried.

How dangerous is it?






Re: [PHP] register_globals On

2003-02-17 Thread Jonathan Pitcher
Sam,

The register_globals can be dangerous to turn on but it really depends 
on the quality of code that the shopping cart was written.  See 
Examples below for explanation.


Say you had a script that looked like this.


<?PHP

	$Q = "Select * from Stored CreditCards where User='$User'";
	// ... Retrieve info from DB
	// ... Charge Credit Card
	// ... Do Other Stuff.

?>

With register_globals = on then I could do the following to the URL and 
force the system to bill someone else.

chargecredit.php?User=Joe

Basically, register_globals = off protects you from that type of URL 
hacking.
It just depends on how it is written and how thought out the shopping 
cart script is.

Hope this helped.

Jonathan Pitcher

On Monday, February 17, 2003, at 07:09  AM, Sam wrote:


I'm thinking of running a shopping cart package (osCommerce) that 
requires
register_globals to be enabled. With all the warnings about security 
with
register_globals enabled I'm worried.

How dangerous is it?






Re: [PHP] register_globals On

2003-02-17 Thread David Eisenhart
yeh, I'd strongly agree with Jonathan's view that quality of the code can
mitigate against the dangers of register_globals.

FYI, an interesting article on php vulnerabilities is at:
http://www.securereality.com.au/studyinscarlet.txt

David Eisenhart


Jonathan Pitcher [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> Sam,
>
> The register_globals can be dangerous to turn on but it really depends
> on the quality of code that the shopping cart was written.  See
> Examples below for explanation.
>
>
> Say you had a script that looked like this.
>
>
> <?PHP
>
> $Q = "Select * from Stored CreditCards where User='$User'";
> // ... Retrieve info from DB
> // ... Charge Credit Card
> // ... Do Other Stuff.
>
> ?>
>
> With register_globals = on then I could do the following to the URL and
> force the system to bill someone else.
>
> chargecredit.php?User=Joe
>
> Basically, register_globals = off protects you from that type of URL
> hacking.
>
> It just depends on how it is written and how thought out the shopping
> cart script is.
>
> Hope this helped.
>
> Jonathan Pitcher
>
> On Monday, February 17, 2003, at 07:09  AM, Sam wrote:
>
> > I'm thinking of running a shopping cart package (osCommerce) that
> > requires
> > register_globals to be enabled. With all the warnings about security
> > with
> > register_globals enabled I'm worried.
> >
> > How dangerous is it?




Re: [PHP] register_globals

2003-01-29 Thread Maxim Maletsky

three solutions:

1. turn register_globals off for compatibility purposes via .htaccess
file in the script's directory

2. create an auto_prepend file with the following: extract($_GET), this
should do the trick

3. rewrite the whole code to make any user-input (form) variable to be
$_REQUEST or $_GET/$_POST respectively


--
Maxim Maletsky
[EMAIL PROTECTED]



Kiswa [EMAIL PROTECTED] wrote... :

> I know it's stupid but I've been writing a site for a register_globals = on
> environment
> now I need to convert all the code to an off setting
>
> the page is built by sending a whole lot of vars to different pages.
> as you can see below the hyperlink sends the id var to the same page and
> then echoes the code.
> can anyone help humpty dumpty?
>
>
> <font size=2><a href=left.php?id=1 target=_self>Finansiering</a><BR>
> <?
>  If($id==1){
>  echo "<a href=info/leas.htm target=\"mainFrame\"><font color=\"#00\">Leasing</font></a><BR>
>  <a href=info/avb.htm target=\"mainFrame\"><font color=\"#00\">Räntefri avbet.</font></a><BR>
>  <a href=info/stul.htm target=\"mainFrame\"><font color=\"#00\">Studentlån</font></a><BR>";
> };
> ?>




[PHP] register_globals

2003-01-28 Thread Kiswa
I know it's stupid but I've been writing a site for a register_globals = on
environment
now I need to convert all the code to an off setting

the page is built by sending a whole lot of vars to different pages.
as you can see below the hyperlink sends the id var to the same page and
then echoes the code.
can anyone help humpty dumpty?


<font size=2><a href=left.php?id=1 target=_self>Finansiering</a><BR>
<?
 If($id==1){
 echo "<a href=info/leas.htm target=\"mainFrame\"><font color=\"#00\">Leasing</font></a><BR>
 <a href=info/avb.htm target=\"mainFrame\"><font color=\"#00\">Räntefri avbet.</font></a><BR>
 <a href=info/stul.htm target=\"mainFrame\"><font color=\"#00\">Studentlån</font></a><BR>";
};
?>







Re: [PHP] register_globals

2003-01-28 Thread Justin French
on 29/01/03 6:41 AM, Kiswa ([EMAIL PROTECTED]) wrote:


change If($id==1){ to If($_GET['id']==1){

or put this line near the top of your script:

$id = $_GET['id'];

or, a little more anal:

if(isset($_GET['id'])) { $id = $_GET['id']; }


Justin




> <font size=2><a href=left.php?id=1 target=_self>Finansiering</a><BR>
> <?
> If($id==1){
> echo "<a href=info/leas.htm target=\"mainFrame\"><font color=\"#00\">Leasing</font></a><BR>
> <a href=info/avb.htm target=\"mainFrame\"><font color=\"#00\">Räntefri avbet.</font></a><BR>
> <a href=info/stul.htm target=\"mainFrame\"><font color=\"#00\">Studentlån</font></a><BR>";
> };
> ?>




[PHP] Register_globals = off-compliant form class?

2002-11-16 Thread Leif K-Brooks
I'm looking for a good class for forms that will work with 
register_globals off.  I was planning to modify Manuel Lemos's class, 
but it turned out to be too big of a task.  Any ideas?

--
The above message is encrypted with double rot13 encoding.  Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law.






Re: [PHP] Register_globals = off-compliant form class?

2002-11-16 Thread BigDog
try using pear...



On Sat, 2002-11-16 at 22:53, Leif K-Brooks wrote:
 I'm looking for a good class for forms that will work with 
 register_globals off.  I was planning to modify Manuel Lemos's class, 
 but it turned out to be too big of a task.  Any ideas?
 
 -- 
 The above message is encrypted with double rot13 encoding.  Any unauthorized attempt 
to decrypt it will be prosecuted to the full extent of the law.
-- 
.: B i g D o g :.







[PHP] Register_globals = off version of Manuel Lemos's form class?

2002-11-13 Thread Leif K-Brooks
I am planning to use Manuel Lemos's form class for a web site I am 
working on.  However, I need to have register_globals set to off.  I was 
planning to rewrite the portions of the class that access submitted form 
values directly to use the superglobal arrays.  When I started, though, 
I saw how big the class was.  I'm wondering if anyone else has already 
done this, and wouldn't mind sharing their code?

--
The above message is encrypted with double rot13 encoding.  Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law.






Re: [PHP] Register_globals = off version of Manuel Lemos's form class?

2002-11-13 Thread Jason Wong
On Wednesday 13 November 2002 23:57, Leif K-Brooks wrote:
> I am planning to use Manuel Lemos's form class for a web site I am
> working on.  However, I need to have register_globals set to off.  I was
> planning to rewrite the portions of the class that access submitted form
> values directly to use the superglobal arrays.  When I started, though,
> I saw how big the class was.  I'm wondering if anyone else has already
> done this, and wouldn't mind sharing their code?

Here's what I use:

  function InjectGlobalVars() {
    $method = $this->METHOD;
    switch (strtolower($method)) {
      case "post" :
        if (isset($_POST)) {
          foreach ($this->inputs as $name => $value) {
            if (isset($_POST[$name])) {
              $GLOBALS[$name] = $_POST[$name];
            }
          }
        }
        break;
      case "get" :
        if (isset($_GET)) {
          foreach ($this->inputs as $name => $value) {
            if (isset($_GET[$name])) {
              $GLOBALS[$name] = $_GET[$name];
            }
          }
        }
        break;
    }
  }


After I've defined all the form elements I just call the above function. 

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *

/*
My father, a good man, told me, Never lose your ignorance; you cannot
replace it.
-- Erich Maria Remarque
*/






Re: [PHP] Register_globals = off version of Manuel Lemos's form class?

2002-11-13 Thread Marek Kilimajer
Even if the method is post, you can have get variables, if the form has 
action=script.php?get_var=value

Jason Wong wrote:

> On Wednesday 13 November 2002 23:57, Leif K-Brooks wrote:
>
>> I am planning to use Manuel Lemos's form class for a web site I am
>> working on.  However, I need to have register_globals set to off.  I was
>> planning to rewrite the portions of the class that access submitted form
>> values directly to use the superglobal arrays.  When I started, though,
>> I saw how big the class was.  I'm wondering if anyone else has already
>> done this, and wouldn't mind sharing their code?
>
> Here's what I use:
>
>   function InjectGlobalVars() {
>     $method = $this->METHOD;
>     switch (strtolower($method)) {
>       case "post" :
>         if (isset($_POST)) {
>           foreach ($this->inputs as $name => $value) {
>             if (isset($_POST[$name])) {
>               $GLOBALS[$name] = $_POST[$name];
>             }
>           }
>         }
>         break;
>       case "get" :
>         if (isset($_GET)) {
>           foreach ($this->inputs as $name => $value) {
>             if (isset($_GET[$name])) {
>               $GLOBALS[$name] = $_GET[$name];
>             }
>           }
>         }
>         break;
>     }
>   }
>
> After I've defined all the form elements I just call the above function.




Re: [PHP] Register_globals = off version of Manuel Lemos's form class?

2002-11-13 Thread Jason Wong
On Thursday 14 November 2002 03:41, Marek Kilimajer wrote:
 Even if the method is post, you can have get variables, if the form has
 action=script.php?get_var=value

Yes but I don't (need to) define my forms like that so I don't really care :-)

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *

/*
Great Moments in History: #3

August 27, 1949:
A Hall of Fame opened to honor outstanding members of the
Women's Air Corp.  It was a WAC's Museum.
*/
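
A whitelist variant of the import discussed in this thread, added here as an example and not Jason Wong's or the form class's own code. It returns validated values instead of writing to $GLOBALS and reads only the array that matches the form method, which is where the action=script.php?get_var=value case matters; the function names, the type schema and the request arrays are assumptions made for the example.

```php
<?php
// Added example: import declared form inputs with register_globals off.
// The request arrays further down are constructed sample input.

/**
 * $declared maps input name => 'int' or 'string' (a hypothetical schema).
 * Returns one entry per declared name; null means absent or invalid.
 */
function import_inputs(array $declared, string $method, array $get, array $post): array
{
    // Read only the array that matches the form method, so a query string on
    // a POST form's action URL cannot stand in for a posted field.
    $source = strtolower($method) === 'post' ? $post : $get;

    $clean = [];
    foreach ($declared as $name => $type) {
        $clean[$name] = null;
        if (!isset($source[$name]) || !is_string($source[$name])) {
            continue;               // missing, or an array such as id[]=1
        }
        if ($type === 'int') {
            $value = filter_var($source[$name], FILTER_VALIDATE_INT);
            if ($value !== false) {
                $clean[$name] = $value;
            }
        } else {
            $clean[$name] = $source[$name];
        }
    }
    return $clean;
}

/** Names sent by the client that the form never declared (worth logging). */
function undeclared_inputs(array $declared, array $get, array $post): array
{
    $sent = array_unique(array_merge(array_keys($get), array_keys($post)));
    return array_values(array_diff($sent, array_keys($declared)));
}

// Constructed request: a POST form whose action is script.php?get_var=value,
// with extra parameters added by the client.
$get  = ['get_var' => 'value', 'id' => '999'];
$post = ['id' => '1', 'amount' => '2x', 'dbh' => 'x'];

// Inputs the form defines. Copying 'dbh' into $GLOBALS would have replaced
// any global of that name; here it is simply never imported.
$declared = ['id' => 'int', 'amount' => 'int', 'comment' => 'string'];

$in = import_inputs($declared, 'POST', $get, $post);
var_export($in);
echo PHP_EOL;
var_export(undeclared_inputs($declared, $get, $post));
echo PHP_EOL;

// The check from the left.php?id=1 thread, against the validated integer.
if ($in['id'] === 1) {
    echo 'show finance submenu', PHP_EOL;
}
```

Code that used to read $id or $amount as globals reads $in['id'] and $in['amount'] instead, and a null entry tells it the field was missing or failed validation.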






[PHP] register_globals off issues

2002-11-12 Thread Mark Spohr
I'm very new to PHP/mySQL and am working through the PHP and mySQL for 
Dummies examples. Unfortunately, these were all written with 
register_globals on and the system I'm using has register_globals off.

I'm having trouble converting the examples to use the $_POST() expression.

Specifically, the examples use a POST with a form variable to run a 
query and then unset this variable as such:

if (@$form == "yes")
{
unset($form);
}

I'm trying to convert this to use $_POST() as such:

 if (@$_POST['form'] == "yes")
{
unset($_POST['form']);
}

However, this does not work. It appears that you can't unset the 
$_POST['form'] array element.

Does anyone have any suggestions on how to fix this?
I know I'm probably missing a few very obvious things here... but I am a 
newbie.

/Mark
--
Mark H. Spohr
email: [EMAIL PROTECTED]







Re: [PHP] register_globals off issues

2002-11-12 Thread Ernest E Vogelsinger
At 21:05 12.11.2002, Mark Spohr said:
[snip]
>I'm trying to convert this to use $_POST() as such:
>
>  if ($_POST['form'] == "yes")
>{
>unset($_POST['form']);
>}
>
>However, this does not work. It appears that you can't unset the 
>$_POST['form'] array element.
[snip] 

unset() works for any variable - also for the superglobals like $_POST.
Try this:

[cut here] 
<xmp>
<?php
print_r($_POST);
echo 'F1 = ', $_POST['f1'], "\nF2 = ", $_POST['f2'], "\n";
unset($_POST['f2']);
print_r($_POST);
?>
</xmp>
<form method="POST">
<input type="text" name="f1" value="<?php echo isset($_POST['f1']) ? htmlspecialchars($_POST['f1']) : ''; ?>">
<br>
<input type="text" name="f2" value="<?php echo isset($_POST['f2']) ? htmlspecialchars($_POST['f2']) : ''; ?>">
<br>
<input type="submit">
</form>
[/cut here] 

What error do you get? Make sure you're using the correct case - PHP is
case sensitive in variable names and associative index keys...


-- 
   O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/







[PHP] register_globals = Off

2002-09-06 Thread Holzner Roland

Hi there
 
In my shop I had this code to add a product to the shoppingcart:

session_start();
session_register("cart");

if($action == "addtocart")
  {
  $cart[] = "$id,$amount";
  }

To view the cart I had to explode the session_variable $cart and get
more data from the database.

session_start();

foreach($cart as $value)
  {
  $value = list($id, $amount) = explode(",", $value);
  echo "$id : $amount\n";
  }

This worked perfectly before I had to reinstall my computer.
Now I have php 4.2.2 and every time I want to add a product to the cart
it overwrites my session_variable.
So now I have only the newest variable in the session_variable.
I've tried it with $_REQUEST, $_SESSION, import_request_variables() but
none of them gives me my array back.
 
Can you help me ?



[PHP] register_globals off or on, why on

2002-08-25 Thread Peter J. Schoenster

Hi,

I'm working on a site where I'm using geeklog 
http://geeklog.sourceforge.net/ 

It has the requirement that 

 Geeklog needs the register_globals variable turned on in order to work.
 Since PHP 4.2.0, the default for register_globals is off. To fix it,
 simply add the following line to your php.ini file

Is this not *wrong*. It sounds to me like fake laziness. Nothing drives 
me bonkers more than trying to track down a variable that is inherited 
from who knows where. 

Perhaps I'm missing something. I've recently worked on a lot of PHP 
code written by others and it's a nightmare trying to track down where 
a variable is defined and where its value might be changed.  Perhaps 
there is some tool I can use to trace this. I dunno. 

Am I correct in my aversion to globals or am I missing their true 
value and perhaps some tools I could use when working on apps that have 
more than 50 php files floating all over the place and no 
documentation.

Peter





---
Reality is that which, when you stop believing in it, doesn't go
away.
-- Philip K. Dick






Re: [PHP] register_globals off or on, why on

2002-08-25 Thread Rasmus Lerdorf

 I'm working on a site where I'm using geeklog
 http://geeklog.sourceforge.net/

 It has the requirement that

  Geeklog needs the register_globals variable turned on in order to work.
  Since PHP 4.2.0, the default for register_globals is off. To fix it,
  simply add the following line to your php.ini file

 Is this not *wrong*. It sounds to me like fake laziness. Nothing drives
 me bonkers more than trying to track down a variable that is inherited
 from who knows where.

If you initialize all your local variables, there is nothing wrong with
having register_globals on.  Well-written apps run quite nicely and
securely with them on.  The reason to turn them off is to protect yourself
from crappy code.

-Rasmus
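
The override described in the chargecredit.php?User=Joe post, together with the initialise-your-variables defence given by Kirk Johnson and in the reply above, as an added example that is not code from any of the posts. It emulates register_globals with extract() because the directive was removed in PHP 5.4; the handler names, the note field and the request and session arrays are constructed for illustration.

```php
<?php
// Added example: register_globals is emulated with extract(); all request
// and session data below is constructed sample input.

/** Legacy style: relies on imported globals and never initialises its own. */
function legacy_handler(array $request, array $session): string
{
    extract($request);  // what register_globals = on did for GET/POST/cookie

    if (($session['role'] ?? '') === 'admin') {
        $isAdmin = true;            // only ever assigned on this branch
    }
    // $User was meant to be set by earlier login code; nothing sets it here,
    // so whatever the request carried under that name is used.
    $role = !empty($isAdmin) ? 'admin' : 'customer';
    return $role . ' acting on account ' . ($User ?? '(none)');
}

/** Same import, but every variable is initialised before it is used. */
function initialised_handler(array $request, array $session): string
{
    extract($request);

    $isAdmin = false;                           // overwrites anything imported
    $User    = $session['user'] ?? '(none)';    // identity from server state
    if (($session['role'] ?? '') === 'admin') {
        $isAdmin = true;
    }
    $role = $isAdmin ? 'admin' : 'customer';
    return $role . ' acting on account ' . $User;
}

/** register_globals = off: request data is reachable only by explicit read. */
function explicit_handler(array $request, array $session): string
{
    $isAdmin = ($session['role'] ?? '') === 'admin';
    $User    = $session['user'] ?? '(none)';
    // A request value is used only where the script asks for it by name.
    $note = isset($request['note']) && is_string($request['note'])
        ? substr($request['note'], 0, 40)
        : '';
    $role = $isAdmin ? 'admin' : 'customer';
    return $role . ' acting on account ' . $User
        . ($note !== '' ? " ($note)" : '');
}

/** Migration aid: request keys that collide with internal variable names. */
function colliding_keys(array $request, array $internalNames): array
{
    return array_values(array_intersect(array_keys($request), $internalNames));
}

// Constructed request, as in chargecredit.php?User=Joe, plus a flag override.
$request = ['User' => 'Joe', 'isAdmin' => '1', 'note' => 'gift wrap'];
// Constructed server-side session for the logged-in customer.
$session = ['user' => 'sam', 'role' => 'customer'];

echo 'legacy:      ', legacy_handler($request, $session), PHP_EOL;
echo 'initialised: ', initialised_handler($request, $session), PHP_EOL;
echo 'explicit:    ', explicit_handler($request, $session), PHP_EOL;
echo 'collisions:  ',
    implode(', ', colliding_keys($request, ['User', 'isAdmin'])), PHP_EOL;
```

Only the legacy handler lets the request decide the role and the account; logging the collisions during a migration shows which pages still receive parameters named after internal variables.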






[PHP] register_globals, the manual, and you.

2002-07-10 Thread Philip Olson


The manual is up-to-date on this topic, for questions 
related to register_globals and form variables please 
feel free to point to:

  http://www.php.net/manual/en/language.variables.external.php

Or the shortcut (all man pages work this way):

  http://www.php.net/variables.external

In fact, it should answer most any register_globals related 
question.  It also links to the manuals definition of this 
directive which has been updated too:

  http://www.php.net/manual/en/configuration.php#ini.register-globals

These two manual pages _should_ explain it, even to 
newbies.  They contain examples and various links.

Regards,
Philip Olson









[PHP] register_globals flag in some directories

2002-06-11 Thread Ahmed Abdalla

I am sorry if this is asked before, but I have apache 2.0.36 with php 4.2.1
in the php.ini file register_globals is set off, but i want to turn it on in
some directories

I tried to create .htaccess file in that directory and put in it
php_flag register_globals on

but its not working, so did i do anything wrong or should I do anything else
?

Thanks for your help







Re: [PHP] register_globals flag in some directories

2002-06-11 Thread Chris Hewitt

Ahmed.

If you changed the AllowOverride setting in httpd.conf, you will need to 
restart apache. I tried what I suggested here (on a RedHat 7.3 system) 
so I know its OK. In httpd.conf there can be many instances of 
AllowOverride, one per directory. Are you sure you changed the right one?

Just a thought.

Regards

Chris

Ahmed Farouk wrote:

Chris,
Thanks for your response, but I already tried that but still not
working!
is there anything I should do let apache recognize that there is .htaccess ?
permissions for example 


- Original Message -
From: Chris Hewitt [EMAIL PROTECTED]
To: Ahmed Abdalla [EMAIL PROTECTED]
Sent: Tuesday, June 11, 2002 9:06 PM
Subject: Re: [PHP] register_globals flag in some directories


Ahmed,

The /etc/httpd/conf/httpd.conf file might not allow .htaccess to
override the setting. I've just tried this here and if I have
AllowOverride All then I can change register_globals in a .htaccess
file exactly as you have specified. If I have AllowOverride None then
I can't.

I don't know which override allowance is needed for php. I haven't found
it in the manual (but then I might not have looked hard enough).

Hope this helps.

Chris

Ahmed Abdalla wrote:

I am sorry if this is asked before, but I have apache 2.0.36 with php 4.2.1
in the php.ini file register_globals is set off, but i want to turn it on in
some directories

I tried to create .htaccess file in that directory and put in it
php_flag register_globals on

but its not working, so did i do anything wrong or should I do anything else
?

Thanks for your help











RE: [PHP] register_globals in php4

2002-05-10 Thread Ford, Mike [LSS]

 -Original Message-
 From: Kevin Stone [mailto:[EMAIL PROTECTED]]
 Sent: 09 May 2002 23:09
 
 Hmm.  No offense ..., but I don't believe turning 
 Registered Globals off
 will have any effect on security.  Turning Registered Globals off just
 provides a more strict environment for coding.  Example..
 
 If the url were http://www.dom.com/index.php?password=xuUaB67sf
 
 <?php
 if (isset($_GET['password']))  // Registered globals off.
 {
     $password = $_GET['password'];
     echo $password;
 }
 ?>
  .. is no more or less secure than..
 <?php
 if (isset($password))   // Registered globals on.
 {
     echo $password;
 }
 ?>

No, but this:

if (isset($password)):  // register_globals on
$super_user = $password==$super_password;
endif;

if ($super_user):
// sensitive admin stuff
endif;

is more secure than:

if (isset($_GET['password'])):  // register_globals off
$super_user = $_GET['password']==$super_password;
endif;

if ($super_user):
// sensitive admin stuff
endif;

(OK, you or I wouldn't code like that, but a Web hoster may want the reassurance of 
being able to protect naive customers from this kind of mistake.)

Also, by using the $_POST, $_GET arrays, you know exactly where the input is coming 
from (even if register_globals is also on!).  If you have register_globals set to on, 
and you just look to see if (say) $password has a value, which you're expecting to 
come from a form field, you can't actually tell whether it's been overridden by some 
smarty-pants typing in the URL with ?password=super_password on the end.  If you check 
specifically for $_POST['password'], you at least have the assurance that it's come 
from a form field as you were expecting.

Granted, register_globals and using the $_* arrays is not the complete solution, but 
it does add a small extra layer of assurance.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 





RE: [PHP] register_globals in php4

2002-05-10 Thread Zeev Suraski

At 14:16 10/05/2002, Ford, Mike   [LSS] wrote:
No, but this:

 if (isset($password)):  // register_globals on
 $super_user = $password==$super_password;
 endif;

 if ($super_user):
 // sensitive admin stuff
 endif;

is more secure than:

 if (isset($_GET['password'])):  // register_globals off
 $super_user = $_GET['password']==$super_password;
 endif;

 if ($super_user):
 // sensitive admin stuff
 endif;

You meant it the other way around, didn't you? :)

Also, by using the $_POST, $_GET arrays, you know exactly where the input 
is coming from (even if register_globals is also on!).  If you have 
register_globals set to on, and you just look to see if (say) $password 
has a value, which you're expecting to come from a form field, you can't 
actually tell whether it's been overridden by some smarty-pants typing in 
the URL with ?password=super_password on the end.  If you check 
specifically for $_POST['password'], you at least have the assurance that 
it's come from a form field as you were expecting.

There's a bit of a misperception about the security that 
register_globals=off buys you.  Basically, anything coming from the user 
cannot be trusted, and that includes post variables in $_POST[] (I could 
write my own form and send whatever variables I want to your form 
handler).  So, generally, anything in $_GET, $_POST and $_COOKIE (or 
$_REQUEST, in general) cannot be trusted, and should be treated as 
'possibly hostile'.  The new $_ENV variable, however, can be trusted, as it 
cannot be poisoned by the remote user, and also, most of the information in 
$_SERVER can be trusted, because it's coming from the web server.

What does register_globals buy you?  Two simple things:
(a) A clean global scope, which cannot be poisoned by the remote user, as 
your example illustrated (only backwards).
(b) Reliable $_ENV and $_SERVER arrays, and the knowledge that they cannot 
be poisoned by get/post/cookie data coming from the user.

Zeev


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
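
The scope poisoning described in point (a) above, as an added example that is not code from the thread. register_globals was removed in PHP 5.4, so the hypothetical functions below emulate it with extract(); the password constant and the request arrays are constructed.

```php
<?php
// Added illustration, not code from the thread. register_globals no longer
// exists (removed in PHP 5.4), so extract() stands in for it here: it turns
// every request parameter into a variable, which is what the setting did.

const SUPER_PASSWORD = 'constructed-example-secret'; // constructed value

// register_globals = on, flag never initialized (the pattern from the thread).
function check_on_uninitialized(array $request): bool
{
    extract($request);                 // request parameters become variables
    if (isset($password)) {
        $super_user = ($password === SUPER_PASSWORD);
    }
    // If no password was sent, $super_user is whatever the request put there.
    return !empty($super_user);
}

// register_globals = on, but the flag is initialized before use. The
// assignment runs after the import, so a request-supplied value is discarded.
function check_on_initialized(array $request): bool
{
    extract($request);
    $super_user = false;
    if (isset($password)) {
        $super_user = ($password === SUPER_PASSWORD);
    }
    return $super_user;
}

// register_globals = off: input is read only from the named source array.
function check_off(array $get): bool
{
    $super_user = false;
    if (isset($get['password']) && is_string($get['password'])) {
        // constant-time comparison of the expected and the supplied value
        $super_user = hash_equals(SUPER_PASSWORD, $get['password']);
    }
    return $super_user;
}

// Constructed requests, as already-parsed query-string arrays.
$requests = [
    'no parameters'        => [],
    'wrong password'       => ['password' => 'guess'],
    'correct password'     => ['password' => SUPER_PASSWORD],
    'client sets the flag' => ['super_user' => '1'],
];

foreach ($requests as $label => $request) {
    printf(
        "%-22s on/uninitialized=%-5s on/initialized=%-5s off=%s\n",
        $label,
        var_export(check_on_uninitialized($request), true),
        var_export(check_on_initialized($request), true),
        var_export(check_off($request), true)
    );
}
```

Only the uninitialized handler grants access for the last request; initializing the flag or reading from the source array closes the gap, which is the point both sides of the thread make.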




RE: [PHP] register_globals in php4

2002-05-10 Thread Ford, Mike [LSS]

 -Original Message-
 From: Zeev Suraski [mailto:[EMAIL PROTECTED]]
 Sent: 10 May 2002 12:36
 
 You meant it the other way around, didn't you? :)

Er, yes! ;)

(I cut-and-pasted one example to create the other, and then changed the wrong on to 
off!!)

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 





RE: [PHP] register_globals in php4

2002-05-10 Thread Ford, Mike [LSS]

 -Original Message-
 From: Ford, Mike [LSS] [mailto:[EMAIL PROTECTED]]
 Sent: 10 May 2002 12:54
 To: 'Zeev Suraski'
 Cc: [EMAIL PROTECTED]
 Subject: RE: [PHP] register_globals in php4
 
  -Original Message-
  From: Zeev Suraski [mailto:[EMAIL PROTECTED]]
  Sent: 10 May 2002 12:36
  
  You meant it the other way around, didn't you? :)
 
 Er, yes! ;)
 
 (I cut-and-pasted one example to create the other, and then 
 changed the wrong on to off!!)

Oh, no! That's not what you meant! (It must be Friday afternoon!! :)

I should have said less secure rather than more secure.

Am I right this time?

Damn.  (It must be Friday afternoon!! :)

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 





RE: [PHP] register_globals in php4

2002-05-10 Thread Zeev Suraski

At 15:13 10/05/2002, Ford, Mike   [LSS] wrote:
I should have said less secure rather than more secure.

Am I right this time?

Yep :)

Zeev






RE: [PHP] register_globals in php4

2002-05-10 Thread Miguel Cruz

On Fri, 10 May 2002, Ford, Mike   [LSS] wrote:
 Also, by using the $_POST, $_GET arrays, you know exactly where the
 input is coming from (even if register_globals is also on!).  If you
 have register_globals set to on, and you just look to see if (say)
 $password has a value, which you're expecting to come from a form field,
 you can't actually tell whether it's been overridden by some
 smarty-pants typing in the URL with ?password=super_password on the end.  
 If you check specifically for $_POST['password'], you at least have the
 assurance that it's come from a form field as you were expecting.

This is a very false sense of security. Anyone with cURL (or even telnet)  
can trivially fake any POST or cookie inputs they want to.

miguel






RE: [PHP] register_globals in php4

2002-05-10 Thread Luc Saint-Elie

Mike,

Both of your bit of code are not equal.

On my ISP in 4.0.6 isset returned false if the variable was not existing OR 
empty

in 4.2 isset returns true if the variable exists but is empty, so you may 
want to check with empty instead of isset

Luc

At 12:16 10/05/2002 +0100, Ford, Mike   [LSS] wrote:
  -Original Message-
 if (isset($password)):  // register_globals on
 $super_user = $password==$super_password;
 endif;

 if ($super_user):
 // sensitive admin stuff
 endif;

is more secure than:

 if (isset($_GET['password'])):  // register_globals off
 $super_user = $_GET['password']==$super_password;
 endif;

 if ($super_user):
 // sensitive admin stuff
 endif;






[PHP] register_globals in php4

2002-05-09 Thread Patrick Hsieh

Hello list,

php4.1 recommends to set register_globals=off in php.ini to make php
more strict.  My question is, if I turn off register_globals, what will
happen if any malicious user just try to modify the variable values in
the url? Say,

http://www.domain.com/xxx.php?id=3&sex=female

Does it work if user just change the value in the URL directly and send
the url directly to web server?

How can we avoid the malicious attack by directly http GET/POST with
modified parameter values to make possible system error or compromise?


-- 
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg






Re: [PHP] register_globals in php4

2002-05-09 Thread Miguel Cruz

On Fri, 10 May 2002, Patrick Hsieh wrote:
 php4.1 recommends to set register_globals=off in php.ini to make php
 more strict.  My question is, if I turn off register_globals, what will
 happen if any malicious user just try to modify the variable values in
 the url? Say,
 
 http://www.domain.com/xxx.php?id=3&sex=female
 
 Does it work if user just change the value in the URL directly and send
 the url directly to web server?
 
 How can we avoid the malicious attack by directly http GET/POST with
 modified parameter values to make possible system error or compromise?

If register_globals is off, then you'll get $_GET['id'] = 3 and 
$_GET['sex'] = female. It's then up to you to make sure those are okay. 
But at least $id and $sex won't get set until you explicitly set them in 
your code.

miguel






Re: [PHP] register_globals in php4

2002-05-09 Thread 1LT John W. Holmes

- Original Message -
From: Patrick Hsieh [EMAIL PROTECTED]
 Hello list,

 php4.1 recommends to set register_globals=off in php.ini to make php
 more strict.  My question is, if I turn off register_globals, what will
 happen if any malicious user just try to modify the variable values in
 the url? Say,

The variables will get passed just like normal. You have no way of telling
if the values actually came from a form or if the user manipulated the data.
This goes for GET, POST, and COOKIE data.

 How can we avoid the malicious attack by directly http GET/POST with
 modified parameter values to make possible system error or compromise?

You can't stop it. The user can send anything to your site. It's up to you
to validate the data and make sure it's what it's supposed to be.

At least with register_globals = off, when you use $_GET[var], you know
it's coming from the URL (or a GET form). Same thing with _POST, _SESSION,
and _COOKIE, etc. You know where the data should be coming from. You still
have to validate it. W/o register globals, you just use $var and have no
idea where it's coming from. You may think it's coming from a posted form,
but the user actually passed it in the url. Or, you use $var2, not expecting
it to come from the user at all, but the user passes it in the URL and it
overwrites $var2.

register_globals isn't always bad. It just allows for more errors and
holes with it on if you're not careful.

---John Holmes...






Re: [PHP] register_globals in php4

2002-05-09 Thread Kevin Stone

- Original Message -
From: Miguel Cruz [EMAIL PROTECTED]
To: Patrick Hsieh [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, May 09, 2002 11:52 AM
Subject: Re: [PHP] register_globals in php4


 On Fri, 10 May 2002, Patrick Hsieh wrote:
  php4.1 recommends to set register_globals=off in php.ini to make php
  more strict.  My question is, if I turn off register_globals, what will
  happen if any malicious user just try to modify the variable values in
  the url? Say,
 
  http://www.domain.com/xxx.php?id=3&sex=female
 
  Does it work if user just change the value in the URL directly and send
  the url directly to web server?
 
  How can we avoid the malicious attack by directly http GET/POST with
  modified parameter values to make possible system error or compromise?

 If register_globals is off, then you'll get $_GET['id'] = 3 and
 $_GET['sex'] = female. It's then up to you to make sure those are okay.
 But at least $id and $sex won't get set until you explicitly set them in
 your code.

 miguel




Hmm.  No offense Miguel, but I don't believe turning Registered Globals off
will have any effect on security.  Turning Registered Globals off just
provides a more strict environment for coding.  Example..

If the url were http://www.dom.com/index.php?password=xuUaB67sf

<?php
if (isset($_GET['password']))  // Registered globals off.
{
    $password = $_GET['password'];
    echo $password;
}
?>
 .. is no more or less secure than..
<?php
if (isset($password))   // Registered globals on.
{
    echo $password;
}
?>

  How can we avoid the malicious attack by directly http GET/POST with
  modified parameter values to make possible system error or compromise?

Security in this regard has everything to do with ensuring that the input
you're receiving is what you expect.  Some good tips would be to define
maximum string lengths, check for legal variable types, and look for invalid
characters.  If something doesn't look right then you simply don't allow the
request to proceed.  Example..

<?php
function validate($str)
{
    $max_len = 15;
    $str_len = strlen($str);
    if ($str_len > $max_len)                  // longer than the maximum
        return FALSE;
    elseif (gettype($str) != "string")        // not a string at all
        return FALSE;
    // case-insensitive match; eregi() no longer exists in PHP 7+
    elseif (preg_match("/whatever you think might be invalid/i", $str))
        return FALSE;
    else
        return TRUE;
}

if (validate($password))
{
    echo $password;
}
else
{
    echo "INVALID INPUT";
    exit;
}
?>

Generally speaking this will be more than adequate.  But if you want to get
serious then you can record a timestamp and IP/domain  for every transaction
on your website then auto-block any user spamming your system.  For example,
if someone is trying out passwords over and over again, after 3 consecutive
tries your system could block the transaction and print out a warning.
After 3 batches of 3 consecutive tries the system could block the user and
email you a notice.  But because this user information can be faked the most
sophisticated systems.. the ones that corporations install behind their
firewalls and cost $20,000 for the installation alone, actually record and
analyze patterns of behavior using neural net software.

-Kevin



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
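
The advice in the two replies above (validate every value, whichever array it arrives in), as an added example that is not code from the thread. The parameter names id and sex come from the URL in the question; the function name, the id range and the allowed values for sex are assumptions, and the query strings are constructed.

```php
<?php
// Added illustration, not code from the thread. The id range and the list of
// allowed values for sex are assumptions made for the example.

function validate_request(array $get): array
{
    $clean  = [];
    $errors = [];

    // Refuse parameters the handler does not define instead of ignoring them.
    if (array_diff(array_keys($get), ['id', 'sex']) !== []) {
        $errors[] = 'unexpected parameter';
    }

    // id: whole number within a fixed range. FILTER_VALIDATE_INT returns
    // false for "3.5", "3abc", an empty string or an array (id[]=3).
    $id = filter_var(
        $get['id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000000]]
    );
    if ($id === false) {
        $errors[] = 'id must be an integer from 1 to 1000000';
    } else {
        $clean['id'] = $id;   // now an int, not the raw request string
    }

    // sex: allow-list with strict comparison, so only these exact strings pass.
    $sex = $get['sex'] ?? null;
    if (is_string($sex) && in_array($sex, ['female', 'male'], true)) {
        $clean['sex'] = $sex;
    } else {
        $errors[] = 'sex must be one of the listed values';
    }

    return ['ok' => $errors === [], 'clean' => $clean, 'errors' => $errors];
}

// Constructed query strings, parsed the way PHP fills $_GET.
$samples = [
    'id=3&sex=female',
    'id=3.5&sex=female',
    'id=3abc&sex=female',
    'id[]=3&sex=female',
    'id=3&sex=unknown',
    'id=3&sex=female&super_user=1',
    'sex=female',
];

foreach ($samples as $query) {
    parse_str($query, $get);
    $result = validate_request($get);
    printf(
        "%-30s %s\n",
        $query,
        $result['ok'] ? 'accepted' : 'rejected: ' . implode('; ', $result['errors'])
    );
}
```

The handler then works only with `$result['clean']`, so a value that was never validated cannot reach later code by accident.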




Re: [PHP] register_globals in php4

2002-05-09 Thread Miguel Cruz

On Thu, 9 May 2002, Kevin Stone wrote:
 If register_globals is off, then you'll get $_GET['id'] = 3 and
 $_GET['sex'] = female. It's then up to you to make sure those are okay.
 But at least $id and $sex won't get set until you explicitly set them in
 your code.
 
 Hmm.  No offense Miguel, but I don't believe turning Registered Globals off
 will have any effect on security.

If all programmers were perfect, very few security mechanisms would be 
necessary.

But they aren't, so things like this just make it a little bit easier to 
create secure software.

miguel






[PHP] register_globals=Off Question

2002-04-28 Thread Kirk Babb

How do I use $PHP_SELF with register_globals off?  I looked up the
documentation on php.net but haven't gotten this line of code to work:

<form name=form5 method=post action='<?php echo($_SERVER[PHP_SELF];
?>'>

I get this error instead:

[28-Apr-2002 16:33:31] PHP Parse error:  parse error, expecting `T_STRING'
or `T_VARIABLE' or `T_NUM_STRING' in - on line 140

what am I doing wrong?  thanks,

Kirk







RE: [PHP] register_globals=Off Question

2002-04-28 Thread John Holmes

You are missing an ending quote to begin with. Either add it in and use
braces, or remove the quotes.

action = '<?= $_SERVER['PHP_SELF'] ?>'

or...

action = '<?php echo "$_SERVER[PHP_SELF]"; ?>'

or...

action = '<?php echo "{$_SERVER['PHP_SELF']}"; ?>'

Adapt to your needs...

---John Holmes...


 -Original Message-
 From: Kirk Babb [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, April 28, 2002 3:58 PM
 To: [EMAIL PROTECTED]
 Subject: [PHP] register_globals=Off Question
 
 How do I use $PHP_SELF with register_globals off?  I looked up the
 documentation on php.net but haven't gotten this line of code to work:
 
 <form name=form5 method=post action='<?php echo($_SERVER[PHP_SELF];
 ?>'>
 
 I get this error instead:
 
 [28-Apr-2002 16:33:31] PHP Parse error:  parse error, expecting
`T_STRING'
 or `T_VARIABLE' or `T_NUM_STRING' in - on line 140
 
 what am I doing wrong?  thanks,
 
 Kirk
 
 
 







Re: [PHP] register_globals=Off Question

2002-04-28 Thread Miguel Cruz

On Sun, 28 Apr 2002, Kirk Babb wrote:
 How do I use $PHP_SELF with register_globals off?  I looked up the
 documentation on php.net but haven't gotten this line of code to work:
 
 <form name=form5 method=post action='<?php echo($_SERVER[PHP_SELF];
 ?>'>

action='<?= $_SERVER['PHP_SELF'] ?>'

miguel






Re: [PHP] register_globals=Off Question

2002-04-28 Thread Steve Buehler

Looks like you forgot your ticks ' around the PHP_SELF.  If I am correct, 
it should be $_SERVER['PHP_SELF'].
Either way, you might want to try this.  Somebody else posted it before and 
I have been using it so that no matter what version of PHP my program runs 
on, it should work.
if (isset($_SERVER)) $PHP_SELF = $_SERVER['PHP_SELF'];

Steve

At 05:58 PM 4/28/2002, Kirk Babb wrote:
How do I use $PHP_SELF with register_globals off?  I looked up the
documentation on php.net but haven't gotten this line of code to work:

<form name=form5 method=post action='<?php echo($_SERVER[PHP_SELF];
?>'>

I get this error instead:

[28-Apr-2002 16:33:31] PHP Parse error:  parse error, expecting `T_STRING'
or `T_VARIABLE' or `T_NUM_STRING' in - on line 140

what am I doing wrong?  thanks,

Kirk









[PHP] register_globals

2002-04-12 Thread Michal Dvoracek

Hello,

in php 4.0.6 on the begin of the script include file called config.php.
In config file i have ini_set('register_globals', 'off');
i setup session via session_register('variable') and redirect to
another page, where i include the same config (config.php) and call
session_start(); but when i make print_r($HTTP_SESSION_VARS); array is
empty. When i disable line with ini_set in config file all is ok.

It's bug ?

I must using two versions of PHP 4.0.6 and 4.1.2. On 4.1.2 is
everything OK but on 4.0.6 not. So where is problem ? In myself or
between keyboard and chair (that's myself too :))

Regards
Michal Dvoracek  [EMAIL PROTECTED]






Re: [PHP] register_globals

2002-04-01 Thread Erik Price


On Sunday, March 31, 2002, at 04:05  AM, Liam wrote:

 at the moment I have register_globals set to on
 Is there any reason I should turn it off?

 What are the security risks of having them on?

I once asked this exact question, and here is the response I got -- I 
found it very helpful:

 Give this a read first, then come back if you still have questions ;)

 http://www.securereality.com.au/studyinscarlet.txt

 Kirk


Erik




Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]





