Re: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)
Upgrade and turn on register_globals in php.ini.

---John Holmes...

----- Original Message -----
From: Kristopher Yates [EMAIL PROTECTED]
To: php-general [EMAIL PROTECTED]
Sent: Monday, July 22, 2002 3:51 PM
Subject: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)

Hi,

I have been running 4.1.2 for a while with no problems. This morning, I downloaded 4.2.2, did a configure/make/make install. All seemed to have gone well. However, it broke all my sites that use PHP.

Here is a description of how it appeared to be broken. This is just an example, as I don't really own fakename.com.

User goes to http://www.fakename.com/index.php
User clicks on help and gets the main index page instead of the help page.
The URL for help is.. http://www.fakename.com/index.php?target=help

It is like PHP gets passed variables and forgets them immediately. What do I need to do? I reinstalled 4.1.2 and things are working again. Naturally, I would like to safely upgrade to 4.2.2.

Thanks in advance for any help out there. I am at a loss for ideas on solving this myself.

Kris

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)
You *did* read the notice that came up at the end of your 'configure' run, right?

(Specifically the part that said

    *** NOTE ***
    The default for register_globals is now off. If your application
    relies on register_globals being ON, you should explicitly set it
    to on in your php.ini file. Note that you are strongly encouraged
    to read http://www.php.net/manual/en/security.registerglobals.php
    about the implications of having register_globals set to on, and
    avoid using it if possible.

)

For more info, see the above link, or the External Variables section of the 4.2.1 release notes at http://www.php.net/release_4_2_1.php, or the manual section on predefined variables at http://www.php.net/manual/en/language.variables.predefined.php

---
Mark Roedel           | Blessed is he who has learned to laugh
Systems Programmer    | at himself, for he shall never cease
LeTourneau University | to be entertained.
Longview, Texas, USA  |          -- John Powell

-----Original Message-----
From: Kristopher Yates [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 22, 2002 2:52 PM
To: php-general
Subject: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)

I have been running 4.1.2 for a while with no problems. This morning, I downloaded 4.2.2, did a configure/make/make install. All seemed to have gone well. However, it broke all my sites that use PHP.

Here is a description of how it appeared to be broken. This is just an example, as I don't really own fakename.com.

[snip]
Re: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)
I notice the INSTALL file in 4.2.2 mentions that people should write their scripts to work with this [register_globals] turned off. Based on what I've mentioned below, what can I do to conform to this statement made by the PHP authors? From what I know about programming, I am setting globals where appropriate already.. but apparently I am incorrect, since upgrading to 4.2.2 broke all my stuff unless I turn [register_globals] on. Any suggestions?

Thanks for your reply,

Kris

1LT John W. Holmes wrote:

> Upgrade and turn on register_globals in php.ini.
>
> ---John Holmes...
>
> ----- Original Message -----
> From: Kristopher Yates [EMAIL PROTECTED]
> To: php-general [EMAIL PROTECTED]
> Sent: Monday, July 22, 2002 3:51 PM
> Subject: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)
>
> Hi,
>
> I have been running 4.1.2 for a while with no problems. This morning, I downloaded 4.2.2, did a configure/make/make install. All seemed to have gone well. However, it broke all my sites that use PHP.
>
> Here is a description of how it appeared to be broken. This is just an example, as I don't really own fakename.com.
>
> User goes to http://www.fakename.com/index.php
> User clicks on help and gets the main index page instead of the help page.
> The URL for help is.. http://www.fakename.com/index.php?target=help
>
> It is like PHP gets passed variables and forgets them immediately. What do I need to do? I reinstalled 4.1.2 and things are working again. Naturally, I would like to safely upgrade to 4.2.2.
>
> Thanks in advance for any help out there. I am at a loss for ideas on solving this myself.
>
> Kris
Re: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)
> I notice the INSTALL file in 4.2.2 mentions that people should write their scripts to work with this [register_globals] turned off. Based on what I've mentioned below, what can I do to conform to this statement made by the PHP authors? From what I know about programming, I am setting globals where appropriate already.. but apparently I am incorrect, since upgrading to 4.2.2 broke all my stuff unless I turn [register_globals] on. Any suggestions?

Keeping register_globals OFF simply gives you the opportunity to make fewer mistakes in your code. When you have a link like http://www.example.com/page.php?ID=1, reg_globals ON will create a variable $ID that you can use in your script. The problem is, you don't know if it came from the URL, a POSTed form, a COOKIE, or what.

The second problem is that if I use the variable $blah somewhere in my script, a malicious user could pass a value of $blah through the URL, POST, or COOKIE, and create problems in my code.

With reg_globals OFF, you have to access the variables in the $_GET, $_POST, $_COOKIE, etc, arrays. $_GET['ID'] for the example above, tells you for sure that the value came from the URL. Also, if I make a variable $blah somewhere in my script, I know that the user can't affect its value at all, even by passing ?blah=foo in the URL.

So basically you should begin using the superglobal arrays $_GET, $_POST, $_COOKIE, $_ENV, $_SERVER, and $_SESSION in your scripts...

HTH!

---John Holmes...
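
Added example (not part of the original thread or of any poster's code): the two behaviours described in the message above, side by side. register_globals=On is emulated with extract() because the directive was removed in PHP 5.4; the $is_admin flag, the page names and the request array are assumptions constructed for illustration.

```php
<?php
// Constructed request data standing in for the query string of
// index.php?target=help&is_admin=1 (in a real script this is $_GET).
$request = ['target' => 'help', 'is_admin' => '1'];

// register_globals=On, emulated: every request key becomes a variable.
function legacy_page(array $request, bool $login_ok): array
{
    extract($request);          // what register_globals did implicitly
    if ($login_ok) {
        $is_admin = true;       // only ever assigned on success...
    }
    // ...so on failure $is_admin is whatever the request supplied.
    return ['page'  => isset($target) ? $target : 'index',
            'admin' => !empty($is_admin)];
}

// register_globals=Off style: read from the named source array only,
// initialise every local, and check the value against an allowlist.
function strict_page(array $get, bool $login_ok): array
{
    $is_admin = $login_ok;                  // always initialised locally
    $pages    = ['index', 'help'];          // hypothetical allowlist
    $target   = $get['target'] ?? 'index';
    if (!is_string($target) || !in_array($target, $pages, true)) {
        $target = 'index';                  // unknown or non-string value
    }
    return ['page' => $target, 'admin' => $is_admin];
}

// Same request, failed login in both cases.
var_dump(legacy_page($request, false));
var_dump(strict_page($request, false));
```

Run with the php command-line binary: the first result reports admin as true although the login failed, while the second keeps admin false and still routes to the help page.
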
Re: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)
If you need register globals on for your old stuff, but want to write better new code, you can just use

<?php ini_set('register_globals', 0); ?>

in your new stuff.

If you are trying to turn register_globals off for the whole system, make sure you're changing the right php.ini. phpinfo(); will give you the location where PHP looks for your php.ini. If you run the command line version (command line and apache module), just run

$ php -r 'phpinfo();' | grep 'php.ini'

from the command line

-Evan

--
What you cannot enforce, do not command.
Sophocles
Re: [PHP] upgrade 4.1.2 to 4.2.2 (passing vars problem with 4.2.2)
Evan Nemerson wrote:

> If you need register globals on for your old stuff, but want to write better new code, you can just use
>
> <?php ini_set('register_globals', 0); ?>
>
> in your new stuff.

You can't do this in a php file... by the time it gets to this line, it's too late. According to the set_ini function on php.net, register_globals is only set-able in the ini file or in .htaccess.

P.