Re: [PHP-DB] converting scripts for register_globals=Off
Since I have a thing for using one file for all things in i.e. an admin script, I use POST and GET variables at the same time. Getting them mixed up is extremely hazardous..

I do stuff like:

    <a href="admin.php?action=delete&id=2">Delete post</a>

which leads to the section of the admin script;

    <?php
    if ($_GET['action'] == "delete" && $_GET['id']) {
        // lots of PHP doing lots of stuff
    } else {
        // the link
    }
    ?>

Now, if there's a POST variable named ID containing an INT matching the database, and I use $_REQUEST instead of $_GET, I'm in trouble!

Mike

On Apr 29, 2004, at 11:00, Ignatius Reilly wrote:

> even better:
> $_REQUEST['variable_name']
>
> so that you don't have to bother checking both depending on whether your form was GETted or POSTed.
>
> ----- Original Message -----
> From: Mikael Grön [EMAIL PROTECTED]
> To: Kim Jacobs (Crooks) - Mweb [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Thursday, April 29, 2004 11:54 AM
> Subject: Re: [PHP-DB] converting scripts for register_globals=Off
>
>> What register_globals does (Please correct me if I'm wrong) is convert i.e. $_POST['variable_name'], $_GET['variable_name'] and so on to $variable_name. which isn't very good from my point of view.
>>
>> I suggest you make sure you use $_GET['your_variable'] whenever you're fetching a GET variable, $_POST['var'] for all post variables and so on, instead of what you're doing now. This works just fine with register_globals = On as well, so I always use it... to be safe..
>>
>> Mike
>>
>> On Apr 29, 2004, at 10:40, Kim Jacobs (Crooks) - Mweb wrote:
>>
>>> if any of you could help me out, I would greatly appreciate it... I am an absolute beginner to php (2 weeks now) and don't know what I don't know...
>>>
>>> I have written some scripts to access my online SQL db and I've tested the scripts on my machine with PHP 4.3.6 and register_globals = On
>>>
>>> Now where I host my site, uses PHP 4.3.5 and has register_globals = Off which means of course, that my scripts aren't working, but I don't know why
>>>
>>> My question is, how do I convert my scripts so that they will work please? I know that $id and $submit are two of the 'inputs' that it doesn't like, but I don't know the rest
>>>
>>> Tx
>>> K
>>>
>>> MWEB: S.A.'s most trusted and reliable Internet Service Provider. Just Like That. To join, go to: http://join.mweb.co.za or call 0860032000.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] converting scripts for register_globals=Off
If your form is well designed, there should NOT be another POST variable named ID or id used for a different purpose.

Your form data validation routine will examine the 2-uple (action, id), not id alone. Therefore no problem.

In many cases I find it convenient to design a page so that it can be called indifferently by POST or GET.

Just my 2 Belgian francs.

Ignatius

----- Original Message -----
From: Mikael Grön [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 29, 2004 12:42 PM
Subject: Re: [PHP-DB] converting scripts for register_globals=Off

> Since I have a thing for using one file for all things in i.e. an admin script, I use POST and GET variables at the same time. Getting them mixed up is extremely hazardous..
>
> I do stuff like:
>
>     <a href="admin.php?action=delete&id=2">Delete post</a>
>
> which leads to the section of the admin script;
>
>     <?php
>     if ($_GET['action'] == "delete" && $_GET['id']) {
>         // lots of PHP doing lots of stuff
>     } else {
>         // the link
>     }
>     ?>
>
> Now, if there's a POST variable named ID containing an INT matching the database, and I use $_REQUEST instead of $_GET, I'm in trouble!
>
> Mike
>
> On Apr 29, 2004, at 11:00, Ignatius Reilly wrote:
>
>> even better:
>> $_REQUEST['variable_name']
>>
>> so that you don't have to bother checking both depending on whether your form was GETted or POSTed.
>>
>> ----- Original Message -----
>> From: Mikael Grön [EMAIL PROTECTED]
>> To: Kim Jacobs (Crooks) - Mweb [EMAIL PROTECTED]; [EMAIL PROTECTED]
>> Sent: Thursday, April 29, 2004 11:54 AM
>> Subject: Re: [PHP-DB] converting scripts for register_globals=Off
>>
>>> What register_globals does (Please correct me if I'm wrong) is convert i.e. $_POST['variable_name'], $_GET['variable_name'] and so on to $variable_name. which isn't very good from my point of view.
>>>
>>> I suggest you make sure you use $_GET['your_variable'] whenever you're fetching a GET variable, $_POST['var'] for all post variables and so on, instead of what you're doing now. This works just fine with register_globals = On as well, so I always use it... to be safe..
>>>
>>> Mike
>>>
>>> On Apr 29, 2004, at 10:40, Kim Jacobs (Crooks) - Mweb wrote:
>>>
>>>> if any of you could help me out, I would greatly appreciate it... I am an absolute beginner to php (2 weeks now) and don't know what I don't know...
>>>>
>>>> I have written some scripts to access my online SQL db and I've tested the scripts on my machine with PHP 4.3.6 and register_globals = On
>>>>
>>>> Now where I host my site, uses PHP 4.3.5 and has register_globals = Off which means of course, that my scripts aren't working, but I don't know why
>>>>
>>>> My question is, how do I convert my scripts so that they will work please? I know that $id and $submit are two of the 'inputs' that it doesn't like, but I don't know the rest
>>>>
>>>> Tx
>>>> K
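Added example (not part of the thread): the collision Mikael describes and the (action, id) pair check Ignatius describes, run on constructed request data. build_request() and delete_target() are hypothetical helpers; build_request() imitates how PHP fills $_REQUEST according to the request_order / variables_order setting. Assumes PHP 7.1 or later.

```php
<?php
// Added example; request data below is constructed for illustration.

// Hypothetical helper: merge the sources the way PHP fills $_REQUEST.
// Sources are registered left to right in the order string, and a later
// source overwrites an earlier one that has the same key.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical handler check: take action and id from the query string
// only, and accept them only as a valid pair.
function delete_target(array $get): ?int
{
    if (($get['action'] ?? null) !== 'delete') {
        return null;
    }
    $id = $get['id'] ?? null;
    if (!is_string($id) || !ctype_digit($id)) {
        return null;
    }
    return (int) $id;
}

// admin.php?action=delete&id=2 requested by a form that posts its own "id".
$get  = ['action' => 'delete', 'id' => '2'];
$post = ['id' => '7', 'title' => 'Edited post'];

// The id seen through a merged array depends on the configured order.
foreach (['GP', 'PG'] as $order) {
    $request = build_request($order, $get, $post, []);
    printf("order %s: merged id = %s\n", $order, $request['id']);
}
printf("explicit \$_GET: id = %s\n", var_export(delete_target($get), true));
printf("no action given: id = %s\n", var_export(delete_target(['id' => '2']), true));
```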
Re: [PHP-DB] converting scripts for register_globals=Off
From: Kim Jacobs (Crooks) - Mweb [EMAIL PROTECTED]

> I have written some scripts to access my online SQL db and I've tested the scripts on my machine with PHP 4.3.6 and register_globals = On
>
> Now where I host my site, uses PHP 4.3.5 and has register_globals = Off which means of course, that my scripts aren't working, but I don't know why
>
> My question is, how do I convert my scripts so that they will work please? I know that $id and $submit are two of the 'inputs' that it doesn't like, but I don't know the rest

If your program is well written, you can get away with just switching $id for $_REQUEST['id']. This is assuming you already properly validate and sanitize all of the data coming from the user. Using $_REQUEST['id'] doesn't make anything more or less secure, it's a matter of what you're doing with the data coming from the user.

---John Holmes...
Re: [PHP-DB] converting scripts for register_globals=Off
If you already have a number of scripts and, especially, if you are doing things with the variables inside the script (in other words, the variables appear more than once), it can be more convenient to convert at the top of each page, e.g.:

    $id = $_REQUEST['id'];
    $this = $_REQUEST['this'];
    $that = $_SERVER['that'];

etc...

Jeffrey Baumgartner

Date sent: Thu, 29 Apr 2004 11:40:14 +0200
From: Kim Jacobs (Crooks) - Mweb [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [PHP-DB] converting scripts for register_globals=Off

> if any of you could help me out, I would greatly appreciate it... I am an absolute beginner to php (2 weeks now) and don't know what I don't know...
>
> I have written some scripts to access my online SQL db and I've tested the scripts on my machine with PHP 4.3.6 and register_globals = On
>
> Now where I host my site, uses PHP 4.3.5 and has register_globals = Off which means of course, that my scripts aren't working, but I don't know why
>
> My question is, how do I convert my scripts so that they will work please? I know that $id and $submit are two of the 'inputs' that it doesn't like, but I don't know the rest
>
> Tx
> K
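Added example (not part of the thread): the convert-at-the-top-of-the-page approach from Jeffrey's message, combined with the validation John Holmes refers to, so that only the inputs a script names become local variables. import_inputs() and its rule names are hypothetical, and the request data is constructed. Assumes PHP 7.0 or later.

```php
<?php
// Added example; field names, rules and request data are assumptions.

// Hypothetical helper: copy only the inputs listed in $spec, each through
// a validator. Keys not listed are ignored, unlike register_globals = On
// or a blanket extract($_REQUEST), which turn every key into a variable.
function import_inputs(array $source, array $spec): array
{
    $out = [];
    foreach ($spec as $name => $rule) {
        $raw = $source[$name] ?? null;
        if (!is_string($raw)) {
            // Missing, or sent as an array (id[]=1): treat as absent.
            $out[$name] = null;
            continue;
        }
        switch ($rule) {
            case 'int':
                // Digits only; anything else is rejected, not coerced.
                $out[$name] = ctype_digit($raw) ? (int) $raw : null;
                break;
            case 'flag':
                // Submit buttons: only whether a value was sent matters.
                $out[$name] = ($raw !== '');
                break;
            default:
                // 'text': trimmed here, still escaped at the point of use.
                $out[$name] = trim($raw);
        }
    }
    return $out;
}

// Constructed request: $id and $submit from the original question, plus a
// key the script never asked for.
$request = ['id' => '42', 'submit' => 'Save', 'is_admin' => '1'];

$in     = import_inputs($request, ['id' => 'int', 'submit' => 'flag']);
$id     = $in['id'];
$submit = $in['submit'];

var_dump($id, $submit, array_key_exists('is_admin', $in));

// A malformed id comes back as null, so the script can stop before any query.
var_dump(import_inputs(['id' => '42abc'], ['id' => 'int'])['id']);
```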