RE: [PHP] Empty $_SESSION and $_POST ??
Have you tried doing phpinfo() and seeing what values are coming up?

-----Original Message-----
From: Andre Dubuc [mailto:[EMAIL PROTECTED]]
Sent: April 22, 2002 5:59 PM
To: Erik Price
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Empty $_SESSION and $_POST ??

On Monday 22 April 2002 05:34 pm, you wrote:
> On Monday, April 22, 2002, at 03:47 PM, Andre Dubuc wrote:
> > I tried what you suggested, and indeed globals are off. Perhaps my
> > problem stems from my use of the $_GET[] with $vars. I guess I don't
> > really understand what I'm doing. If you would take a peek at this
> > code [I think I've introduced a security hole, and I'm mixing up
> > things]:
>
> I think the problem you're having is basically understanding what
> register_globals does, and why some people might want to turn it off.
> [...]
Re: [PHP] Empty $_SESSION and $_POST ??
On Mon, 22 Apr 2002, Andre Dubuc wrote:
> would be OK. It seems it's the ONLY way my script will allow the array to
> be put into the database (PostgreSQL). If I type into the INSERT command
>
>   $bozo, $next_var, $next_next_var        // it works
>   $_GET['bozo'], $_GET['next_var'], etc   // I get T_Variable undefined
>
> ** The problem here is that $_SESSION['anything'] or $_GET['anything']
> doesn't work. It refuses to print or pass anything. Why? I can't figure
> that out? I've tried a simple test, and yes the globals are off. But using
> the $bozo = $_GET['bozo']; approach, at least it writes to the database,
> but I cannot access the arrays at all??? And, I HAVE to write these for
> ALL the variables, else it doesn't get passed to the db. Sigh. So where am
> I messing up?

Once again, just do {$_SESSION['anything']} with the {curly braces} around it, if the array dereference is anywhere inside double quotes.

miguel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Empty $_SESSION and $_POST ??
On Wednesday 24 April 2002 09:18 am, you wrote:
> Have you tried doing phpinfo() and seeing what values are coming up?

I finally got everything working, thanks to Erik Price's excellent help and to all the others who offered their suggestions. Thanks for your suggestion!

Regards,
Andre

-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.
May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/
Re: [PHP] Empty $_SESSION and $_POST ??
First thing I should say is, you only need to quote the relevant part of an email -- that way, everyone knows exactly what to read (rather than pages of old email threads) to answer the question. But don't worry about it.

Now, on to your situation --

> That clears up a lot. I sort of thought doing:
>
>   $bozo = $_GET['bozo'];
>
> would be OK. It seems it's the ONLY way my script will allow the array to
> be put into the database (PostgreSQL). If I type into the INSERT command
>
>   $bozo, $next_var, $next_next_var        // it works
>   $_GET['bozo'], $_GET['next_var'], etc   // I get T_Variable undefined

Well, it would be most helpful to see your actual INSERT statement, but I'm going to take a guess at what you're doing. You're probably doing it like this:

  $sql = "INSERT INTO table (row1, row2, row3) VALUES ($_GET['bozo'], $_GET['dodo'], $_GET['next_var'])";

And this is why you're having a problem. As cool as the superglobals are, their biggest inconvenience is that you can't use them inside of quoted strings like you can with the more simple variable names. In other words, you used to be able to do

  $sql = "INSERT INTO table (row1, row2, row3) VALUES ($bozo, $dodo, $next_var)";

and the variable names would automatically expand to their values inside the string. With superglobals, you need to actually break out of the string by using the dot to append variable names. So if you don't want to assign all of your superglobals to simpler $variablenames, you can do it this way:

  $sql = "INSERT INTO table (row1, row2, row3) VALUES (" . $_GET['bozo'] . ", " . $_GET['dodo'] . ", " . $_GET['next_var'] . ")";

Here, what I've done is created a string that is broken into separate concatenated bits with the dot (concatenation) operator. If you have a syntax-coloring text editor, it will be a BIG help because it will colorize the strings so that you can get a better feel for what you're doing. I strongly recommend that you get a hold of one; from what I understand there are free ones for Windows, and I'm pretty sure that emacs and vim on Unix can do it.

Another way to do it is to use the braces to single out your variable name; here is the same example done in this way:

  $sql = "INSERT INTO table (row1, row2, row3) VALUES ({$_GET['bozo']}, {$_GET['dodo']}, {$_GET['next_var']})";

By doing this you don't have to break out of the string and concatenate. I prefer to do the concatenation, but it's really a matter of choice -- you could even use sprintf() to do the same thing:

  $sql = sprintf("INSERT INTO table (row1, row2, row3) VALUES (%s, %s, %s)", $_GET['bozo'], $_GET['dodo'], $_GET['next_var']);

See, there's a lot of different ways to do it. In my opinion, it is only a minor inconvenience to have to work around this, and I far prefer to use the superglobals if only to help remind me as to which kind of variable I'm talking about (a GET var vs a POST var vs a SESSION var).

> In the application I'm developing I have a LOT of variables.
>
> **
> /* This page is actually a confirmation page, I've tried to collect the
>    info from page 1 ($bozo) and page 2 ($dodo) and print them to screen
>    as in */
>
>   $bozo = $_GET['bozo'];
>   $dodo = $_GET['dodo'];
>   print "$bozo $dodo";
>
> /* I've also tried $_SESSION['bozo'], $_GET['bozo'], left out the
>    '$bozo = $_GET['bozo']' etc, etc, etc. -- I don't know what I'm doing
>    here!! Help! ! */
> ?>

What seems to be the problem here?

> The problem here is that $_SESSION['anything'] or $_GET['anything']
> doesn't work. It refuses to print or pass anything. Why? I can't figure
> that out? I've tried a simple test, and yes the globals are off. But using
> the $bozo = $_GET['bozo']; approach, at least it writes to the database,
> but I cannot access the arrays at all??? And, I HAVE to write these for
> ALL the variables, else it doesn't get passed to the db. Sigh. So where am
> I messing up?

I'm not sure that you are -- it shouldn't be refusing to print or pass anything. Test to make sure that your PHP binary is working correctly, with the following script:

  <html><head><title>test</title></head>
  <body>
  <p>My name is:
  <?php
  if (isset($_GET['name']) && !empty($_GET['name'])) {
      print "<strong>" . $_GET['name'] . "</strong></p>\n";
  } else {
      print "<form method=\"get\" action=\"" . $_SERVER['PHP_SELF'] . "\"><input type=\"text\" name=\"name\" /></p>\n<p><input
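As an added example (my code, not Erik's or Andre's), the three string-building forms above side by side on constructed request data, plus a parameterised INSERT through pg_query_params(), which exists from PHP 5.1 on and keeps the request values out of the SQL text altogether. The table name "some_table" replaces Erik's placeholder "table", which PostgreSQL reserves, and the connection string is hypothetical.

```php
<?php
// Added example, not from the thread. Constructed request data stands in for a
// real GET; the apostrophe in "o'brien" shows why pasting request values into
// SQL text, by any of the three methods, is fragile.
$_GET = ['bozo' => 'andre', 'dodo' => "o'brien", 'next_var' => 'x'];

// 1. Break out of the double-quoted string and concatenate with the dot.
function sqlConcat(array $get): string
{
    return "INSERT INTO some_table (row1, row2, row3) VALUES ('"
        . $get['bozo'] . "', '" . $get['dodo'] . "', '" . $get['next_var'] . "')";
}

// 2. Stay inside the string; curly braces mark the array dereference.
function sqlBraces(array $get): string
{
    return "INSERT INTO some_table (row1, row2, row3) "
        . "VALUES ('{$get['bozo']}', '{$get['dodo']}', '{$get['next_var']}')";
}

// 3. sprintf() with one %s placeholder per value.
function sqlSprintf(array $get): string
{
    return sprintf(
        "INSERT INTO some_table (row1, row2, row3) VALUES ('%s', '%s', '%s')",
        $get['bozo'], $get['dodo'], $get['next_var']
    );
}

// 4. Parameterised query: $1..$3 are bound server-side to the values array, so
// a quote inside the data cannot alter the statement. Needs PHP 5.1 or later.
function insertRow($conn, array $get)
{
    return pg_query_params(
        $conn,
        'INSERT INTO some_table (row1, row2, row3) VALUES ($1, $2, $3)',
        [$get['bozo'], $get['dodo'], $get['next_var']]
    );
}

// True when the three string-building forms yield identical SQL text.
function allFormsAgree(array $get): bool
{
    $a = sqlConcat($get);
    return $a === sqlBraces($get) && $a === sqlSprintf($get);
}

// True when the built statement still has balanced single quotes; the
// apostrophe in "o'brien" makes all three forms fail this check.
function quotesBalanced(string $sql): bool
{
    return substr_count($sql, "'") % 2 === 0;
}

echo sqlConcat($_GET), "\n";
echo 'forms agree:     ', var_export(allFormsAgree($_GET), true), "\n";
echo 'quotes balanced: ', var_export(quotesBalanced(sqlConcat($_GET)), true), "\n";

// Hypothetical connection string; only attempted when the pgsql extension is
// loaded and a server answers, so the script still runs without a database.
if (function_exists('pg_connect')) {
    $conn = @pg_connect('host=localhost dbname=sponsors user=app');
    if ($conn !== false) {
        insertRow($conn, $_GET);
    }
}
```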
[PHP] Re: {PHP] Empty $_SESSION and $_POST??
Hi Eric,

First off, my apologies for the bloat replies, and for the re-write of this thread -- your last reply accidentally was deleted.

My actual INSERT command (for page 1):

  $query = "INSERT INTO sponsor (sid, sfname, ssname, sinit, saddr1, saddr2, scity, sprov, scountry, scode, sstatus, sdate, susername, spwd, smail, sipaddress) values (nextval('sponsor_sid_seq'), '$sfname', '$ssname', '$sinit', '$saddr1', '$saddr2', '$scity', '$sprov', '$scountry', '$scode', 'Guest', '$sdate', '$susername', '$spwd', '$smail', '$sipaddress')";
  // page 2 is the same except the prefix s changes to r in each field

I tried with VALUES ($_GET['sfname'] etc, etc and got a T_Variable error as you said would happen. I've yet to try what you've suggested, but since the "Test to ensure your PHP binary is working" shows that it is indeed functioning, I think with the info you've provided, I should be able to pass the variables or the array to the next page.

I did a print_r($_GET); for pages 1 and 2, and both showed the array for that page only. I sort of thought that the command would show the $_GET array growing with the values from page 1 and page 2.

That seems to be where the problem lies. Using $sfname = $_GET['sfname']; on page 1 and $rfname = $_GET['rfname'] on page 2, I would have assumed that the print_r($_GET) done on page 2 would show both sfname AND rfname. But perhaps I am misunderstanding the function of print_r($_GET) -- it's probably non-cumulative and specific to the page from which it was called on. If that's the case, what precisely is the value of these superglobals when, in fact, they are specific to ONE page only???

Btw, your explanations are superb!

> With superglobals, you need to actually break out of the string by using
> the dot to append variable names.

How I wish I knew that before: I don't recall running into that statement anywhere in the docs. I think I'll get used to dot notation [I used it a lot in Paradox PAL] and re-do my scripts properly.

I'll get back to you on how it goes. Thank-you very much, Eric -- your advice and your excellent help is really what OpenSource is all about.

Regards,
Andre

-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.
May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/
Re: [PHP] Re: {PHP] Empty $_SESSION and $_POST??
»Andre Dubuc« said on 2002-04-23 at 14:28:56 -0400:
> I tried with VALUES ($_GET['sfname'] etc, etc and got a T_Variable error

If that's part of a string, then it's for sure broken. The correct way would be

  VALUES (" . $_GET['sfname']

> non-cumulative and specific to the page from which it was called on. If
> that's the case, what precisely is the value of these superglobals when,
> in fact, they are specific to ONE page only???

$_GET contains all the values which have been submitted to the current page via a GET HTTP request. If you want to pass variables from one invocation to another without using GET or POST, I'd suggest having a look at PHP sessions. With sessions, you can pass as much data as you wish without revealing what kind of data you're passing along. Plus, you don't need to worry about having to encapsulate the data so that it can be passed in the first place.

Alexander Skwar
-- 
How to quote: http://learn.to/quote (german) http://quote.6x.to (english)
Homepage: http://www.iso-top.de | Jabber: [EMAIL PROTECTED]
iso-top.de - The inexpensive way to get Linux distributions
Uptime: 14 hours 53 minutes
Re: [PHP] Re: {PHP] Empty $_SESSION and $_POST??
On Tuesday, April 23, 2002, at 02:28 PM, Andre Dubuc wrote:
> I tried with VALUES ($_GET['sfname'] etc, etc and got a T_Variable error
> as you said would happen. I've yet to try what you've suggested, but since
> the "Test to ensure your PHP binary is working" shows that it is indeed
> functioning, I think with the info you've provided, I should be able to
> pass the variables or the array to the next page.

Yep. You can't do it with

  "VALUES ($_GET['sfname'] etc, etc"

You'll have to do it with

  "VALUES (" . $_GET['sfname'] . ", " . etc . ", " . ")";

> I did a print_r($_GET); for pages 1 and 2, and both showed the array for
> that page only. I sort of thought that the command would show the $_GET
> array growing with the values from page 1 and page 2.

Think about it -- the $_GET array simply shows the variables that were sent to that particular script using the GET method. Since HTTP is stateless, this won't grow over the lifetime of a browser's session -- for that you need to take your GET variables and place them into an array in a SESSION variable or something. What you have observed is normal.

One other way to make your GET array grow is to grab the contents of the $_GET array using a foreach () loop or something, and then place them into a hidden form field. But bear in mind that the GET method only supports like 255 characters or something like that, so doing this isn't advisable -- that is, after all, what session variables were developed for.

> That seems to be where the problem lies. Using $sfname = $_GET['sfname'];
> on page 1 and $rfname = $_GET['rfname'] on page 2, I would have assumed
> that the print_r($_GET) done on page 2 would show both sfname AND rfname.
> But perhaps I am misunderstanding the function of print_r($_GET) -- it's
> probably non-cumulative and specific to the page from which it was called
> on. If that's the case, what precisely is the value of these superglobals
> when, in fact, they are specific to ONE page only???

First of all, just so we're clear on this, print_r simply prints out the raw value of a variable or array or object or whatever. It's something that you usually only use in development, to echo back to yourself the contents of a variable so you can make sure that your code is working as expected (or find out what's wrong if it's not).

SUPERGLOBAL doesn't refer to SUPERSESSION -- it doesn't mean that the variables become any more persistent than before. The differences are slight, and the name SUPER may have misled you. What is meant by SUPERGLOBAL is that when you refer to a superglobal using the superglobal syntax ($_GET, $_SERVER, etc), it is automatically globalized. What value is this? Well, for one thing you don't have to declare these as global with the global keyword in a function. Normally, this won't work:

  $name = "Andre Dubuc";
  function printname() {
      print $name;
  }

...because $name is defined outside the scope of the function. The name needs to be passed to the function as an argument, or by using the global keyword...

  // as an argument:
  $name = "Andre Dubuc";
  function printname($name) {
      print $name;
  }

  // using global keyword
  $name = "Andre Dubuc";
  function printname() {
      global $name;
      print $name;
  }

These will both result in "Andre Dubuc" being printed to the screen. But here is a superglobal being used:

  // $_GET['name'] has been passed to the script,
  // and its value is "Andre Dubuc"
  function printname() {
      print $_GET['name'];
  }

This will in fact print the name as expected, even though the name hasn't been passed as an argument or globalized by the global keyword. Why is this useful? Well, I have a feeling that the PHP developers anticipated some unfavorable reaction to deprecating register_globals = on. So, instead of requiring everyone to use $HTTP_*_VARS all the time (which is between 14 and 20 extra characters depending on what array we're talking about), they came up with the much shorter $_* variable names. Easier to use. And, since the PHP coder in question is referring to these variables in a much more specific fashion (by using $_GET to refer to GET variables or $_SESSION to session variables), they are less likely to inadvertently globalize some malicious input from a user -- so why not provide the convenience of making the variables global?

> > With superglobals, you need to actually break out of the string by using
> > the dot to append variable names.
>
> How I wish I knew that before: I don't recall running into that statement
> anywhere in the docs.

It's just like the + operator in JavaScript (well, actually in JS the + operator also performs addition). You'll find the dot extremely useful -- I'm sure you already know this one:

  $name = "Andre ";
  $name .= "Dubuc";
  print $name; // prints Andre Dubuc

> I think I'll get used to dot notation [I used it a lot in Paradox PAL] and
> re-do my scripts properly. I'll get back to you on how it goes. Thank-you
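Erik's suggestion of collecting each page's GET variables into an array inside $_SESSION, as an added example that is neither his nor Andre's code: the helper names and the per-page field lists are assumptions, the field names come from Andre's sponsor table, and constructed arrays stand in for what each page would receive in $_GET.

```php
<?php
// Added example, not from the thread. On a real page, session_start() must run
// before $_SESSION is touched; here a plain array stands in for the session so
// the script runs from the command line.

// Copy only the fields this page is expected to submit into the session store.
// Anything else on the querystring is ignored rather than stored wholesale,
// so a stray admin=yes never lands in the session. Returns how many were stored.
function stashFields(array $get, array &$session, array $expected, string $page): int
{
    $stored = 0;
    foreach ($expected as $field) {
        if (isset($get[$field]) && $get[$field] !== '') {
            $session['sponsor'][$page][$field] = $get[$field];
            $stored++;
        }
    }
    return $stored;
}

// What the confirmation page (page 3) would show: every field collected so
// far, regardless of which page it came from.
function collectedFields(array $session): array
{
    $all = [];
    foreach ($session['sponsor'] ?? [] as $page => $fields) {
        $all += $fields;   // page-1 names (s*) and page-2 names (r*) do not collide
    }
    return $all;
}

// Constructed stand-ins for $_GET as each page would receive it.
$page1Get = ['sfname' => 'Andre', 'ssname' => 'Dubuc', 'scity' => 'Sampletown', 'admin' => 'yes'];
$page2Get = ['rfname' => 'Jane', 'rsname' => 'Doe', 'rcity' => ''];

$session = [];   // stands in for $_SESSION; pass $_SESSION itself on a real page

// page 1, after its form is submitted with method="get":
stashFields($page1Get, $session, ['sfname', 'ssname', 'scity'], 'page1');
// page 2:
stashFields($page2Get, $session, ['rfname', 'rsname', 'rcity'], 'page2');
// page 3: $_GET would hold only page 2's fields, but the session holds
// everything collected (and no 'admin' key, which no page expected).
print_r(collectedFields($session));
```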
Re: [PHP] Empty $_SESSION and $_POST ??
On Friday, April 19, 2002, at 09:41 PM, Andre Dubuc wrote:
> Is there a way I can verify that (a) globals are off and (b) $_SESSION or
> $_POST are on? This is probably what's happening -- I can't access the
> arrays at all -- so, I think that might be where the problem lies. The
> $vars still work though throughout all scripts.

$_SESSION and $_POST and other superglobals are already on all the time if you use PHP 4.1.x or later. Verify that globals are off by writing a script that checks for the presence or the value of $variable and then pass variable=1 or something on the querystring in your browser.

Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
Re: [PHP] Empty $_SESSION and $_POST ??
On Monday 22 April 2002 09:50 am, you wrote:
> On Friday, April 19, 2002, at 09:41 PM, Andre Dubuc wrote:
> > Is there a way I can verify that (a) globals are off and (b) $_SESSION
> > or $_POST are on? This is probably what's happening -- I can't access
> > the arrays at all -- so, I think that might be where the problem lies.
> > The $vars still work though throughout all scripts.
>
> $_SESSION and $_POST and other superglobals are already on all the time if
> you use PHP 4.1.x or later. Verify that globals are off by writing a script
> that checks for the presence or the value of $variable and then pass
> variable=1 or something on the querystring in your browser.
>
> Erik
>
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]

Thanks Eric,

Sorry about the delay in replying. I was at a funeral today.

I tried what you suggested, and indeed globals are off. Perhaps my problem stems from my use of the $_GET[] with $vars. I guess I don't really understand what I'm doing. If you would take a peek at this code [I think I've introduced a security hole, and I'm mixing up things]:

On page 1:

  <?php session_start(); ob_start(); ?>   // ob_start(); so I can have html headers on this page redirect later
  // some other code
  <form action="page2.php" method="get">
  <?php
  // The following line is where I think I've caused myself grief.
  <input type="text" size="20" name="bozo">
  // many other lines of code
  <input type="submit" name="submit" value="Agree">
  ?>

On page 2:

  <?php session_start(); ob_start(); ?>   // ob_start(); so I can have html headers on this page redirect later
  // some other code
  <form action="page3.php" method="get">
  <?php
  $bozo = $_GET['bozo'];
  /* Now is this correct? Am I exposing 'bozo' to a security hole? For the
     rest of the script, with each $_GET['var'] from the previous page I do
     the same. Somehow, I don't think I've grasped what to do with $vars.
     From my reading elsewhere, should I, for example, in page 1 use
     something like:
       <input type="text" size="20" name="<?php echo $_SESSION['bozo'] ?>">
     Once I figure out how I'm supposed to write the variables in the
     scripts, I'll be OK. But I'm so CONFUSED! */
  if ($bozo == "") die ("Please enter your 'First Name'. <br><br> Click 'Back' in your browser to enter this information.");
  // new input variable unique to page 2
  <input type="text" size="20" name="dodo">
  // other code: including an if $level statement that checks for level of
  // registration and redirects, using header(location . . .)
  session_write_close(); // to allow the header through
  header("location:page3.php");
  ?>

On page 3:

  <? session_start(); ob_start(); ?>
  <?php
  /* This page is actually a confirmation page, I've tried to collect the
     info from page 1 ($bozo) and page 2 ($dodo) and print them to screen
     as in */
  $bozo = $_GET['bozo'];
  $dodo = $_GET['dodo'];
  print "$bozo $dodo";
  /* I've also tried $_SESSION['bozo'], $_GET['bozo'], left out the
     '$bozo = $_GET['bozo']' etc, etc, etc. -- I don't know what I'm doing
     here!! Help! ! */
  ?>

{Btw, I've used bozo and dodo since it's easier to spot the difference than what I actually use for the field :]

Tia,
Andre

-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.
May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/
Re: [PHP] Empty $_SESSION and $_POST ??
On Monday, April 22, 2002, at 03:47 PM, Andre Dubuc wrote:
> I tried what you suggested, and indeed globals are off. Perhaps my problem
> stems from my use of the $_GET[] with $vars. I guess I don't really
> understand what I'm doing. If you would take a peek at this code [I think
> I've introduced a security hole, and I'm mixing up things]:

I think the problem you're having is basically understanding what register_globals does, and why some people might want to turn it off. register_globals takes a variable (doesn't matter if it's a server variable, a cookie variable, a post variable, or a get variable) and registers it as global throughout the script. This means that if someone types

  http://www.domain.com/index.php?firstname=andre&lastname=dubuc

into the Address bar of her browser, she has just requested the index.php resource from the server at www.domain.com using the HTTP protocol and sent two variables to the server using the GET method:

  $firstname = 'andre'
  $lastname = 'dubuc'

If you have register_globals turned on, then your script can look like this:

  if ($firstname == 'andre' && $lastname == 'dubuc') {
      // do something
  }

and it still works. However, if you have register_globals turned off, then the above 'if test' won't work. This is because these variables are not $firstname and $lastname, they are $_GET['firstname'] and $_GET['lastname']. To do an 'if test' with register_globals off, you should do:

  if ($_GET['firstname'] == 'andre' && $_GET['lastname'] == 'dubuc') {
      // do something
  }

There's really not much of a difference. The thing is that instead of being a global variable, the data that you passed is now an element of the $_GET array. So you use the standard element notation, using the associative index of the variable name. If you do this:

  $firstname = $_GET['firstname'];
  $lastname = $_GET['lastname'];

...you make your code simpler to understand, but be careful that you don't do something in the same script like

  $lastname = $row['last_name'];

(which could happen if you were trying to simplify your MySQL result data.)

I'll take a look at what you've got

> On page 1:
>
>   <?php session_start(); ob_start(); ?>   // ob_start(); so I can have html headers on this page redirect later
>   // some other code
>   <form action="page2.php" method="get">
>   <?php
>   // The following line is where I think I've caused myself grief.
>   <input type="text" size="20" name="bozo">
>   <input type="submit" name="submit" value="Agree">
>   ?>

Yeah, I'd say you've caused yourself some grief. This isn't even related to register_globals -- you've got two HTML input tags in the middle of your PHP block. You need to print() or echo these, not just type them in directly.

  print("<input type='text' size='20' name='bozo' />");
  print("<input type='submit' name='submit' value='Agree'>");

>   $bozo = $_GET['bozo'];
>   /* Now is this correct? Am I exposing 'bozo' to a security hole? For the
>      rest of the script, with each $_GET['var'] from the previous page I do
>      the same. Somehow, I don't think I've grasped what to do with $vars.
>      From my reading elsewhere, should I, for example, in page 1 use
>      something like:
>        <input type="text" size="20" name="<?php echo $_SESSION['bozo'] ?>">

I prefer to do it the way that you have read elsewhere, but it really doesn't matter. Either way, you have a variable in your script that points to some user-specified data. What you've done is simplified the results, similar to what some people do when they pull data out of a result set with mysql_fetch_array(). The only security hole is if you have written your script to do something unsafe with the $bozo variable.

HOWEVER... bear in mind that now that you are referring to this variable in this fashion, you could end up inadvertently overwriting this variable with a new variable, by doing something like

  $bozo = $row['bozo'];

-- something that is far less likely to occur when referring to it as $_GET['bozo']. It really depends on how organized your code is. If I were you, I would probably get into the habit of calling it $_GET['bozo'], since that just saves you time and stress in the long run.

The only security hole would be this:

  $_SESSION['admin'] = 'yes';    // indicates that user is an administrator
  $admin = $_SESSION['admin'];   // simplify our variable name
  if ($admin == 'yes') {         // if user is an administrator
      // display some sensitive data
  }

  // for some stupid reason we do this
  $admin = $_GET['admin'];       // obviously you wouldn't do something like this
  if ($admin == 'yes') {
      // display some sensitive data
  }

Essentially, in the above code, you've given the value of a GET variable called admin the same power as a session variable called admin. This is bad practice in general, and I'm sure you wouldn't make this mistake. Simply making $admin = $_SESSION['admin'] does NOT mean that someone can type admin=yes into the querystring and automatically become the admin, because register_globals is OFF -- this
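The $admin hole Erik describes, as an added example that is my code rather than his: the same check under register_globals=on (mimicked with extract(), which is what the setting effectively did to every request; PHP removed register_globals in 5.4), under register_globals=off with the short name reused for request data, and in the form that reads only the session. The session and request arrays are constructed stand-ins for $_SESSION and $_GET.

```php
<?php
// Added example, not part of the thread. A logged-in, non-admin user whose
// querystring carries ?admin=yes&firstname=andre.
$session = ['admin' => 'no'];
$request = ['admin' => 'yes', 'firstname' => 'andre'];

// register_globals=on turned every request key into a plain variable, silently
// overwriting any existing variable of that name. extract() with its default
// EXTR_OVERWRITE flag reproduces that for one array.
function checkAdminRegisterGlobalsOn(array $session, array $get): bool
{
    $admin = $session['admin'];    // trusted value written by the login code
    extract($get);                 // ?admin=yes has just replaced $admin
    return $admin === 'yes';
}

// register_globals=off, but the script reuses the short name for request data
// further down (Erik's "for some stupid reason we do this" case).
function checkAdminShadowed(array $session, array $get): bool
{
    $admin = $session['admin'];
    // ... many lines later ...
    $admin = $get['admin'] ?? '';
    return $admin === 'yes';
}

// The decision reads session state only; request data is never copied into
// the same name, so admin=yes on the querystring has no effect.
function checkAdminSafe(array $session): bool
{
    return ($session['admin'] ?? 'no') === 'yes';
}

foreach ([
    'register_globals on'       => checkAdminRegisterGlobalsOn($session, $request),
    'off, but $admin shadowed'  => checkAdminShadowed($session, $request),
    'off, session only'         => checkAdminSafe($session),
] as $case => $granted) {
    printf("%-26s admin granted: %s\n", $case, var_export($granted, true));
}
```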
Re: [PHP] Empty $_SESSION and $_POST ??
On Fri, 19 Apr 2002, Andre Dubuc wrote:
> Whenever I try:
>     print("$_SESSION['sfname']");
> or
>     print("$_POST['scity']");
> I get a parse error expecting 'T_STRING' . . . -- obviously there's nothing in the array or I haven't set it.

You just have a simple syntax error. You can use any of the following:

    print $_SESSION['sfname'];
    print "{$_SESSION['sfname']}";
    print "${_SESSION['sfname']}";

But you can't put a bare array dereference inside a quoted string like you tried above. You need to surround it with {curly braces} or take it outside the quoted string.

miguel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Empty $_SESSION and $_POST ??
On Friday 19 April 2002 08:13 pm, you wrote:
> On Fri, 19 Apr 2002, Andre Dubuc wrote:
> > Whenever I try:
> >     print("$_SESSION['sfname']");
> > or
> >     print("$_POST['scity']");
> > I get a parse error expecting 'T_STRING' . . . -- obviously there's nothing in the array or I haven't set it.
>
> You just have a simple syntax error. You can use any of the following:
>
>     print $_SESSION['sfname'];
>     print "{$_SESSION['sfname']}";
>     print "${_SESSION['sfname']}";
>
> But you can't put a bare array dereference inside a quoted string like you tried above. You need to surround it with {curly braces} or take it outside the quoted string.
>
> miguel

Hi Miguel,

I tried all three -- none work. I question whether register_globals is truly off since, earlier when I changed php.ini it dumped my Postgresql and left the phpinfo() unchanged. This time it reported the change, and Postgresql is working.

Is there a way I can verify that (a) globals are off and (b) $_SESSION or $_POST are on? This is probably what's happening -- I can't access the arrays at all -- so, I think that might be where the problem lies. The $vars still work though throughout all scripts.

Any ideas?

Tia,
Andre

-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.
May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/
Re: [PHP] Empty $_SESSION and $_POST ??
I'm running PHP 4.1.2 + Apache 1.3.23 + PostgreSQL 7.2. I've tried reverting back to globals=on, and same problem. Yet, earlier in another script I used $sfname = $_GET['sfname']; to get the value of sfname -- now, it won't work.

I'm truly stumped -- I don't know whether it's my code? [I'm beginning to think it isn't because of the flakiness of the php.ini failing to report changes accurately.] I've dumped PHP and re-installed it, but the same problem persists.

Now for the big question -- what's wrong with globals=on anyway? Eventually the site will be public, and probably the host won't allow globals on, but what's the security risk? You say $_SESSION[] and $_POST[] are always on -- even if globals are on? Can I verify what all the variables in the array are? Where would I look?

By the look of things, I've got a major problem -- but I don't know where to look. Help? Please?

Tia,
Andre

On Friday 19 April 2002 10:17 pm, you wrote:
> I accidentally deleted your last message. But with current versions of PHP, $_POST, etc., are always on and there's no way to turn them off. Which version are you running? (check phpinfo()).
>
> miguel
>
> On Fri, 19 Apr 2002, Miguel Cruz wrote:
> > On Fri, 19 Apr 2002, Andre Dubuc wrote:
> > > Whenever I try:
> > >     print("$_SESSION['sfname']");
> > > or
> > >     print("$_POST['scity']");
> > > I get a parse error expecting 'T_STRING' . . . -- obviously there's nothing in the array or I haven't set it.
> >
> > You just have a simple syntax error. You can use any of the following:
> >
> >     print $_SESSION['sfname'];
> >     print "{$_SESSION['sfname']}";
> >     print "${_SESSION['sfname']}";
> >
> > But you can't put a bare array dereference inside a quoted string like you tried above. You need to surround it with {curly braces} or take it outside the quoted string.
> >
> > miguel
Re: [PHP] Empty $_SESSION and $_POST ??
On Saturday 20 April 2002 09:41, Andre Dubuc wrote:
> Is there a way I can verify that (a) globals are off and (b) $_SESSION or $_POST are on? This is probably what's happening -- I can't access the arrays at all -- so, I think that might be where the problem lies. The $vars still work though throughout all scripts.

Use:

    print_r($GLOBALS);

to see what variables you have.

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *

/* Dr. Jekyll had something to Hyde. */
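Andre's two questions (are globals really off, and are the superglobal arrays available?) can also be answered without dumping every variable. The script below is an added example, not code from Jason's reply; it relies only on ini_get(), version_compare(), session_id() and array functions, and reports key names rather than values, because print_r($GLOBALS) would also print session contents and any database credentials held in variables.

```php
<?php
// Added example (not from the thread). Reports whether register_globals is on
// and whether $_GET/$_POST/$_SESSION are usable, without printing their values.
function requestEnvironmentReport()
{
    $report = array();

    // (a) register_globals. ini_get() reflects the php.ini that was actually
    //     loaded, which catches the "edited a php.ini PHP never reads" case.
    //     It returns false on PHP >= 5.4, where the directive no longer exists.
    $rg = ini_get('register_globals');
    $off = ($rg === false || $rg === '' || $rg === '0' || strtolower($rg) === 'off');
    $report['register_globals'] = $off ? 'off' : 'ON';
    $report['loaded_php_ini'] = function_exists('php_ini_loaded_file')
        ? php_ini_loaded_file() : 'n/a (needs PHP >= 5.2.4)';

    // (b) $_GET, $_POST and $_SESSION exist from PHP 4.1.0 onward whatever
    //     register_globals says; $_SESSION is only filled after session_start().
    $report['php_version'] = PHP_VERSION;
    $report['superglobals_available'] = version_compare(PHP_VERSION, '4.1.0', '>=');
    $report['session_started'] = session_id() !== '';
    $report['get_keys']     = array_keys($_GET);
    $report['post_keys']    = array_keys($_POST);
    $report['session_keys'] = isset($_SESSION) ? array_keys($_SESSION) : array();

    // Keys present in both the request and the session are the ones a
    // "$x = $_GET['x']" rewrite, or register_globals itself, could let the
    // client overwrite; list them so they can be reviewed.
    $report['request_keys_shadowing_session'] = isset($_SESSION)
        ? array_keys(array_intersect_key($_GET + $_POST, $_SESSION))
        : array();

    return $report;
}

session_start();                 // so the $_SESSION part of the report is meaningful
print_r(requestEnvironmentReport());
```

Run it once from a browser and once from the command line: the CLI run shows empty get_keys/post_keys, which confirms the arrays themselves exist and that an empty result in the web run means the form did not submit anything, not that the arrays are "off".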