RE: [PHP] Empty $_SESSION and $_POST ??

2002-04-24 Thread SP

Have you tried doing phpinfo() and seeing what values are coming up?


-Original Message-
From: Andre Dubuc [mailto:[EMAIL PROTECTED]]
Sent: April 22, 2002 5:59 PM
To: Erik Price
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Empty $_SESSION and $_POST ??


On Monday 22 April 2002 05:34 pm, you wrote:
 On Monday, April 22, 2002, at 03:47  PM, Andre Dubuc wrote:
  I tried what you suggested, and indeed globals are off. Perhaps my
  problem
  stems from my use of the $_GET[] with $vars. I guess I don't really
  understand what I'm doing. If you would take a peek at this code [I
  think
  I've introduced a security hole, and I'm mixing up things]:

 I think the problem you're having is basically understanding what
 register_globals does, and why some people might want to turn it off.

 register_globals takes a variable (doesn't matter if it's a server
 variable, a cookie variable, a post variable, or a get variable) and
 registers it as global throughout the script.  This means that if
 someone types

 http://www.domain.com/index.php?firstname=andre&lastname=dubuc

 into the Address bar of her browser, she has just requested the
 index.php resource from the server at www.domain.com using the HTTP
 protocol and sent two variables to the server using the GET method:

 $firstname = 'andre'
 $lastname = 'dubuc'

 If you have register_globals turned on, then your script can look like
 this:

 if ($firstname == 'andre' && $lastname == 'dubuc') {
// do something
 }

 and it still works.  However, if you have register_globals turned off,
 then the above 'if test' won't work.  This is because these variables
 are not $firstname and $lastname, they are $_GET['firstname'] and
 $_GET['lastname'].  To do an 'if test' with register_globals off, you
 should do:

 if ($_GET['firstname'] == 'andre' && $_GET['lastname'] == 'dubuc') {
// do something
 }

 There's really not much of a difference.  The thing is that instead of
 being a global variable, the data that you passed is now an element of
 the $_GET array.  So you use the standard element notation, using the
 associative index of the variable name.

 If you do this:

 $firstname = $_GET['firstname'];
 $lastname = $_GET['lastname'];

 ...you make your code simpler to understand, but be careful that you
 don't do something in the same script like

 $lastname = $row['last_name'];

 (which could happen if you were trying to simplify your MySQL result
 data.)

 I'll take a look at what you've got

  On page 1:
 
  <?php session_start(); ob_start(); ?>
  // ob_start(); so I can have html headers on this page & redirect later
  // some other code
  <form action="page2.php" method="get">
  <?php
  // The following line is where I think I've caused myself grief.
 
  <input type="text" size="20" name="bozo">
 
  <input type="submit" name="submit" value="Agree">
  ?>

 Yeah, I'd say you've caused yourself some grief.  This isn't even
 related to register_globals -- you've got two HTML input tags in the
 middle of your PHP block.  You need to print() or echo these, not just
 type them in directly.

 print("<input type='text' size='20' name='bozo' />");
 print("<input type='submit' name='submit' value='Agree'>");

  $bozo = $_GET['bozo'];
 
  /* Now is this correct? Am I exposing 'bozo'  to a security hole? For
  the
  rest of the script, with each $_GET['var'] from the previous page I do
  the
  same. Somehow, I don't think I've grasped what to do with $vars. From my
  reading elsewhere, should I, for example, in page 1 use something like
 
  <input type="text" size="20" name="<?php  echo
  $_SESSION['bozo'] ?>">

 I prefer to do it the way that you have read elsewhere, but it really
 doesn't matter.  Either way, you have a variable in your script that
 points to some user-specified data.  What you've done is simplified the
 results, similar to what some people do when they pull data out of a
 result set with mysql_fetch_array().  The only security hole is if you
 have written your script to do something unsafe with the $bozo variable.

 HOWEVER... bear in mind that now that you are referring to this variable
 in this fashion, you could end up inadvertently overwriting this
 variable with a new variable, by doing something like

 $bozo = $row['bozo'];

   -- something that is far less likely to occur when referring to it as
 $_GET['bozo'].

 It really depends on how organized your code is.  If I were you, I would
 probably get into the habit of calling it $_GET['bozo'], since that just
 saves you time and stress in the long run.  The only security hole would
 be this:

 $_SESSION['admin'] = 'yes'; // indicates that user is an administrator
 $admin = $_SESSION['admin']; // simplify our variable name

 if ($admin == 'yes') { // if user is an administrator
// display some sensitive data
 }

 // for some stupid reason we do this
 $admin = $_GET['admin']; // obviously you wouldn't do something like this

 if ($admin == 'yes') {
// display some sensitive data
 }

 Essentially, in the above code, you've

Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-24 Thread Miguel Cruz

On Mon, 22 Apr 2002, Andre Dubuc wrote:
 would be OK. It seems it's the ONLY way my script will allow the array to be 
 put into the database (PostgreSQL). If I type into the INSERT command 
 
    $bozo, $next_var, $next_next_var  // it works
    $_GET['bozo'], $_GET['next_var'], etc  // I get T_Variable undefined
 
 
 **
 
 The problem here is that $_SESSION['anything'] or $_GET['anything'] doesn't 
 work. It refuses to print or pass anything. Why? I can't figure that out?
 
 I've tried a simple test, and yes the globals are off. But using the 
 
 $bozo = $_GET['bozo'];  approach, at least it writes to the database, but I 
 cannot access the arrays at all??? And, I HAVE to write these for ALL the 
 variables, else it doesn't get passed to the db. 
 
 Sigh. So where am I messing up?

Once again, just do

   {$_SESSION['anything']}

with the {curly braces} around it, if the array dereference is anywhere 
inside double quotes.

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-24 Thread Andre Dubuc

On Wednesday 24 April 2002 09:18 am, you wrote:
 Have you tried doing phpinfo() and seeing what values are coming up?


I finally got everything working, thanks to Erik Price's excellent help and 
for all the others who offered their suggestions. Thanks for your suggestion!

Regards,
Andre

-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.

May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/





Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-23 Thread Erik Price

First thing I should say is, you only need to quote the relevant part of 
an email -- that way, everyone knows exactly what to read (rather than 
pages of old email threads) to answer the question.  But don't worry 
about it.

Now, on to your situation --

 That clears up a lot. I sort of thought doing:

 $bozo = $_GET['bozo'];

 would be OK. It seems it's the ONLY way my script will allow the array 
 to be
 put into the database (PostgreSQL). If I type into the INSERT command

    $bozo, $next_var, $next_next_var  // it works
    $_GET['bozo'], $_GET['next_var'], etc  // I get T_Variable 
 undefined

Well, it would be most helpful to see your actual INSERT statement, but 
I'm going to take a guess at what you're doing.  You're probably doing 
it like this:

$sql = "INSERT INTO table
(row1,
 row2,
 row3)
 VALUES ($_GET['bozo'],
 $_GET['dodo'],
 $_GET['next_var'])";

And this is why you're having a problem.  As cool as the superglobals 
are, their biggest inconvenience is that you can't use them inside of 
quoted strings like you can with the more simple variable names.  In 
other words, you used to be able to do

$sql = "INSERT INTO table
(row1,
 row2,
 row3)
 VALUES ($bozo,
 $dodo,
 $next_var)";

And the variable names would automatically expand to their values inside 
the string.  With superglobals, you need to actually break out of the 
string by using the dot to append variable names.  So if you don't want 
to assign all of your superglobals to simpler $variablenames, you can do 
it this way:

$sql = "INSERT INTO table
(row1,
 row2,
 row3)
 VALUES (" . $_GET['bozo'] . ",
 " . $_GET['dodo'] . ",
 " . $_GET['next_var'] . ")";

Here, what I've done is created a string that is broken into separate 
concatenated bits with the dot (concatenation) operator.

If you have a syntax-coloring text editor, it will be a BIG help because 
it will colorize the strings so that you can get a better feel for what 
you're doing.  I strongly recommend that you get a hold of one, from 
what I understand there are free ones for Windows and I'm pretty sure 
that emacs and vim on Unix can do it.

Another way to do it is to use the braces to single out your variable 
name, here is the same example done in this way:

$sql = "INSERT INTO table
(row1,
 row2,
 row3)
 VALUES ({$_GET['bozo']},
 {$_GET['dodo']},
 {$_GET['next_var']})";

By doing this you don't have to break out of the string and 
concatenate.  I prefer to do the concatenation, but it's really a matter 
of choice -- you could even use sprintf() to do the same thing:

$sql = sprintf("INSERT INTO table
(row1,
 row2,
 row3)
 VALUES (%s,
 %s,
 %s)", $_GET['bozo'], $_GET['dodo'], 
$_GET['next_var']);

See, there's a lot of different ways to do it.  In my opinion, it is 
only a minor inconvenience to have to work around this, and I far prefer 
to use the superglobals if only to help remind me as to which kind of 
variable I'm talking about (a GET var vs a POST var vs a SESSION var).  
In the application I'm developing I have a LOT of variables.


 **

 /* This page is actually a confirmation page, I've tried to collect 
 the
 info
 from page 1 ($bozo) and page 2 ($dodo) and print them to screen as 
 in */

 $bozo = $_GET['bozo'];
 $dodo = $_GET['dodo'];

 print "$bozo $dodo";

 /* I've also tried $_SESSION['bozo'], $_GET['bozo'], left out the
 '$bozo = $_GET['bozo']' etc, etc, etc. -- I don't know what I'm doing
 here!! Help! !  */
 ?>

 What seems to be the problem here?

 

 The problem here is that $_SESSION['anything'] or $_GET['anything'] 
 doesn't
 work. It refuses to print or pass anything. Why? I can't figure that 
 out?

 I've tried a simple test, and yes the globals are off. But using the

 $bozo = $_GET['bozo'];  approach, at least it writes to the database, 
 but I
 cannot access the arrays at all??? And, I HAVE to write these for ALL 
 the
 variables, else it doesn't get passed to the db.

 Sigh. So where am I messing up?

I'm not sure that you are -- it shouldn't be refusing to print or pass 
anything.  Test to make sure that your PHP binary is working correctly, 
with the following script:

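<html><head><title>test</title></head>
<body>
<p>My name is:
<?php

if (isset($_GET['name']) && !empty($_GET['name'])) {
   // escape the request value before echoing it into the page
   print "<strong>" . htmlspecialchars($_GET['name']) . "</strong></p>\n";
} else {
   print "<form method=\"get\" action=\"" . htmlspecialchars($_SERVER['PHP_SELF']) . "\">
<input type=\"text\" name=\"name\" /></p>
<p><input 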

[PHP] Re: {PHP] Empty $_SESSION and $_POST??

2002-04-23 Thread Andre Dubuc

Hi Eric,

First off, my apologies for the bloat replies, and for the re-write of this 
thread -- your last reply accidentally was deleted.

My actual INSERT command (for page 1):

$query = "INSERT INTO sponsor (sid, sfname, ssname, sinit, saddr1,
saddr2, scity, sprov, scountry, scode, sstatus, sdate, susername,
spwd, smail, sipaddress) values (nextval('sponsor_sid_seq'), '$sfname',
'$ssname', '$sinit', '$saddr1', '$saddr2', '$scity', '$sprov',
'$scountry', '$scode', 'Guest', '$sdate', '$susername', '$spwd',
'$smail', '$sipaddress')";

// page 2 is the same except the prefix s changes to r in each field

I tried with VALUES ($_GET['sfname'] etc, etc  and got a T_Variable error 
as you said would happen. I've yet to try what you've suggested, but since 
the "Test to ensure your PHP binary is working" shows that it is indeed 
functioning, I think with the info you've provided, I should be able to pass 
the variables or the array to the next page.

I did a print_r($_GET); for pages 1 and 2, and both showed the array for that 
page only. I sort of thought that the command would show the $_GET array 
growing with the values from page 1 and page 2. That seems to be where the 
problem lies. Using $sfname = $_GET['sfname'];  on page 1 and $rfname = 
$_GET['rfname'] on page 2, I would have assumed that the print_r[$_GET] done 
on page 2 would show both sfname AND rfname. But perhaps I am 
mis-understanding the function of print_r[$_GET] -- it's probably 
non-cumulative and specific to the page from which it was called on. If 
that's the case, what precisely is the value of these superglobals when, in 
fact, they are specific to ONE page only???

Btw, your explanations are superb!
"With superglobals, you need to actually break out of the string by using the 
dot to append variable names."  How I wish I knew that before: I don't recall 
running into that statement anywhere in the docs. 

I think I'll get used to dot notation [I used it a lot in Paradox PAL] 
and re-do my scripts properly. I'll get back to you on how it goes.

Thank-you very much, Eric -- your advice and your excellent help is really 
what OpenSource is all about.

Regards,
Andre

-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.

May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/
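
Andre's INSERT above builds the SQL text from request values, so a value containing a quote changes the statement itself; this added example (not code from the thread) contrasts that with a parameterized statement in the shape pg_query_params() takes. The table and column names are from his query; the function names and the sample input are constructed for illustration.

```php
<?php
// Added example: not code from the thread. Table and column names come from
// Andre's INSERT; function names and sample values are constructed here.

const SPONSOR_COLUMNS = [
    'sfname', 'ssname', 'sinit', 'saddr1', 'saddr2', 'scity', 'sprov',
    'scountry', 'scode', 'sdate', 'susername', 'spwd', 'smail', 'sipaddress',
];

/** The thread's approach: each value is pasted into the SQL text itself. */
function interpolated_insert(array $in): string
{
    $quoted = [];
    foreach (SPONSOR_COLUMNS as $col) {
        $quoted[] = "'" . ($in[$col] ?? '') . "'";
    }
    return 'INSERT INTO sponsor (sid, ' . implode(', ', SPONSOR_COLUMNS)
        . ", sstatus) VALUES (nextval('sponsor_sid_seq'), "
        . implode(', ', $quoted) . ", 'Guest')";
}

/**
 * Parameterized form: the SQL text holds only $1..$n placeholders and the
 * values travel separately, so they can never be parsed as SQL.
 * Returns [sql, params], the two arguments pg_query_params() expects.
 */
function parameterized_insert(array $in): array
{
    $placeholders = [];
    $params = [];
    foreach (SPONSOR_COLUMNS as $i => $col) {
        $value = $in[$col] ?? null;
        // A request value can arrive as an array (?sfname[]=a); reject it.
        if ($value !== null && !is_string($value)) {
            throw new InvalidArgumentException("$col must be a single string");
        }
        $placeholders[] = '$' . ($i + 1);
        $params[] = $value;
    }
    $sql = 'INSERT INTO sponsor (sid, ' . implode(', ', SPONSOR_COLUMNS)
        . ", sstatus) VALUES (nextval('sponsor_sid_seq'), "
        . implode(', ', $placeholders) . ", 'Guest')";
    return [$sql, $params];
}

// Constructed sample input standing in for $_GET: a surname with an apostrophe.
$input = array_fill_keys(SPONSOR_COLUMNS, 'x');
$input['sfname'] = 'Andre';
$input['ssname'] = "O'Neil";

// Interpolated: the apostrophe ends the string literal early, so the
// statement no longer has balanced quotes and the database rejects it.
$unsafe = interpolated_insert($input);
$unbalanced = substr_count($unsafe, "'") % 2 === 1;

// Parameterized: the SQL text is the same for every request.
[$sql, $params] = parameterized_insert($input);

echo 'interpolated quotes unbalanced: ', var_export($unbalanced, true), "\n";
echo "parameterized SQL: $sql\n";
echo "surname kept as data: {$params[1]}\n";

// With a live connection (assumption: $db was returned by pg_connect()):
// $result = pg_query_params($db, $sql, $params);
```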


Re: [PHP] Re: {PHP] Empty $_SESSION and $_POST??

2002-04-23 Thread Alexander Skwar

»Andre Dubuc« said on 2002-04-23 at 14:28:56 -0400:
 I tried with VALUES ($_GET['sfname'] etc, etc  and got a T_Variable error 

If that's part of a string, then it's for sure broken.  The correct way
would be "VALUES (" . $_GET['sfname']

 non-cumulative and specific to the page from which it was called on. If 
 that's the case, what precisely is the value of these superglobals when ,in 
 fact, they are specific to ONE page only???

$_GET contains all the values which have been submitted to the current
page via a GET HTTP request.  If you want to pass variables from one
invocation to another without using GET or POST, I'd suggest to have a
look at PHP sessions.  With sessions, you can pass as much data as you
wish without revealing what kind of data you're passing along.  Plus,
you don't need to worry about having to encapsulate the data so that
it can be passed in the first place.

Alexander Skwar
-- 
How to quote:   http://learn.to/quote (german) http://quote.6x.to (english)
Homepage:   http://www.iso-top.de  |Jabber: [EMAIL PROTECTED]
   iso-top.de - The inexpensive way to get Linux distributions
   Uptime: 14 hours 53 minutes





Re: [PHP] Re: {PHP] Empty $_SESSION and $_POST??

2002-04-23 Thread Erik Price


On Tuesday, April 23, 2002, at 02:28  PM, Andre Dubuc wrote:

 I tried with VALUES ($_GET['sfname'] etc, etc  and got a T_Variable 
 error
 as you said would happen. I've yet to try what you've suggested, but 
 since
 the Test to ensure your PHP binary is working shows that it is indeed
 funtioning, I think with the info you've provided, I should be able to 
 pass
 the variables or the array to the next page.

Yep.  You can't do it with "VALUES ($_GET['sfname'] etc, etc".  You'll 
have to do it with "VALUES (" . $_GET['sfname'] . ", " . 
etc . ", " . ")";

 I did a print_r($_GET); for pages 1 and 2, and both showed the array 
 for that
 page only. I sort of thought that the command would show the $_GET array
 growing with the values from page 1 and page 2.

Think about it -- the $_GET array simply shows the variables that were 
sent to that particular script using the GET method.  Since HTTP is 
stateless, this won't grow over the lifetime of a browser's session -- 
for that you need to take your GET variables and place them into an 
array in a SESSION variable or something.  What you have observed is 
normal.  One other way to make your GET array grow is to grab the 
contents of the $_GET array using a foreach () loop or something, and 
then place them into a hidden form field.  But bear in mind that the GET 
method only supports like 255 characters or something like that, so 
doing this isn't advisable -- that is, after all, what session variables 
were developed for.

 That seems to be where the
 problem lies. Using $sfname = $_GET['sfname'];  on page 1 and $rfname =
 $_GET['rfname'] on page 2, I would have assumed that the print_r[$_GET] 
 done
 on page 2 would show both sfname AND rfname. But perhaps I am
 mis-understanding the function of print_r[$_GET] -- it's probably
 non-cumulative and specific to the page from which it was called on. If
 that's the case, what precisely is the value of these superglobals 
 when ,in
 fact, they are specific to ONE page only???

First of all, just so we're clear on this, print_r simply prints out the 
raw value of a variable or array or object or whatever.  It's something 
that you usually only use in development, to echo back to yourself the 
contents of a variable so you can make sure that your code is working as 
expected (or find out what's wrong if it's not).

SUPERGLOBAL doesn't refer to SUPERSESSION -- it doesn't mean that the 
variables become any more persistent than before.  The differences are 
slight, and the name SUPER may have misled you.  What is meant by 
SUPERGLOBAL is that when you refer to a superglobal using the 
superglobal syntax ($_GET, $_SERVER, etc), it is automatically 
globalized.  What value is this?  Well, for one thing you don't have to 
declare these as global with the global keyword in a function.  
Normally, this won't work:

$name = "Andre Dubuc";
function printname()
{
    print $name;
}

...because $name is defined outside the scope of the function.  The name 
needs to be passed to the function as an argument, or by using the 
global keyword...

// as an argument:
$name = "Andre Dubuc";
function printname($name)
{
    print $name;
}

// using global keyword
$name = "Andre Dubuc";
function printname()
{
    global $name;
    print $name;
}

These will both result in "Andre Dubuc" being printed to the screen.  
But here is a superglobal being used:

// $_GET['name'] has been passed to the script,
// and its value is "Andre Dubuc"
function printname()
{
    print $_GET['name'];
}

This will in fact print the name as expected, even though the name 
hasn't been passed as an argument or globalized by the global keyword.  
Why is this useful?  Well, I have a feeling that the PHP developers 
anticipated some unfavorable reaction to deprecating register_globals = 
on.  So, instead of requiring everyone to use $HTTP_*_VARS all the time 
(which is between 14 and 20 extra characters depending on what array 
we're talking about), they came up with the much shorter $_* variable 
names.  Easier to use.  And, since the PHP coder in question is 
referring to these variables in a much more specific fashion (by using 
$_GET to refer to GET variables or $_SESSION to session variables), they 
are less likely to inadvertently globalize some malicious input from a 
user -- so why not provide the convenience of making the variables 
global?

 With superglobals, you need to actually break out of the string by 
 using the
 dot to append variable names.  How I wish I knew that before: I don't 
 recall
 running into that statement anywhere in the docs.

It's just like the + operator in JavaScript (well, actually in JS the + 
operator also performs addition).  You'll find the dot extremely 
useful -- I'm sure you already know this one:

$name = "Andre ";
$name .= "Dubuc";
print $name; // prints "Andre Dubuc"

 I think I'll get used to dot notation [I used it a lot in Paradox PAL]
 and re-do my scripts properly. I'll get back to you on how it goes.

 Thank-you 

Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-22 Thread Erik Price


On Friday, April 19, 2002, at 09:41  PM, Andre Dubuc wrote:

 Is there a way I can verify that (a) globals are off and (b) $_SESSION 
 or
 $_POST are on? This probably what's happening -- I can't access the 
 arrays at
 all -- so, I think that might be where the problem lies. The $vars 
 still work
 though throughout all scripts.

$_SESSION and $_POST and other superglobals are already on all the time 
if you use PHP 4.1.x or later.

Verify that globals are off by writing a script that checks for the 
presence or the value of $variable and then pass variable=1 or 
something on the querystring in your browser.


Erik






Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
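
The register_globals probe described above, together with the reason the thread gives for turning the setting off, as an added example (not code from the thread). register_globals was removed in PHP 5.4.0, so extract() stands in for it here; the function names and the sample request are constructed.

```php
<?php
// Added example: not code from the thread. extract() simulates what
// register_globals = on did with request variables.

/** Erik's probe: does a query-string value show up as a bare $variable? */
function probe_sees_global(array $get, bool $registerGlobals): bool
{
    if ($registerGlobals) {
        extract($get);                  // stand-in for register_globals = on
    }
    return isset($variable);
}

/** A page that relies on a short name and only sets it for real admins. */
function legacy_page_is_admin(array $get, array $session, bool $registerGlobals): bool
{
    if ($registerGlobals) {
        extract($get);                  // request data lands in local names
    }
    if (isset($session['admin'])) {
        $admin = $session['admin'];     // never initialised for other users
    }
    return isset($admin) && $admin == 'yes';
}

/** The same decision, naming the source of the value explicitly. */
function explicit_page_is_admin(array $get, array $session): bool
{
    return isset($session['admin']) && $session['admin'] === 'yes';
}

// Constructed request: a user with an empty session sends
// variable=1 and admin=yes on the query string.
$get = ['variable' => '1', 'admin' => 'yes'];
$session = [];

$rows = [
    'probe, register_globals on'         => probe_sees_global($get, true),
    'probe, register_globals off'        => probe_sees_global($get, false),
    'legacy page, register_globals on'   => legacy_page_is_admin($get, $session, true),
    'legacy page, register_globals off'  => legacy_page_is_admin($get, $session, false),
    'explicit $_SESSION check'           => explicit_page_is_admin($get, $session),
];
foreach ($rows as $label => $result) {
    printf("%-36s %s\n", $label, var_export($result, true));
}
```

Only the first and third rows report true: with the setting on, the query string alone supplies both `$variable` and `$admin`.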






Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-22 Thread Andre Dubuc

On Monday 22 April 2002 09:50 am, you wrote:
 On Friday, April 19, 2002, at 09:41  PM, Andre Dubuc wrote:
  Is there a way I can verify that (a) globals are off and (b) $_SESSION
  or
  $_POST are on? This probably what's happening -- I can't access the
  arrays at
  all -- so, I think that might be where the problem lies. The $vars
  still work
  though throughout all scripts.

 $_SESSION and $_POST and other superglobals are already on all the time
 if you use PHP 4.1.x or later.

 Verify that globals are off by writing a script that checks for the
 presence or the value of $variable and then pass variable=1 or
 something on the querystring in your browser.


 Erik

 

 Erik Price
 Web Developer Temp
 Media Lab, H.H. Brown
 [EMAIL PROTECTED]


Thanks Eric,

Sorry about the delay in replying. I was at a funeral today.

I tried what you suggested, and indeed globals are off. Perhaps my problem 
stems from my use of the $_GET[] with $vars. I guess I don't really 
understand what I'm doing. If you would take a peek at this code [I think 
I've introduced a security hole, and I'm mixing up things]:

On page 1:

<?php session_start(); ob_start(); ?>
// ob_start(); so I can have html headers on this page & redirect later
// some other code
<form action="page2.php" method="get">
<?php
// The following line is where I think I've caused myself grief. 

<input type="text" size="20" name="bozo">

// many other lines of code

<input type="submit" name="submit" value="Agree">
?>


On page 2: 

<?php session_start(); ob_start(); ?>
// ob_start(); so I can have html headers on this page & redirect later
// some other code
<form action="page3php" method="get">
<?php

$bozo = $_GET['bozo'];

/* Now is this correct? Am I exposing 'bozo'  to a security hole? For the 
rest of the script, with each $_GET['var'] from the previous page I do the 
same. Somehow, I don't think I've grasped what to do with $vars. From my 
reading elsewhere, should I, for example, in page 1 use something like
:
<input type="text" size="20" name="<?php  echo $_SESSION['bozo'] ?>">

Once I figure out how I'm supposed to write the variables in the scripts, 
I'll be OK. But I'm so CONFUSED!  */

if  ($bozo == "") die ("Please enter your 'First Name'. <br><br> Click 
'Back in your browser to enter this information.");

// new input variable unique to page 2
<input type="text" size="20" name="dodo">

// other code: including an if $level  statement that checks for level of 
registration and redirects, using header(location . . .)

session_write_close(); // to allow the header through
header("location:page 3.php");
?>


On page 3:

<?session_start(); ob_start(); ?>
<?php

/* This page is actually a confirmation page, I've tried to collect the info 
from page 1 ($bozo) and page 2 ($dodo) and print them to screen as in */

$bozo = $_GET['bozo'];
$dodo = $_GET['dodo'];

print "$bozo $dodo";

/* I've also tried $_SESSION['bozo'], $_GET['bozo'], left out the 
'$bozo = $_GET['bozo']' etc, etc, etc. -- I don't know what I'm doing 
here!! Help! !  */
?>

{Btw, I've used "bozo" and "dodo" since it's easier to spot the difference 
than what I actually use for the field :]

Tia,
Andre
-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.

May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/





Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-22 Thread Erik Price


On Monday, April 22, 2002, at 03:47  PM, Andre Dubuc wrote:

 I tried what you suggested, and indeed globals are off. Perhaps my 
 problem
 stems from my use of the $_GET[] with $vars. I guess I don't really
 understand what I'm doing. If you would take a peek at this code [I 
 think
 I've introduced a security hole, and I'm mixing up things]:

I think the problem you're having is basically understanding what 
register_globals does, and why some people might want to turn it off.

register_globals takes a variable (doesn't matter if it's a server 
variable, a cookie variable, a post variable, or a get variable) and 
registers it as global throughout the script.  This means that if 
someone types

http://www.domain.com/index.php?firstname=andre&lastname=dubuc

into the Address bar of her browser, she has just requested the 
index.php resource from the server at www.domain.com using the HTTP 
protocol and sent two variables to the server using the GET method:

$firstname = 'andre'
$lastname = 'dubuc'

If you have register_globals turned on, then your script can look like 
this:

if ($firstname == 'andre' && $lastname == 'dubuc') {
   // do something
}

and it still works.  However, if you have register_globals turned off, 
then the above 'if test' won't work.  This is because these variables 
are not $firstname and $lastname, they are $_GET['firstname'] and 
$_GET['lastname'].  To do an 'if test' with register_globals off, you 
should do:

if ($_GET['firstname'] == 'andre' && $_GET['lastname'] == 'dubuc') {
   // do something
}

There's really not much of a difference.  The thing is that instead of 
being a global variable, the data that you passed is now an element of 
the $_GET array.  So you use the standard element notation, using the 
associative index of the variable name.

If you do this:

$firstname = $_GET['firstname'];
$lastname = $_GET['lastname'];

...you make your code simpler to understand, but be careful that you 
don't do something in the same script like

$lastname = $row['last_name'];

(which could happen if you were trying to simplify your MySQL result 
data.)

I'll take a look at what you've got

 On page 1:

 <?php session_start(); ob_start(); ?>
 // ob_start(); so I can have html headers on this page & redirect later
 // some other code
 <form action="page2.php" method="get">
 <?php
 // The following line is where I think I've caused myself grief.

 <input type="text" size="20" name="bozo">

 <input type="submit" name="submit" value="Agree">
 ?>

Yeah, I'd say you've caused yourself some grief.  This isn't even 
related to register_globals -- you've got two HTML input tags in the 
middle of your PHP block.  You need to print() or echo these, not just 
type them in directly.

print("<input type='text' size='20' name='bozo' />");
print("<input type='submit' name='submit' value='Agree'>");

 $bozo = $_GET['bozo'];

 /* Now is this correct? Am I exposing 'bozo'  to a security hole? For 
 the
 rest of the script, with each $_GET['var'] from the previous page I do 
 the
 same. Somehow, I don't think I've grasped what to do with $vars. From my
 reading elsewhere, should I, for example, in page 1 use something like
 :
 <input type="text" size="20" name="<?php  echo 
 $_SESSION['bozo'] ?>">

I prefer to do it the way that you have read elsewhere, but it really 
doesn't matter.  Either way, you have a variable in your script that 
points to some user-specified data.  What you've done is simplified the 
results, similar to what some people do when they pull data out of a 
result set with mysql_fetch_array().  The only security hole is if you 
have written your script to do something unsafe with the $bozo variable.

HOWEVER... bear in mind that now that you are referring to this variable 
in this fashion, you could end up inadvertently overwriting this 
variable with a new variable, by doing something like

$bozo = $row['bozo'];

  -- something that is far less likely to occur when referring to it as 
$_GET['bozo'].

It really depends on how organized your code is.  If I were you, I would 
probably get into the habit of calling it $_GET['bozo'], since that just 
saves you time and stress in the long run.  The only security hole would 
be this:

$_SESSION['admin'] = 'yes'; // indicates that user is an administrator
$admin = $_SESSION['admin']; // simplify our variable name

if ($admin == 'yes') { // if user is an administrator
   // display some sensitive data
}

// for some stupid reason we do this
$admin = $_GET['admin']; // obviously you wouldn't do something like this

if ($admin == 'yes') {
   // display some sensitive data
}

Essentially, in the above code, you've given the value of a GET variable 
called admin the same power as a session variable called admin.  
This is bad practice in general, and I'm sure you wouldn't make this 
mistake.

Simply making $admin = $_SESSION['admin'] does NOT mean that someone can 
type admin=yes into the querystring and automatically become the 
admin, because register_globals is OFF -- this 

Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-22 Thread Andre Dubuc

On Monday 22 April 2002 05:34 pm, you wrote:
 On Monday, April 22, 2002, at 03:47  PM, Andre Dubuc wrote:
  I tried what you suggested, and indeed globals are off. Perhaps my
  problem
  stems from my use of the $_GET[] with $vars. I guess I don't really
  understand what I'm doing. If you would take a peek at this code [I
  think
  I've introduced a security hole, and I'm mixing up things]:

 I think the problem you're having is basically understanding what
 register_globals does, and why some people might want to turn it off.

 register_globals takes a variable (doesn't matter if it's a server
 variable, a cookie variable, a post variable, or a get variable) and
 registers it as global throughout the script.  This means that if
 someone types

 http://www.domain.com/index.php?firstname=andre&lastname=dubuc

 into the Address bar of her browser, she has just requested the
 index.php resource from the server at www.domain.com using the HTTP
 protocol and sent two variables to the server using the GET method:

 $firstname = 'andre'
 $lastname = 'dubuc'

 If you have register_globals turned on, then your script can look like
 this:

 if ($firstname == 'andre' && $lastname == 'dubuc') {
    // do something
 }

 and it still works.  However, if you have register_globals turned off,
 then the above 'if test' won't work.  This is because these variables
 are not $firstname and $lastname, they are $_GET['firstname'] and
 $_GET['lastname'].  To do an 'if test' with register_globals off, you
 should do:

 if ($_GET['firstname'] == 'andre' && $_GET['lastname'] == 'dubuc') {
    // do something
 }

 There's really not much of a difference.  The thing is that instead of
 being a global variable, the data that you passed is now an element of
 the $_GET array.  So you use the standard element notation, using the
 associative index of the variable name.

 If you do this:

 $firstname = $_GET['firstname'];
 $lastname = $_GET['lastname'];

 ...you make your code simpler to understand, but be careful that you
 don't do something in the same script like

 $lastname = $row['last_name'];

 (which could happen if you were trying to simplify your MySQL result
 data.)

 I'll take a look at what you've got

  On page 1:
 
  <?php session_start(); ob_start(); ?>
  // ob_start(); so I can have html headers on this page & redirect later
  // some other code
  <form action=page2.php method=get>
  <?php
  // The following line is where I think I've caused myself grief.
 
  <input type=text size=20 name=bozo>
 
  <input type=submit name=submit value=Agree>
  ?>

 Yeah, I'd say you've caused yourself some grief.  This isn't even
 related to register_globals -- you've got two HTML input tags in the
 middle of your PHP block.  You need to print() or echo these, not just
 type them in directly.

 print("<input type='text' size='20' name='bozo' />");
 print("<input type='submit' name='submit' value='Agree'>");

  $bozo = $_GET['bozo'];
 
  /* Now is this correct? Am I exposing 'bozo' to a security hole? For the
  rest of the script, with each $_GET['var'] from the previous page I do the
  same. Somehow, I don't think I've grasped what to do with $vars. From my
  reading elsewhere, should I, for example, in page 1 use something like
 
  <input type=text size=20 name=<?php echo $_SESSION['bozo'] ?>>

 I prefer to do it the way that you have read elsewhere, but it really
 doesn't matter.  Either way, you have a variable in your script that
 points to some user-specified data.  What you've done is simplified the
 results, similar to what some people do when they pull data out of a
 result set with mysql_fetch_array().  The only security hole is if you
 have written your script to do something unsafe with the $bozo variable.

 HOWEVER... bear in mind that now that you are referring to this variable
 in this fashion, you could end up inadvertently overwriting this
 variable with a new variable, by doing something like

 $bozo = $row['bozo'];

   -- something that is far less likely to occur when referring to it as
 $_GET['bozo'].

 It really depends on how organized your code is.  If I were you, I would
 probably get into the habit of calling it $_GET['bozo'], since that just
 saves you time and stress in the long run.  The only security hole would
 be this:

 $_SESSION['admin'] = 'yes'; // indicates that user is an administrator
 $admin = $_SESSION['admin']; // simplify our variable name

 if ($admin == 'yes') { // if user is an administrator
    // display some sensitive data
 }

 // for some stupid reason we do this
 $admin = $_GET['admin']; // obviously you wouldn't do something like this

 if ($admin == 'yes') {
    // display some sensitive data
 }

 Essentially, in the above code, you've given the value of a GET variable
 called admin the same power as a session variable called admin.
 This is bad practice in general, and I'm sure you wouldn't make this
 mistake.

 Simply making $admin = $_SESSION['admin'] does NOT mean that someone can
 type 

Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-19 Thread Miguel Cruz

On Fri, 19 Apr 2002, Andre Dubuc wrote:
 Whenever I try:
 
 print("$_SESSION['sfname']");  or  print("$_POST['scity']"
 
 I get a parse error expecting 'T_STRING' . . . -- obviously there's nothing 
 in the array or I haven't set it.

You just have a simple syntax error.

You can use any of the following:

   print $_SESSION['sfname'];
   print "{$_SESSION['sfname']}";
   print "${_SESSION['sfname']}";

But you can't put a bare array dereference inside a quoted string like you
tried above. You need to surround it with {curly braces} or take it 
outside the quoted string.

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-19 Thread Andre Dubuc

On Friday 19 April 2002 08:13 pm, you wrote:
 On Fri, 19 Apr 2002, Andre Dubuc wrote:
  Whenever I try:
 
  print("$_SESSION['sfname']");  or  print("$_POST['scity']"
 
  I get a parse error expecting 'T_STRING' . . . -- obviously there's
  nothing in the array or I haven't set it.

 You just have a simple syntax error.

 You can use any of the following:

print $_SESSION['sfname'];
print "{$_SESSION['sfname']}";
print "${_SESSION['sfname']}";

 But you can't put a bare array dereference inside a quoted string like you
 tried above. You need to surround it with {curly braces} or take it
 outside the quoted string.

 miguel


Hi Miguel,

I tried all three -- none work.  I question whether register_globals is truly 
off since, earlier when I changed php.ini it dumped my Postgresql and left 
the phpinfo() unchanged. This time it reported the change, and Postgresql is 
working.

Is there a way I can verify that (a) globals are off and (b) $_SESSION or 
$_POST are on? This is probably what's happening -- I can't access the arrays at 
all -- so, I think that might be where the problem lies. The $vars still work 
though throughout all scripts.

Any ideas?

Tia,
Andre

-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.

May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/





Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-19 Thread Andre Dubuc

I'm running PHP 4.1.2 + Apache 1.3.23 + PostgreSQL 7.2.

I've tried reverting back to globals=on, and same problem. Yet, earlier in 
another script I used $sfname = $_GET['sfname']; to get the value of sfname 
-- now, it won't work. I'm truly stumped -- I don't know whether it's my 
code? [I'm beginning to think it isn't because of the flakiness of the php.ini 
failing to report changes accurately] 

I've dumped PHP and re-installed it, but the same problem persists.

Now for the big question -- what's wrong with globals=on anyway? Eventually 
the site will be public, and probably the host won't allow globals on, but 
what's the security risk?

You say $_SESSION[] and $_POST[] are always on -- even if globals are on?
Can I verify what all the variables in the array are? Where would I look? By 
the look of things, I've got a major problem -- but I don't know where to 
look.

Help? Please?

Tia,
Andre


On Friday 19 April 2002 10:17 pm, you wrote:
 I accidentally deleted your last message. But with current versions of
 PHP, $_POST, etc., are always on and there's no way to turn them off.
 Which version are you running? (check phpinfo()).

 miguel

 On Fri, 19 Apr 2002, Miguel Cruz wrote:
  On Fri, 19 Apr 2002, Andre Dubuc wrote:
   Whenever I try:
  
   print("$_SESSION['sfname']");  or  print("$_POST['scity']"
  
   I get a parse error expecting 'T_STRING' . . . -- obviously there's
   nothing in the array or I haven't set it.
 
  You just have a simple syntax error.
 
  You can use any of the following:
 
 print $_SESSION['sfname'];
 print "{$_SESSION['sfname']}";
 print "${_SESSION['sfname']}";
 
  But you can't put a bare array dereference inside a quoted string like
  you tried above. You need to surround it with {curly braces} or take it
  outside the quoted string.
 
  miguel

-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.

May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/
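
Added example (not part of the thread, and not code from any poster): the risk asked about above and the $admin overwrite from Erik Price's reply, shown beside a check that trusts only the session. register_globals was removed in PHP 5.4, so its effect is simulated here with extract(); the function names and the request and session arrays are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. register_globals no longer
// exists (removed in PHP 5.4), so extract() stands in for it here.

// Vulnerable: request variables become plain variables, as with
// register_globals=on, and $admin is never initialised before use.
function is_admin_globals_on(array $get, array $session): bool
{
    extract($get);                                // simulated register_globals
    if (($session['admin'] ?? null) === 'yes') {
        $admin = 'yes';                           // set only for real admins
    }
    return isset($admin) && $admin == 'yes';      // request value survives
}

// Vulnerable: the overwrite from the reply, a GET value replacing the
// session-derived flag (works with register_globals off as well).
function is_admin_overwritten(array $get, array $session): bool
{
    $admin = $session['admin'] ?? 'no';
    if (isset($get['admin'])) {
        $admin = $get['admin'];
    }
    return $admin == 'yes';
}

// Hardened: the decision reads server-side session state only, with a
// strict comparison; request data never reaches it.
function is_admin_hardened(array $session): bool
{
    return ($session['admin'] ?? null) === 'yes';
}

// Constructed input: an ordinary user who appends ?admin=yes to the URL.
$get     = ['admin' => 'yes', 'bozo' => 'clown'];
$session = ['user' => 'andre'];                   // no 'admin' key

$results = [
    'globals on, uninitialised $admin' => is_admin_globals_on($get, $session),
    '$admin overwritten from $_GET'    => is_admin_overwritten($get, $session),
    'session-only check'               => is_admin_hardened($session),
    'session-only check, real admin'   => is_admin_hardened(['admin' => 'yes']),
];
foreach ($results as $label => $granted) {
    printf("%-34s %s\n", $label, $granted ? 'access granted' : 'access denied');
}
```

The first two checks grant access to the non-admin session because the flag can be set from the query string; the session-only check denies it and still recognises a session that really carries admin = 'yes'.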





Re: [PHP] Empty $_SESSION and $_POST ??

2002-04-19 Thread Jason Wong

On Saturday 20 April 2002 09:41, Andre Dubuc wrote:

 Is there a way I can verify that (a) globals are off and (b) $_SESSION or
 $_POST are on? This is probably what's happening -- I can't access the arrays
 at all -- so, I think that might be where the problem lies. The $vars still
 work though throughout all scripts.

Use:

  print_r($GLOBALS);

to see what variables you have.

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
Dr. Jekyll had something to Hyde.
*/
