Re: [PHP] PHP 4.2.2 vs PHP 4.0.6

2002-10-03 Thread Steve Yates

> From: Alex Shi [mailto:[EMAIL PROTECTED]]
> 1. why PHP changed the way to access submitted vars;

Because if you use a hidden variable like $validuser='yes' inside your
script you probably forgot to check whether the user did this:

www.eol.ca/page.php?validuser=yes

> 2. any good suggestion to avoid this problem, such as that is it possible
> to configure 4.2.2 to compatible downward.

extract($HTTP_POST_VARS) will create all variables from that array.

 - Steve Yates
 - An unbreakable toy is only useful for breaking other toys.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] PHP 4.2.2 vs PHP 4.0.6

2002-10-01 Thread Mike Dunlop

That's because in the newer versions of PHP the register_globals
directive is set to off by default... If you turn that directive on
and then restart Apache, you will be able to address GET/POST vars
normally (by their identical var name).

  - Mike D


>Hi,
>
>I didn't realize that PHP had been going so fast that it was creating
>problems for compatibility.
>
>Here is my situation: PHP on my development server is 4.0.6 while
>on the application server it is PHP 4.2.2. I bet you all know that there's
>a huge basic differences between the two but I don't know them!
>In PHP 4.2.2, variables passed by either GET or POST method can
>not be accessed straightforwardly by their name, you have to fetch them
>from $HTTP_POST_VARS or $HTTP_GET_VARS. To my understanding,
>directly using submitted variables by their name is one of the basic great
>PHP features, and I always use vars in this way. However, you can
>imagine that, recently due to the PHP upgrading I got bunch of problems
>when deploying.
>
>What I want to know are:
>1. why PHP changed the way to access submitted vars;
>2. any good suggestion to avoid this problem, such as that is it possible
>to configure 4.2.2 to compatible downward.
>
>Thanks!
>
>Alex Shi
>
>BTW: my development server is RH Linux 7.1 so cannot upgrade PHP
>to 4.2.2.


-- 
Mike Dunlop
Webmaster
Animation World Network
[EMAIL PROTECTED]
http://www.awn.com
(323) 606-4238 office
(323) 466-6619 fax
6525 Sunset Blvd.  GS10 Los Angeles, CA  90028
USA






Re: [PHP] PHP 4.2.2 vs PHP 4.0.6

2002-10-01 Thread Alex Shi

Thanks!



"John W. Holmes" <[EMAIL PROTECTED]> wrote in message
news:000f01c269a4$a7329be0$7c02a8c0@coconut...
> > I didn't realize that PHP had been going so fast that it was creating
> > problems for compatibility.
> >
> > Here is my situation: PHP on my development server is 4.0.6 while
> > on the application server it is PHP 4.2.2. I bet you all know that there's
> > a huge basic differences between the two but I don't know them!
> > In PHP 4.2.2, variables passed by either GET or POST method can
> > not be accessed straightforwardly by their name, you have to fetch them
> > from $HTTP_POST_VARS or $HTTP_GET_VARS. To my understanding,
> > directly using submitted variables by their name is one of the basic great
> > PHP features, and I always use vars in this way. However, you can
> > imagine that, recently due to the PHP upgrading I got bunch of problems
> > when deploying.
> >
> > What I want to know are:
> > 1. why PHP changed the way to access submitted vars;
>
> PHP wasn't changed, it just changed the default of one configuration in
> php.ini. Set your register_globals back to ON and things are just as
> they were in the past.
>
> It was changed to stop poorly written code from having as many security
> issues. If you use a variable $var, you have no idea if it came from the
> user, session, cookie, or from the script. You have to remember it
> yourself. So, you may assume your script made $var, but it really came
> from the URL. Using $_GET['var'] lets you know for sure that that value
> came from the url. With register_globals off, you know $var was created
> from within your scripts and cannot have come from a user.
>
> > 2. any good suggestion to avoid this problem, such as that is it possible
> > to configure 4.2.2 to compatible downward.
>
> register_globals = On
>
> ---John Holmes...






RE: [PHP] PHP 4.2.2 vs PHP 4.0.6

2002-10-01 Thread John W. Holmes

> I didn't realize that PHP had been going so fast that it was creating
> problems for compatibility.
>
> Here is my situation: PHP on my development server is 4.0.6 while
> on the application server it is PHP 4.2.2. I bet you all know that there's
> a huge basic differences between the two but I don't know them!
> In PHP 4.2.2, variables passed by either GET or POST method can
> not be accessed straightforwardly by their name, you have to fetch them
> from $HTTP_POST_VARS or $HTTP_GET_VARS. To my understanding,
> directly using submitted variables by their name is one of the basic great
> PHP features, and I always use vars in this way. However, you can
> imagine that, recently due to the PHP upgrading I got bunch of problems
> when deploying.
>
> What I want to know are:
> 1. why PHP changed the way to access submitted vars;

PHP wasn't changed, it just changed the default of one configuration in
php.ini. Set your register_globals back to ON and things are just as
they were in the past.

It was changed to stop poorly written code from having as many security
issues. If you use a variable $var, you have no idea if it came from the
user, session, cookie, or from the script. You have to remember it
yourself. So, you may assume your script made $var, but it really came
from the URL. Using $_GET['var'] lets you know for sure that that value
came from the url. With register_globals off, you know $var was created
from within your scripts and cannot have come from a user.

> 2. any good suggestion to avoid this problem, such as that is it possible
> to configure 4.2.2 to compatible downward.

register_globals = On

---John Holmes...
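
The `?validuser=yes` case from Steve Yates's reply and the variable-provenance point in John Holmes's reply, as an added example that is not part of the original thread: a plain array stands in for GET/POST data, and all function names and sample values are constructed. Only the legacy function accepts the request that carries no password.

```php
<?php
// Added illustration: function names and sample requests are constructed.

// Legacy pattern: every request key becomes a variable, as register_globals
// or extract($HTTP_POST_VARS) does, before the script sets its own flag.
function legacy_is_valid(array $request, string $expected): bool
{
    extract($request);
    if (isset($password) && $password === $expected) {
        $validuser = 'yes';
    }
    // $validuser may come from the script or straight from the request.
    return isset($validuser) && $validuser === 'yes';
}

// Explicit pattern: the script initialises the flag and reads user input
// only by key ($_POST['password'] in a real page).
function explicit_is_valid(array $request, string $expected): bool
{
    $validuser = 'no';
    $password = isset($request['password']) ? (string) $request['password'] : '';
    if (hash_equals($expected, $password)) {
        $validuser = 'yes';
    }
    return $validuser === 'yes';
}

// Migration stopgap: initialise first, then extract() with EXTR_SKIP so
// request keys cannot overwrite variables the script already owns.
function skip_is_valid(array $request, string $expected): bool
{
    $validuser = 'no';
    extract($request, EXTR_SKIP);
    if (isset($password) && is_string($password) && hash_equals($expected, $password)) {
        $validuser = 'yes';
    }
    return $validuser === 'yes';
}

$forged = ['validuser' => 'yes'];   // constructed: page.php?validuser=yes
$honest = ['password' => 's3cret']; // constructed: normal login form post
foreach (['legacy_is_valid', 'explicit_is_valid', 'skip_is_valid'] as $fn) {
    printf("%-18s forged=%s honest=%s\n", $fn,
        var_export($fn($forged, 's3cret'), true),
        var_export($fn($honest, 's3cret'), true));
}
```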







RE: [PHP] PHP 4.2.2 vs PHP 4.0.6

2002-10-01 Thread Jarrad Kabral

Alex

You can change back to the old way of parsing vars by simply changing the
"register_globals" setting to "on" in your PHP config. Though this is
certainly not recommended (mainly for security concerns).

Good PHP coding practice suggests that you use superglobals when you wish to
access session, cookie, post, get or environment variables.

This URL will explain everything
http://www.zend.com/zend/art/art-sweat4.php



Regards

Jarrad Kabral




-Original Message-
From: Alex Shi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 2 October 2002 9:29 AM
To: [EMAIL PROTECTED]
Subject: [PHP] PHP 4.2.2 vs PHP 4.0.6


Hi,

I didn't realize that PHP had been going so fast that it was creating
problems for compatibility.

Here is my situation: PHP on my development server is 4.0.6 while
on the application server it is PHP 4.2.2. I bet you all know that there's
a huge basic differences between the two but I don't know them!
In PHP 4.2.2, variables passed by either GET or POST method can
not be accessed straightforwardly by their name, you have to fetch them
from $HTTP_POST_VARS or $HTTP_GET_VARS. To my understanding,
directly using submitted variables by their name is one of the basic great 
PHP features, and I always use vars in this way. However, you can 
imagine that, recently due to the PHP upgrading I got bunch of problems
when deploying.

What I want to know are:
1. why PHP changed the way to access submitted vars;
2. any good suggestion to avoid this problem, such as that is it possible 
to configure 4.2.2 to compatible downward.

Thanks!

Alex Shi

BTW: my development server is RH Linux 7.1 so cannot upgrade PHP
to 4.2.2.


