Re: [PHP] overwriting PHP_SELF and PHP_AUTH_xxxx
I have a special set of information retrieved from a while loop that I would
like a person to be able to edit and send back into a MySQL table.
I know all of the basic MySQL commands for doing such, but the PHP side to
get the input from the form to go in is really stumping me.
This is what I have:
-
$or = 0;
while($or $orderidrows) {
$orderinfo = mysql_fetch_row($orderidinfo);
$domain[$or] = $orderinfo[2];
$cancel[$or] = $orderinfo[3];
print trtdfont size=2 face=Arial $domain[$or]/font/tdtdfont
size=2 face=ArialCancel This Domain?/font/tdtdfont size=2
face=Arialinput type=text name=confirm value='$cancel[$or]'
size=3/font/td;
$or++;
}
--
The values/data I would normally insert into the MySQL from the form would be
$confirm, based on $domain - however, in this case, I have a number of rows
with the same
name. I've received help as far as distinguishing one row from another -
thanks. :)
The problem I am really having is trying to insert the data back into one
particular table. You see, when I select the data, I get multiple
orderid's with multiple domains attached to them. When I try to UPDATE the
MySQL with the data, only the last orderid seems to be the one getting
updated. And, to boot, I want to update based on the domain name (since
that is unique) and ignore the orderids. I only used the orderids to pull
the data out.
So, I've been using a query like this in a loop;
$update = UPDATE table2 SET cancel='$cancel[$a]' WHERE domain = $domain[$a]
Any suggestions? I'm getting pretty desparate here! :\
Thanks,
-Mike
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] overwriting PHP_SELF and PHP_AUTH_xxxx
Forgive me if I'm treating pseudo as real but surely
print trtd ... value='$cancel[$or]' ... /td;
should be
print trtd ... value='{$cancel[$or]}' ... /td;
same goes for the array element in the sql statement
Tim Ward
Internet chess www.chessish.com http://www.chessish.com
--
From: Michael Romagnoli [SMTP:[EMAIL PROTECTED]]
Sent: 22 February 2002 12:21
To: [EMAIL PROTECTED]
Subject: Re: [PHP] overwriting PHP_SELF and PHP_AUTH_
I have a special set of information retrieved from a while loop that
I would
like a person to be able to edit and send back into a MySQL table.
I know all of the basic MySQL commands for doing such, but the PHP
side to
get the input from the form to go in is really stumping me.
This is what I have:
-
$or = 0;
while($or $orderidrows) {
$orderinfo = mysql_fetch_row($orderidinfo);
$domain[$or] = $orderinfo[2];
$cancel[$or] = $orderinfo[3];
print trtdfont size=2 face=Arial
$domain[$or]/font/tdtdfont
size=2 face=ArialCancel This Domain?/font/tdtdfont size=2
face=Arialinput type=text name=confirm value='$cancel[$or]'
size=3/font/td;
$or++;
}
--
The values/data I would normally insert into the MySQL from the form
would be
$confirm, based on $domain - however, in this case, I have a number
of rows
with the same
name. I've received help as far as distinguishing one row from
another -
thanks. :)
The problem I am really having is trying to insert the data back
into one
particular table. You see, when I select the data, I get multiple
orderid's with multiple domains attached to them. When I try to
UPDATE the
MySQL with the data, only the last orderid seems to be the one
getting
updated. And, to boot, I want to update based on the domain name
(since
that is unique) and ignore the orderids. I only used the orderids
to pull
the data out.
So, I've been using a query like this in a loop;
$update = UPDATE table2 SET cancel='$cancel[$a]' WHERE domain =
$domain[$a]
Any suggestions? I'm getting pretty desparate here! :\
Thanks,
-Mike
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] overwriting PHP_SELF and PHP_AUTH_xxxx
On Thu, 2002-02-21 at 22:31, K.Tomono wrote: Hi there. This must be a curious question, but I want to know... Globals, and register_globals = on, are insecure for exactly this reason. This is why new versions of PHP will default to register_globals = off, and why it's a good idea to use register_globals = off in any case. For more discussion of this issue, please read the following: http://www.php.net/release_4_1_0.php Cheers, Torben Recently I've checked several globals, how it is overwritten. the globals are $PHP_SELF and $PHP_AUTH_USER. the first time, $PHP_AUTH_USER. This is overwritten by the http GET values when such a following uri. (and Post will be so.) http://foo.bar.com/test.php3?PHP_AUTH_USER=CRACK This case is tested under PHP Version 3.0.18-i18n-ja-2. but is not overwritten under PHP Version 4.0.3pl1 the second, $PHP_SELF. This is not overwritten by the http GET values when such a following uri. http://foo.bar.com/test.php3?PHP_SELF=CRACK.php This is true both under PHP Version 4.0.3pl1 and PHP Version 3.0.18-i18n-ja-2 the difference is probably that PHP_AUTH_USER is value from http request originally (=Authorization header), but PHP_SELF is server side, I think. though, such above behavior with each global is the intended spec of PHP? Or Simply by the order of the evaluation in internal for these values? I tested with my test servers. my test server configuration, php.ini is defined with each PHP3: register_globals (none. not defined.) PHP4: register_globals = on I've cheked with phpinfo() also. Any opinion will be appreciated. Thanks. --- K.Tomono -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Torben Wilson [EMAIL PROTECTED] http://www.thebuttlesschaps.com http://www.hybrid17.com http://www.inflatableeye.com +1.604.709.0506 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] overwriting PHP_SELF and PHP_AUTH_xxxx
For more discussion of this issue, please read the following: http://www.php.net/release_4_1_0.php Thanks Lars Torben, but one more question please. There is "variables_order" in php.ini, Is this very important thing concerned with this issue? Regards :) K.Tomono -Original Message- From: Lars Torben Wilson [mailto:[EMAIL PROTECTED]]On Behalf Of Lars Torben Wilson Sent: Friday, February 22, 2002 3:40 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [PHP] overwriting PHP_SELF and PHP_AUTH_ On Thu, 2002-02-21 at 22:31, K.Tomono wrote: Hi there. This must be a curious question, but I want to know... Globals, and register_globals = on, are insecure for exactly this reason. This is why new versions of PHP will default to register_globals = off, and why it's a good idea to use register_globals = off in any case. For more discussion of this issue, please read the following: http://www.php.net/release_4_1_0.php Cheers, Torben Recently I've checked several globals, how it is overwritten. the globals are $PHP_SELF and $PHP_AUTH_USER. the first time, $PHP_AUTH_USER. This is overwritten by the http GET values when such a following uri. (and Post will be so.) http://foo.bar.com/test.php3?PHP_AUTH_USER=CRACK This case is tested under PHP Version 3.0.18-i18n-ja-2. but is not overwritten under PHP Version 4.0.3pl1 the second, $PHP_SELF. This is not overwritten by the http GET values when such a following uri. http://foo.bar.com/test.php3?PHP_SELF=CRACK.php This is true both under PHP Version 4.0.3pl1 and PHP Version 3.0.18-i18n-ja-2 the difference is probably that PHP_AUTH_USER is value from http request originally (="Authorization" header), but PHP_SELF is server side, I think. though, such above behavior with each global is the intended spec of PHP? Or Simply by the order of the evaluation in internal for these values? I tested with my test servers. my test server configuration, php.ini is defined with each PHP3: register_globals (none. not defined.) PHP4: register_globals = on I've cheked with phpinfo() also. Any opinion will be appreciated. Thanks. --- K.Tomono -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Torben Wilson [EMAIL PROTECTED] http://www.thebuttlesschaps.com http://www.hybrid17.com http://www.inflatableeye.com +1.604.709.0506 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] overwriting PHP_SELF and PHP_AUTH_xxxx
Well, in this particular case it really makes no difference as PHP_AUTH_* is data that comes from the user anyway. Whether it is sent in the GET-method data or in the Authenticate header is completely irrelevant and turning register_globals off does not make any difference whatsoever. The reason in this particular case that PHP_SELF could not be overwritten was that the internal value overwrote the injected one. For PHP_AUTH_* you probably didn't provide an Authenticate header so the GET-method version of the data was taken. Had you provided the Authenticate header in the request then that version would have overridden the GET-method version. However since both sets come from the user, they are equally hackable and you'd need to send the correct PHP_AUTH_USER and PHP_AUTH_PWD values in the GET-method data anyway. If you know the username and password, you might as well just log in normally. But yes, in recent versions of PHP you are not able to overwrite these values with GET-method data precisely because people overreact to situations like this without really thinking about it logically. There are some built-in variables that, if overwritten, would actually be able to cause security problems. Old versions of PHP had an issue related to this with the file upload vars. So not all of this is unfounded paranoia. And in this particular case for built-in variables like this, variables_order does not really affect anything since there is no entry for built-in vars in that order. Of course, if you removed G from the variables_order then you couldn't overwrite anything with GET-method data, but you could of course inject the same data via any of the other methods. -Rasmus On 21 Feb 2002, Lars Torben Wilson wrote: On Thu, 2002-02-21 at 22:31, K.Tomono wrote: Hi there. This must be a curious question, but I want to know... Globals, and register_globals = on, are insecure for exactly this reason. This is why new versions of PHP will default to register_globals = off, and why it's a good idea to use register_globals = off in any case. For more discussion of this issue, please read the following: http://www.php.net/release_4_1_0.php Cheers, Torben Recently I've checked several globals, how it is overwritten. the globals are $PHP_SELF and $PHP_AUTH_USER. the first time, $PHP_AUTH_USER. This is overwritten by the http GET values when such a following uri. (and Post will be so.) http://foo.bar.com/test.php3?PHP_AUTH_USER=CRACK This case is tested under PHP Version 3.0.18-i18n-ja-2. but is not overwritten under PHP Version 4.0.3pl1 the second, $PHP_SELF. This is not overwritten by the http GET values when such a following uri. http://foo.bar.com/test.php3?PHP_SELF=CRACK.php This is true both under PHP Version 4.0.3pl1 and PHP Version 3.0.18-i18n-ja-2 the difference is probably that PHP_AUTH_USER is value from http request originally (=Authorization header), but PHP_SELF is server side, I think. though, such above behavior with each global is the intended spec of PHP? Or Simply by the order of the evaluation in internal for these values? I tested with my test servers. my test server configuration, php.ini is defined with each PHP3: register_globals (none. not defined.) PHP4: register_globals = on I've cheked with phpinfo() also. Any opinion will be appreciated. Thanks. --- K.Tomono -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Torben Wilson [EMAIL PROTECTED] http://www.thebuttlesschaps.com http://www.hybrid17.com http://www.inflatableeye.com +1.604.709.0506 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
