php 4.3.4 and register_globals = Off

jeanloui
Forum Commoner
Posts: 36
Joined: Fri Sep 26, 2003 2:38 pm
Location: Girona (Europe)

Post by jeanloui »

I'm switching from 4.1.2 (the version that I began from) to 4.3.4

Some of my old scripts do not run, mainly the ones that were sending data to themselves via

<form name="filtres" method="post" action="index.php?search=1&word=<? echo $word ?>">

* Is it "normal" or do I have a bad install?

I have set the

register_globals = Off
in php.ini and those scripts are running again.

But I know that there is a kind of security hole.

* What is the correct way for sending -and receiving- form data under 4.3.4, having register_globals = On?

* Is it possible to send LARGE number of variables -or a whole array- through the form-post-action method?

I would be very thankful for the simplest examples, or a link to more complex or commented forms.
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

Sure you have that the right way round? I'd expect the old script to work with register_globals On, not Off ?

If register_globals is Off then you just use $_GET['name'] where you would use $name (i.e. in a URL like ?name=foo)
The same applies to posted data from a form, use $_POST['name'] instead of $name.

http://php.net/variables.predefined provides some info
jeanloui
Forum Commoner
Posts: 36
Joined: Fri Sep 26, 2003 2:38 pm
Location: Girona (Europe)

Post by jeanloui »

Ah, yes, sorry: I must have now register_variables=On (this is the hole)
markl999 wrote: http://php.net/variables.predefined provides some info
I've been there and read it all carefully (of course), but I can't manage to understand the method and I don't know if I must change ALL my form-based scripts...

Can you point me to some examples using the $_GET['name'] and $_POST['name'] ?

Thanks!
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

Well, let's say you have this..

<form method="post" action="">
<input type="text" name="uname" value="" />
<input type="submit" name="submit" value="login" />
</form>

With register_globals On (the old way) you could just do ..
if($uname){
    echo $uname;
}

the preferred way to do this is something like ..
if(!empty($_POST['uname'])){
    echo $_POST['uname'];
}

If the form method was "get" then you'd just do the same but using $_GET instead of $_POST.

And yes, you will have to change all your scripts if you have globals Off, but if it's going to be really painful to change them all then you might want to consider http://php.net/extract so you could do ...
extract($_POST);
This will basically turn all the $_POST elements into variables, i.e $_POST['uname'] into $uname so you can still use the 'old way' of using $foo, $bar instead of $_POST['foo'] and $_POST['bar'] .. hope all this makes sense ;)
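
Added example (not part of markl999's post or of the original thread): why extract($_POST) brings back the register_globals hole mentioned in the first post, next to reading only the expected fields from $_POST, including a whole array sent through the form. The $post array is constructed and stands in for $_POST; the field names (uname, is_admin, filters[]) and the function names are assumptions.

```php
<?php
// Constructed request data standing in for $_POST, so the script runs
// from the command line. 'is_admin' is not a field of the form: a client
// can add any name it likes to the request body.
$post = array(
    'uname'    => '<b>jean</b>',
    'is_admin' => '1',
    'filters'  => array('red', 'blue'),   // from <input name="filters[]">
);

// 1. extract() on request data lets the client decide which variables exist.
function with_extract($post) {
    $is_admin = false;      // value set by the application
    extract($post);         // default flag EXTR_OVERWRITE replaces it
    return $is_admin;
}

// 2. Read only the fields the form defines and check their types.
function read_form($post) {
    $clean = array('uname' => '', 'filters' => array());
    if (isset($post['uname']) && is_string($post['uname'])) {
        $clean['uname'] = trim($post['uname']);
    }
    if (isset($post['filters']) && is_array($post['filters'])) {
        foreach ($post['filters'] as $f) {
            if (is_string($f)) {
                $clean['filters'][] = $f;
            }
        }
    }
    return $clean;          // anything else in the request is ignored
}

// The application flag now holds whatever the request supplied.
var_dump(with_extract($post));

$form = read_form($post);
// Escape when writing into HTML, so markup in the value is shown as text.
echo htmlspecialchars($form['uname'], ENT_QUOTES), "\n";
echo count($form['filters']), " filters received\n";
```

If extract() is kept as a stopgap for old scripts, calling it as extract($_POST, EXTR_PREFIX_ALL, 'form') keeps request fields in $form_* names so they cannot collide with the application's own variables.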
jeanloui
Forum Commoner
Posts: 36
Joined: Fri Sep 26, 2003 2:38 pm
Location: Girona (Europe)

Post by jeanloui »

markl999 wrote:you might want to consider http://php.net/extract
This is what I was needing !! (I guess)
I'll try to use this and report here if it works...

Thanks a LOT!

The script I'm trying to "save" from the 4.3.4 storm is at

http://imagicweb.com/dynamic/table.php

(still running under 4.1.2)