php 4.3.4 and register_globals = Off

Posted: Thu Feb 12, 2004 7:30 pm
by jeanloui
I'm switching from 4.1.2 (the version that I began from) to 4.3.4

Some of my old scripts do not run, mainly the ones that were sending data to themselves via

<form name="filtres" method="post" action="index.php?search=1&word=<? echo $word ?>">
* Is it "normal" or do I have a bad install?

I have set the

register_globals = Off
in php.ini and those scripts are running again.

But I know that there is a kind of security hole.

* What is the correct way for sending -and receiving- form data under 4.3.4, having register_globals = On?

* Is it possible to send LARGE number of variables -or a whole array- through the form-post-action method?

I would be very thankful for the simplest examples, or a link to more complex or commented forms.

Posted: Thu Feb 12, 2004 7:33 pm
by markl999
Sure you have that the right way round? I'd expect the old script to work with register_globals On, not Off ?

If register_globals is Off then you just use $_GET['name'] where you would use $name (i.e. in a URL like ?name=foo)
The same applies to posted data from a form, use $_POST['name'] instead of $name.

http://php.net/variables.predefined provides some info

Posted: Thu Feb 12, 2004 7:47 pm
by jeanloui
Ah, yes, sorry: I must now have register_variables=On (this is the hole)
markl999 wrote: http://php.net/variables.predefined provides some info
I've been there and read it all carefully (of course), but I don't manage to understand the method, and I don't know if I must change ALL my form-based scripts...

Can you point me to some examples using the $_GET['name'] and $_POST['name'] ?

Thanks!

Posted: Thu Feb 12, 2004 7:56 pm
by markl999
Well, let's say you have this..

<form method="post" action="">
<input type="text" name="uname" value="" />
<input type="submit" name="submit" value="login" />
</form>

With register_globals On (the old way) you could just do ..
if($uname){
echo $uname;
}

the preferred way to do this is something like ..
if(!empty($_POST['uname'])){
echo $_POST['uname'];
}

If the form method was "get" then you'd just do the same but using $_GET instead of $_POST.

And yes, you will have to change all your scripts if you have globals Off, but if it's going to be really painful to change them all then you might want to consider http://php.net/extract so you could do ...
extract($_POST);
This will basically turn all the $_POST elements into variables, i.e. $_POST['uname'] into $uname, so you can still use the 'old way' of using $foo, $bar instead of $_POST['foo'] and $_POST['bar'] .. hope all this makes sense ;)
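
The trade-off behind extract($_POST), as an added example that is not part of the original thread: extract() recreates the register_globals behaviour, so request data can set a variable the script never initialised, while reading named keys cannot. The $post array, the is_admin flag, the ids[] field and both function names are constructed for illustration; ids[] also shows how a whole array arrives from one form.

```php
<?php
// Constructed sample request body standing in for $_POST (not from the thread).
$post = array(
    'uname'    => '<b>jean</b>',
    'is_admin' => '1',                  // a field the form never defined
    'ids'      => array('3', '7', 'x'), // from repeated <input name="ids[]">
);

// Weak: extract() behaves like register_globals = On. Every submitted key
// becomes a variable, so a flag the script forgot to initialise is set
// by the request itself.
function load_with_extract($post)
{
    extract($post);
    return (isset($is_admin) && $is_admin) ? 'admin' : 'user';
}

// Hardened: read only the expected keys, validate each one, and never let
// request data create variables.
function load_explicit($post)
{
    $is_admin = false; // decided by server-side logic only
    $uname = (isset($post['uname']) && is_string($post['uname']))
        ? trim($post['uname'])
        : '';
    $ids = array();
    if (isset($post['ids']) && is_array($post['ids'])) {
        foreach ($post['ids'] as $id) {
            // Keep only all-digit strings; anything else is dropped.
            if (is_string($id) && ctype_digit($id)) {
                $ids[] = (int) $id;
            }
        }
    }
    return array(
        'role'  => $is_admin ? 'admin' : 'user',
        'uname' => $uname,
        'ids'   => $ids,
    );
}

echo load_with_extract($post), "\n";
$clean = load_explicit($post);
echo $clean['role'], ' ', implode(',', $clean['ids']), "\n";
// Escape on output so submitted markup is displayed, not interpreted.
echo htmlspecialchars($clean['uname'], ENT_QUOTES), "\n";
```

If extract() has to stay in a legacy script for a while, its EXTR_SKIP flag keeps it from overwriting variables that already exist, but it still creates any variable the script has not set first.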

Posted: Thu Feb 12, 2004 8:05 pm
by jeanloui
markl999 wrote: you might want to consider http://php.net/extract
This is what I needed!! (I guess)
I'll try to use this and report here if it works...

Thanks a LOT!

The script I'm trying to "save" from the 4.3.4 storm is at

http://imagicweb.com/dynamic/table.php

(still running under 4.1.2)