
Very strange to me, anyone know why this happened?

Posted: Mon Dec 11, 2006 2:53 am
by ianhull
I have just set up a new server: IIS6, PHP5x, MySQL5.20.

I have posted some data to a php update script

Code:

<?php session_start();

if (empty($_SESSION['myuser_name'])) {
    echo '<meta http-equiv="refresh" content="0;URL=../index.php" />';
    exit();
}

include_once("../includes/connection.php");

$updateProfile = mysql_query("UPDATE users SET email = '$email', live_id = '$live_id', telephone_1 = '$telephone_1', telephone_2 = '$telephone_2', mobile_1 = '$mobile_1', mobile_2 = '$mobile_2', pager = '$pager'") or die(mysql_error());

?>
But I have not set up variables to retrieve the data like

Code:

$email = $_POST['email'];
but yet my records were updated.

Anyone know why this has happened?

Is it some server settings?

Thanks

Posted: Mon Dec 11, 2006 3:08 am
by dibyendrah
It seems that register global is on.
Edit your php.ini and set

Code:

register_globals = off
And restart the web server to see the effect.

Hope that works.

Posted: Mon Dec 11, 2006 3:14 am
by ianhull
Thanks for that,

One other thing, does it matter if register globals is on?

Does this allow me to post data like this without using the request from post?

any known issue with posting data like this?

Thanks

Posted: Mon Dec 11, 2006 3:45 am
by feyd
The mere fact that it can be turned off would suggest you shouldn't rely on it being on. Secondly, it defaults to off in later versions of PHP. Third, PHP 6 marks the removal of it altogether if memory serves.

Posted: Mon Dec 11, 2006 3:49 am
by s.dot
ianhull wrote:any known issue with posting data like this?
Security issues with poorly written scripts, or scripts that are not well thought of.

Posted: Mon Dec 11, 2006 4:55 am
by dibyendrah
ianhull wrote:Thanks for that,

One other thing, does it matter if register globals is on?

Does this allow me to post data like this without using the request from post?

any known issue with posting data like this?

Thanks
It might be but looking at your code that might have happened because you're not taking POST, GET but it's taking some other global values. So, try with setting register_global off.

Posted: Mon Dec 11, 2006 5:23 am
by aaronhall
As a side note, it's more reliable to use

Code:

header("Location: foobar.php");
instead of a meta redirect tag.

Posted: Mon Dec 11, 2006 10:39 am
by feyd
aaronhall wrote:As a side note, it's more reliable to use

Code:

header("Location: foobar.php");
instead of a meta redirect tag.
Just remember to use a full URL. ;)

Posted: Mon Dec 11, 2006 10:44 pm
by dibyendrah
feyd wrote:
aaronhall wrote:As a side note, it's more reliable to use

Code:

header("Location: foobar.php");
instead of a meta redirect tag.
Just remember to use a full URL. ;)
If the path is relative, do we need to give the full URL?

Posted: Mon Dec 11, 2006 11:10 pm
by feyd
Always. 100% of the time if you want to conform to the HTTP specification.
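
An added example, not part of any post in this thread: one way to write the profile update from the first post so that it does not depend on register_globals, copying each field explicitly from the POST data and binding it in a prepared statement (PDO is used here in place of the post's mysql_query). The `user_name` column, the in-memory SQLite table and the sample request array are assumptions made so the script runs stand-alone on PHP 7.4+ with pdo_sqlite.

```php
<?php
// Added example, not the original poster's script. Column user_name, the
// in-memory SQLite table and the sample request below are assumptions.

// The only request fields the profile form is allowed to set.
const PROFILE_FIELDS = ['email', 'live_id', 'telephone_1', 'telephone_2',
                        'mobile_1', 'mobile_2', 'pager'];

// Copy whitelisted fields out of the request explicitly; nothing else
// in $post can reach the query, whatever register_globals is set to.
function collect_profile_fields(array $post): array
{
    $fields = [];
    foreach (PROFILE_FIELDS as $name) {
        $value = $post[$name] ?? '';
        $fields[$name] = is_string($value) ? trim($value) : '';
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    return $fields;
}

// Bound parameters keep the values out of the SQL text, and the WHERE
// clause limits the update to the logged-in user's row.
function update_profile(PDO $db, string $userName, array $fields): int
{
    $set = implode(', ', array_map(fn($n) => "$n = :$n", PROFILE_FIELDS));
    $stmt = $db->prepare("UPDATE users SET $set WHERE user_name = :user_name");
    $stmt->execute($fields + ['user_name' => $userName]);
    return $stmt->rowCount();
}

// Constructed demo data standing in for the real database and $_POST.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_name TEXT, email TEXT, live_id TEXT,
    telephone_1 TEXT, telephone_2 TEXT, mobile_1 TEXT, mobile_2 TEXT, pager TEXT)');
$db->exec("INSERT INTO users (user_name) VALUES ('alice'), ('bob')");

$post = ['email' => 'alice@example.com', 'telephone_1' => '555-0100',
         'pager' => "O'Neil front desk", 'user_name' => 'bob'];
echo update_profile($db, 'alice', collect_profile_fields($post)), " row updated\n";
foreach ($db->query('SELECT user_name, email, pager FROM users') as $row) {
    echo $row['user_name'], ' | ', $row['email'], ' | ', $row['pager'], "\n";
}
```

In the real script the user name passed to `update_profile()` would come from `$_SESSION['myuser_name']`, never from the request.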