Solved

Changing to register_globals OFF

Posted on 2003-11-05
Last Modified: 2007-12-19
Right now my register_globals is ON. I heard this is a security risk because people could pass fake vars in the URL and have the script think they auth'ed, or something like that.


If I were to turn OFF register_globals, in my mysql_query() statements, where I use the forms names such as

INSERT INTO table (field) VALUES ($formfieldname)

would have to be

INSERT INTO table (field) VALUES ($_POST['formfieldname'])

?

And also,

$filetype = $_POST['filetype'];
$_SESSION['search_filetype'] = $filetype;
$filetype = $_SESSION['search_filetype'];

Like there, I'm trying to set the $filetype variable they want to search for as a session variable so they can go back and forth between the forms (like back and next buttons).

I'd like to know the most efficient ways of doing this. I'm familiar with PHP now, just not with coding standards.
Question by:drakkarnoir
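The risk the question describes, as an added example that is not code from this thread: with register_globals on, a request parameter became a PHP variable before the script ran, so a script that only ever set $authenticated on a successful login (and never initialised it) could be satisfied by page.php?authenticated=1. register_globals was removed in PHP 5.4, so extract() is used here to emulate it; the credential check, the user name and the password are constructed for the demonstration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. register_globals was removed in
// PHP 5.4, so extract() is used here to emulate what it did: every request
// parameter silently became a PHP variable before the script ran.
declare(strict_types=1);

// Constructed credential check standing in for a real lookup.
function password_ok(?string $user, ?string $pass): bool
{
    return $user === 'admin' && $pass === 'correct horse battery staple';
}

// The pattern that register_globals made exploitable: $authenticated is only
// ever assigned on success and is never initialised.
function is_authenticated_globals_on(array $request): bool
{
    extract($request, EXTR_OVERWRITE);          // the register_globals effect
    if (password_ok($request['user'] ?? null, $request['pass'] ?? null)) {
        $authenticated = true;
    }
    return !empty($authenticated);              // may have been seeded by the URL
}

// Same logic with the flag initialised, and the result kept server-side in
// the session instead of in anything the client can supply.
function is_authenticated_fixed(array $request, array &$session): bool
{
    $authenticated = false;
    if (password_ok($request['user'] ?? null, $request['pass'] ?? null)) {
        $authenticated = true;
        $session['authenticated'] = true;       // what later pages should check
    }
    return $authenticated;
}

// Constructed requests: the second one is the attack the question describes,
// a URL such as page.php?authenticated=1 with no credentials at all.
$legit  = ['user' => 'admin', 'pass' => 'correct horse battery staple'];
$forged = ['authenticated' => '1'];

var_dump(is_authenticated_globals_on($legit));
var_dump(is_authenticated_globals_on($forged));   // the forged flag survives

$session = [];
var_dump(is_authenticated_fixed($legit, $session));
var_dump(is_authenticated_fixed($forged, $session));
```

Turning register_globals off closes the hole because the forged parameter only exists in $_GET or $_POST, where nothing reads it; initialising every flag before use closes it even on a server where the setting is still on.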
14 Comments
 
LVL 13

Expert Comment

by:lozloz
ID: 9689898
correct about the query and security risk, except you need some concatenation:

$query = "INSERT INTO table (field) VALUES ('" . $_POST["formfieldname"] . "')";

to set the session variables all you need is $_SESSION["search_filetype"] = $filetype;

are you wondering if a session is the best way to do this or just how to set a session variable?

loz
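The concatenated INSERT above still splices the form value into the SQL text, so a value containing a quote changes the statement itself. The following is an added example, not code from this thread; it uses PDO with an in-memory SQLite database in place of the thread's mysql_query() so that it runs stand-alone (assumes PHP 7 with the pdo_sqlite extension; swap the DSN for your MySQL connection), and the table name and the inputs standing in for $_POST['filetype'] are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite so it runs
// offline; the same prepare()/execute() calls work against MySQL.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE searches (id INTEGER PRIMARY KEY, filetype TEXT NOT NULL)');
    return $db;
}

// The thread's pattern: the form value is spliced straight into the SQL text.
function insert_concat(PDO $db, string $value): void
{
    $query = "INSERT INTO searches (filetype) VALUES ('" . $value . "')";
    $db->exec($query);
}

// Parameterised: the value is sent separately and never becomes SQL grammar.
function insert_prepared(PDO $db, string $value): void
{
    $stmt = $db->prepare('INSERT INTO searches (filetype) VALUES (:filetype)');
    $stmt->execute([':filetype' => $value]);
}

function row_count(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM searches')->fetchColumn();
}

// Constructed inputs standing in for $_POST['filetype'].
$benign  = 'pdf';
$payload = "pdf'), ('injected";   // closes the literal and adds a row of its own

$db = make_db();
insert_concat($db, $benign);
insert_concat($db, $payload);      // two rows land in the table from one form field
echo 'concatenated: ' . row_count($db) . " rows\n";
try {
    insert_concat($db, "O'Brien");  // an innocent apostrophe breaks the statement
} catch (PDOException $e) {
    echo "concatenated: O'Brien caused a syntax error\n";
}

$db = make_db();
insert_prepared($db, $benign);
insert_prepared($db, $payload);    // stored literally as one row
insert_prepared($db, "O'Brien");   // stored without any escaping needed
echo 'prepared: ' . row_count($db) . " rows\n";
```

The prepared form is also the answer to the "ugly string" complaint later in the thread: the SQL stays a single readable literal and the values are passed as an array.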
 
LVL 1

Expert Comment

by:rstorey2079
ID: 9690320
Just as an addition to lozloz's comment -- when you go from register globals on to off, it affects variables used in the $_GET scope as well (if you have any of those).

 

Author Comment

by:drakkarnoir
ID: 9691057
Well, I didn't use any GET methods at all, all POSTs if any...

For loz, you said that I would have to do

$query = "INSERT INTO table (field) VALUES ('" . $_POST["formfieldname"] . "')";

That value string is really ugly, is there a way around this? Or do I have to do it like this with the concatenating and all...
 
LVL 13

Expert Comment

by:lozloz
ID: 9691085
why does your code need to look beautiful? :p you could try

$query = "INSERT INTO table (field) VALUES ('$_POST[formfieldname]')";

if you want but i'm not sure if it'll work seeing as the index is a string

loz
 

Author Comment

by:drakkarnoir
ID: 9691179
Index is a string? Hehe I just meant is it possible for me to do:

$fieldname = "$_POST[formfieldname]";

$query = "INSERT INTO TABLE (field) VALUES ($fieldname)";

?
 

Author Comment

by:drakkarnoir
ID: 9691264
And finally, how will my copy function change?

Currently I have:

copy("filename1","filename1");

Corresponding to filename1 in the file input from the previous form. I tried changing it to:

copy("$_FILES[filename1]","$_FILES[filename1]");

But it just kept giving me Array[a] ok as a result.
 
LVL 13

Expert Comment

by:lozloz
ID: 9691273
oh yeh, but you should have:

$fieldname = $_POST["formfieldname"];

loz
 
LVL 13

Expert Comment

by:lozloz
ID: 9691297
well $_FILES["filename1"] will hold an array of the information about the file

tmp_name is the temporary name of it, name is the actual name, type is the mime type, size is its size in bytes, error is the associated error code

so these are accessed through $_FILES["filename1"]["tmp_name"] etc.

so you probably want something like:

copy($_FILES["filename1"]["tmp_name"],"../images/" . $_FILES["filename1"]["name"]);

you'll probably want to change the directory information for the 2nd half of the function

loz
 

Author Comment

by:drakkarnoir
ID: 9691310
Why did I not have to do tmp_name before with register_globals on?
 
LVL 13

Expert Comment

by:lozloz
ID: 9691324
copy("filename1","filename1");

if that code's correct then you're simply copying the file called filename1 over itself?

loz
 

Author Comment

by:drakkarnoir
ID: 9691382
Nope, I'm getting the filename1 from the upload form, and then putting it in the hosting directory as the filename1
 

Author Comment

by:drakkarnoir
ID: 9691393
Also, I had this before:

$img2_name = str_replace(" ","",$img2_name);
$img2_name = str_replace("'","",$img2_name);
$img2_name = str_replace("(","",$img2_name);
$img2_name = str_replace(")","",$img2_name);
$img2_name = str_replace("\\","",$img2_name);

That was done basically to eliminate nasty characters in the filename before uploading...

How would this change? Can I define the $_FILES[img2][name] array element?
 
LVL 13

Accepted Solution

by:
lozloz earned 2000 total points
ID: 9691440
just add a line before as follows:

$img2_name = $_FILES["img2"]["name"];

and if you were getting filename1 from an upload form then that code must have been different, maybe you forgot the $ because those are just 2 strings in the copy function

loz
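Both the copy() call from the $_FILES comment earlier in the thread and the str_replace() clean-up of $img2_name above trust the file name the browser sent: a name such as ../../evil.php passes every one of those replacements and the copy lands wherever the client chose. The following is an added example, not code from this thread, showing the name handling a practitioner would want instead: strip any directory part, allow-list the extension, replace anything outside a safe character set, and move the file with move_uploaded_file(), which refuses anything that was not uploaded in this request. The extension allow-list, the upload directory and the sample names are assumptions made for the demonstration; it assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Derives a safe stored name from the
// client-supplied one and moves the upload with move_uploaded_file().
declare(strict_types=1);

// Assumed allow-list for an image upload form; adjust to the site's needs.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

// Returns a safe file name derived from the browser-supplied one, or null if
// the name cannot be used at all (disallowed or missing extension).
function safe_upload_name(string $clientName): ?string
{
    // Drop any directory part the client sent: "../../x" and "..\..\x" become "x".
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    $stem = pathinfo($base, PATHINFO_FILENAME);
    // Keep only characters we are happy to see in a file name; collapse the rest.
    $stem = preg_replace('/[^A-Za-z0-9_-]+/', '_', $stem);
    $stem = trim($stem, '_');
    if ($stem === '') {
        $stem = 'file';
    }
    return $stem . '.' . $ext;
}

// Stores one entry of $_FILES (e.g. $_FILES['img2']) under $uploadDir and
// returns the final path; throws on anything unexpected.
function store_upload(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    $name = safe_upload_name((string) $file['name']);
    if ($name === null) {
        throw new RuntimeException('file type not allowed');
    }
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (file_exists($dest)) {
        throw new RuntimeException('a file with that name already exists');
    }
    // move_uploaded_file() checks that tmp_name really came from this request's
    // upload, which copy() does not; it fails for any other path.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $dest;
}

// Constructed sample names, as a browser might send them in $_FILES['img2']['name'].
$samples = ['my photo (1).jpg', '..\\..\\evil.php', '../../etc/passwd', "O'Brien.PNG", '.htaccess'];
foreach ($samples as $n) {
    printf("%-22s -> %s\n", $n, safe_upload_name($n) ?? '(rejected)');
}
```

In the real form handler the call is store_upload($_FILES['img2'], '../images'), inside a try/catch that turns the exception into an error message. Rejecting by extension rather than stripping characters matters because the thread's replacement list never touches a ".php" suffix or a "../" prefix, and an upload directory that the web server executes turns either into remote code execution.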
 

Author Comment

by:drakkarnoir
ID: 9692349
Thanks so much for explaining, I was worried because I had read on the PHP.net site that it was insecure and that's why they made it default OFF.

Rock on.