Solved

Changing to register_globals OFF

Posted on 2003-11-05
Last Modified: 2007-12-19
Right now my register_globals are ON, I heard this was a security risk because people could make fake passing vars in the URL and have the script think they auth'ed or something like that.


If I were to turn OFF register_globals, in my mysql_query() statements, where I use the forms names such as

INSERT INTO table (field) VALUES ($formfieldname)

would have to be

INSERT INTO table (field) VALUES ($_POST[formfieldname])

?

And also,

$filetype = $_POST['filetype'];
$_SESSION['search_filetype'] = $filetype;
$filetype = $_SESSION['search_filetype'];

Like there, I'm trying to set the $filetype variable they want to search for as a session variable so they can go back and forth between the forms (like back and next buttons).

I'd like to know the most efficient ways of doing this, I'm familiar with PHP now, just not with coding standards.
Question by:drakkarnoir
 
LVL 13

Expert Comment

by:lozloz
ID: 9689898
correct about the query and security risk except you need some concatenation:

$query = "INSERT INTO table (field) VALUES ('" . $_POST["formfieldname"] . "')";

to set the session variables all you need is $_SESSION["search_filetype"] = $filetype;

are you wondering if a session is the best way to do this or just how to set a session variable?

loz
0
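
The concatenated query in the comment above places the form value directly into the SQL text. As an added example (not code from this thread), here is the same INSERT done with concatenation and with a bound parameter. It uses PDO with an in-memory SQLite database in place of the thread's mysql_query(); the table `uploads`, the column `filetype` and the sample value are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Table/column names and the
// in-memory SQLite database are assumptions so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE uploads (filetype TEXT)');

// Constructed stand-in for form input; a real script reads $_POST['filetype'].
$post = ['filetype' => "user's choice"];

// 1) Concatenation: the apostrophe in the value ends the string literal early,
//    so part of the value is parsed as SQL and the statement is rejected.
function insert_concat(PDO $pdo, string $value): bool
{
    try {
        $pdo->exec("INSERT INTO uploads (filetype) VALUES ('" . $value . "')");
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// 2) Prepared statement: the value is bound as data and never parsed as SQL.
function insert_prepared(PDO $pdo, string $value): bool
{
    $stmt = $pdo->prepare('INSERT INTO uploads (filetype) VALUES (:filetype)');
    return $stmt->execute([':filetype' => $value]);
}

var_dump(insert_concat($pdo, $post['filetype']));
var_dump(insert_prepared($pdo, $post['filetype']));

// Only the row written through the bound parameter is present.
echo $pdo->query('SELECT filetype FROM uploads')->fetchColumn(), PHP_EOL;
```

The bound-parameter form also removes the quoting and concatenation from the query string, since the value never appears in it.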
 
LVL 1

Expert Comment

by:rstorey2079
ID: 9690320
Just as an addition to lozloz's comment -- when you go from register globals on to off, it affects variables used in the $_GET scope as well (if you have any of those).

0
 

Author Comment

by:drakkarnoir
ID: 9691057
Well I didn't use any GET methods at all, all POST's if any...

For loz, you said that I would have to do

$query = "INSERT INTO table (field) VALUES ('" . $_POST["formfieldname"] . "')";

That value string is really ugly, is there a way around this? Or do I have to do it like this with the concatenating and all...
0

 
LVL 13

Expert Comment

by:lozloz
ID: 9691085
why does your code need to look beautiful? :p you could try

$query = "INSERT INTO table (field) VALUES ('$_POST[formfieldname]')";

if you want but i'm not sure if it'll work seeing as the index is a string

loz
0
 

Author Comment

by:drakkarnoir
ID: 9691179
Index is a string? Hehe I just meant is it possible for me to do:

$fieldname = "$_POST[formfieldname]";

$query = "INSERT INTO TABLE (field) VALUES ($fieldname)";

?
0
 

Author Comment

by:drakkarnoir
ID: 9691264
And finally, how will my copy function change?

Currently I have:

copy("filename1","filename1");

Corresponding to filename1 in the file input from the previous form. I tried changing it to:

copy("$_FILES[filename1]","$_FILES[filename1]");

But it just kept giving me Array[a] ok as a result.
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9691273
oh yeh, but you should have:

$fieldname = $_POST["formfieldname"];

loz
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9691297
well $_FILES["filename1"] will hold an array of the information about the file

tmp_name is the temporary name of it, name is the actual name, type is the mime type, size is its size in bytes, error is the associated error code

so these are accessed through $_FILES["filename1"]["tmp_name"] etc.

so you probably want something like:

copy($_FILES["filename1"]["tmp_name"],"../images/" . $_FILES["filename1"]["name"]);

you'll probably want to change the directory information for the 2nd half of the function

loz
0
 

Author Comment

by:drakkarnoir
ID: 9691310
Why did I not have to do tmp_name before with register_globals on?
0
 
LVL 13

Expert Comment

by:lozloz
ID: 9691324
copy("filename1","filename1");

if that code's correct then you're simply copying the file called filename1 over itself?

loz
0
 

Author Comment

by:drakkarnoir
ID: 9691382
Nope, I'm getting the filename1 from the upload form, and then putting it in the hosting directory as the filename1
0
 

Author Comment

by:drakkarnoir
ID: 9691393
Also, I had this before:

$img2_name = str_replace(" ","",$img2_name);
$img2_name = str_replace("'","",$img2_name);
$img2_name = str_replace("(","",$img2_name);
$img2_name = str_replace(")","",$img2_name);
$img2_name = str_replace("\\","",$img2_name);

That was done basically to eliminate nasty characters in the filename before uploading...

How would this change? Can I define the $_FILES[img2][name] array element?
0
 
LVL 13

Accepted Solution

by:
lozloz earned 500 total points
ID: 9691440
just add a line before as follows:

$img2_name = $_FILES["img2"]["name"];

and if you were getting filename1 from an upload form then that code must have been different, maybe you forgot the $ because those are just 2 strings in the copy function

loz
0
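
The `$_FILES` layout explained earlier in the thread and the filename clean-up discussed in the last two posts come together when the upload is stored. As an added example (not code from this thread), here is one way to handle both: the client-supplied `name` is reduced with an allowlist rather than a list of characters to strip, and the file is stored with `move_uploaded_file()` rather than `copy()`. The field name `img2`, the target directory and the extension list are assumptions.

```php
<?php
// Added example, not code from the thread. Field name, directory and the
// allowed extensions are assumptions.

/** Reduce a client-supplied filename to a safe basename using an allowlist. */
function safe_upload_name(string $clientName): string
{
    // Drop any directory part the client sent, with either slash style.
    $base = basename(str_replace('\\', '/', $clientName));
    // Keep letters, digits, dot, dash and underscore; remove everything else.
    $base = preg_replace('/[^A-Za-z0-9._-]/', '', $base);
    // No leading dots, so the result is never a hidden or server config file.
    $base = ltrim($base, '.');
    if ($base === '') {
        throw new InvalidArgumentException('unusable filename');
    }
    return $base;
}

/** Store one entry of $_FILES in $destDir and return the stored path. */
function store_upload(array $file, string $destDir, array $allowedExt): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $file['error']);
    }
    $name = safe_upload_name($file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException('extension not allowed');
    }
    // move_uploaded_file() only accepts a tmp_name that PHP itself created
    // for this request's upload; a plain copy() performs no such check.
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('not an uploaded file, or move failed');
    }
    return $target;
}

// Constructed sample names, runnable from the command line:
foreach (["my photo (1).jpg", "../../config.php", "it's\\here.png"] as $n) {
    echo $n, ' => ', safe_upload_name($n), PHP_EOL;
}

// In a request handler (hypothetical field and directory):
// $path = store_upload($_FILES['img2'], __DIR__ . '/../images', ['jpg', 'png', 'gif']);
```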
 

Author Comment

by:drakkarnoir
ID: 9692349
Thanks so much for explaining, I was worried because I had read on the PHP.net site that it was insecure and that's why they made it default OFF.

Rock on.
0


Question has a verified solution.
