Changing to register_globals OFF

Right now my register_globals are ON, I heard this was a security risk because people could make fake passing vars in the URL and have the script think they auth'ed or something like that.


If I were to turn OFF register_globals, in my mysql_query() statements, where I use the forms names such as

INSERT INTO table (field) VALUES ($formfieldname)

would have to be

INSERT INTO table (field) VALUES ($_POST[formfieldname])

?

And also,

$filetype = $_POST['filetype'];
$_SESSION['search_filetype'] = $filetype;
$filetype = $_SESSION['search_filetype'];

Like there, I'm trying to set the $filetype variable they want to search for as a session variable so they can go back and forth between the forms (like back and next buttons).

I'd like to know the most efficient ways of doing this. I'm familiar with PHP now, just not with coding standards.
drakkarnoirAsked:

lozlozCommented:
correct about the query and security risk except you need some concatenation:

$query = "INSERT INTO table (field) VALUES ('" . $_POST["formfieldname"] . "')";

to set the session variables all you need is $_SESSION["search_filetype"] = $filetype;

are you wondering if a session is the best way to do this or just how to set a session variable?

loz
0
rstorey2079Commented:
Just as an addition to lozloz's comment -- when you go from register globals on to off, it affects variables used in the $_GET scope as well (if you have any of those).

0
drakkarnoirAuthor Commented:
Well I didn't use any GET methods at all, all POST's if any...

For loz, you said that I would have to do

$query = "INSERT INTO table (field) VALUES ('" . $_POST["formfieldname"] . "')";

That value string is really ugly, is there a way around this? Or do I have to do it like this with the concatenating and all...
0

lozlozCommented:
why does your code need to look beautiful? :p you could try

$query = "INSERT INTO table (field) VALUES ('$_POST[formfieldname]')";

if you want but i'm not sure if it'll work seeing as the index is a string

loz
0
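The queries built in the comments above place the form value directly into the SQL text. As an added example that is not part of the thread, this compares that form with a prepared statement; it assumes PDO with an in-memory SQLite database standing in for MySQL, and a hypothetical `uploads` table.

```php
<?php
// Added example. Assumptions: PDO with an in-memory SQLite database stands in
// for the thread's MySQL server; the table and column names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE uploads (filetype TEXT)');

// Constructed form input standing in for $_POST["formfieldname"].
$post = ['formfieldname' => "jpg'), ('extra"];

// Form used in the thread: the value is pasted into the SQL text, so its
// quote characters are parsed as SQL and one submission changes the statement.
$pdo->exec("INSERT INTO uploads (filetype) VALUES ('" . $post['formfieldname'] . "')");
$concatenated = (int) $pdo->query('SELECT COUNT(*) FROM uploads')->fetchColumn();

$pdo->exec('DELETE FROM uploads');

// Prepared statement: the SQL text is fixed and the value is bound separately,
// so it is stored as data whatever characters it contains.
$stmt = $pdo->prepare('INSERT INTO uploads (filetype) VALUES (:filetype)');
$stmt->execute([':filetype' => $post['formfieldname']]);
$rows = $pdo->query('SELECT filetype FROM uploads')->fetchAll(PDO::FETCH_COLUMN);

printf("concatenated query inserted %d row(s)\n", $concatenated);
printf("prepared statement inserted %d row(s): %s\n", count($rows), $rows[0]);
```

The same bound-parameter form is available for MySQL through PDO or mysqli, and it also removes the quoting and concatenation the thread is trying to tidy up.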
drakkarnoirAuthor Commented:
Index is a string? Hehe I just meant is it possible for me to do:

$fieldname = "$_POST[formfieldname]";

$query = "INSERT INTO TABLE (field) VALUES ($fieldname)";

?
0
drakkarnoirAuthor Commented:
And finally, how will my copy function change?

Currently I have:

copy("filename1","filename1");

Corresponding to filename1 in the file input from the previous form. I tried changing it to:

copy("$_FILES[filename1]","$_FILES[filename1]");

But it just kept giving me Array[a] ok as a result.
0
lozlozCommented:
oh yeh, but you should have:

$fieldname = $_POST["formfieldname"];

loz
0
lozlozCommented:
well $_FILES["filename1"] will hold an array of the information about the file

tmp_name is the temporary name of it, name is the actual name, type is the mime type, size is its size in bytes, error is the associated error code

so these are accessed through $_FILES["filename1"]["tmp_name"] etc.

so you probably want something like:

copy($_FILES["filename1"]["tmp_name"],"../images/" . $_FILES["filename1"]["name"]);

you'll probably want to change the directory information for the 2nd half of the function

loz
0
drakkarnoirAuthor Commented:
Why did I not have to do tmp_name before with register_globals on?
0
lozlozCommented:
copy("filename1","filename1");

if that code's correct then you're simply copying the file called filename1 over itself?

loz
0
drakkarnoirAuthor Commented:
Nope, I'm getting the filename1 from the upload form, and then putting it in the hosting directory as the filename1
0
drakkarnoirAuthor Commented:
Also, I had this before:

$img2_name = str_replace(" ","",$img2_name);
$img2_name = str_replace("'","",$img2_name);
$img2_name = str_replace("(","",$img2_name);
$img2_name = str_replace(")","",$img2_name);
$img2_name = str_replace("\\","",$img2_name);

That was done basically to eliminate nasty characters in the filename before uploading...

How would this change? Can I define the $_FILES[img2][name] array element?
0
lozlozCommented:
just add a line before as follows:

$img2_name = $_FILES["img2"]["name"];

and if you were getting filename1 from an upload form then that code must have been different, maybe you forgot the $ because those are just 2 strings in the copy function

loz
0
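The `copy()` call and the `str_replace()` filename cleaning discussed above both act on values the client controls (`name`, and the choice of file). As an added example that is not part of the thread, this stores an upload using an allow-list for the name and `move_uploaded_file()` for the move; the extension list, size limit and function names are assumptions.

```php
<?php
// Added example. Assumptions: the form field is "filename1" and the target is
// ../images as in the thread; the allow-list, size limit and function names
// are hypothetical.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];
const MAX_BYTES   = 2 * 1024 * 1024;

// Reduce a client-supplied name to a safe one: drop any directory part, keep
// only [A-Za-z0-9._-], and require an allow-listed extension.
function safe_upload_name(string $clientName): ?string
{
    $base = basename(str_replace('\\', '/', $clientName));
    $base = ltrim(preg_replace('/[^A-Za-z0-9._-]/', '', $base), '.');
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return ($base !== '' && in_array($ext, ALLOWED_EXT, true)) ? $base : null;
}

function store_upload(array $file, string $destDir): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed, error code $error");
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $name = safe_upload_name($file['name']);
    if ($name === null) {
        throw new RuntimeException('file name or type not allowed');
    }
    $target = rtrim($destDir, '/') . '/' . $name;
    // Unlike copy(), move_uploaded_file() refuses a source path that PHP did
    // not itself receive as an upload in this request.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}

if (isset($_FILES['filename1'])) {              // web request with an upload
    echo store_upload($_FILES['filename1'], __DIR__ . '/../images'), "\n";
} else {                                        // CLI run: constructed names
    foreach (['my photo (1).jpg', '../../etc/passwd', 'notes.php', '..\\..\\pic.PNG'] as $n) {
        echo str_pad($n, 20), ' => ', var_export(safe_upload_name($n), true), "\n";
    }
}
```

An allow-list of characters replaces the chain of `str_replace()` calls, so characters nobody thought to list are dropped as well.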

drakkarnoirAuthor Commented:
Thanks so much for explaining, I was worried because I had read on the PHP.net site that it was insecure and that's why they made it default OFF.

Rock on.
0