  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 282

Changing to register_globals OFF

Right now my register_globals are ON, I heard this was a security risk because people could make fake passing vars in the URL and have the script think they auth'ed or something like that.


If I were to turn OFF register_globals, in my mysql_query() statements, where I use the forms names such as

INSERT INTO table (field) VALUES ($formfieldname)

would have to be

INSERT INTO table (field) VALUES ($_POST[formfieldname])

?

And also,

$filetype = $_POST['filetype'];
$_SESSION['search_filetype'] = $filetype;
$filetype = $_SESSION['search_filetype'];

Like there, I'm trying to set the $filetype variable they want to search for as a session variable so they can go back and forth between the forms (like back and next buttons).

I'd like to know the most efficient ways of doing this. I'm familiar with PHP now, just not with coding standards.
0
Asked by: drakkarnoir

lozloz Commented:
correct about the query and security risk except you need some concatenation:

$query = "INSERT INTO table (field) VALUES ('" . $_POST["formfieldname"] . "')";

to set the session variables all you need is $_SESSION["search_filetype"] = $filetype;

are you wondering if a session is the best way to do this or just how to set a session variable?

loz
0
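Added example (not part of the thread): the concatenated INSERT above next to a prepared statement, which keeps the form value out of the SQL text. It assumes PDO with an in-memory SQLite database instead of the thread's MySQL/mysql_query(); the table name `demo`, the function names and the form value are constructed for illustration.

```php
<?php
// Added example: constructed form submission, in-memory SQLite through PDO
// (assumption; the thread itself uses MySQL and mysql_query()).
$_POST = ['formfieldname' => "O'Brien"];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE demo (field TEXT)');

// Concatenated form from the thread: the quote inside the value ends the
// string literal early, so the rest of the user's data is parsed as SQL.
function insert_concatenated(PDO $pdo, array $post): bool
{
    $query = "INSERT INTO demo (field) VALUES ('" . $post['formfieldname'] . "')";
    try {
        $pdo->exec($query);
        return true;
    } catch (PDOException $e) {
        return false;   // syntax error triggered by the embedded quote
    }
}

// Prepared statement: the SQL text is fixed and the value is bound
// separately, so quotes in the data are stored as data.
function insert_prepared(PDO $pdo, array $post): bool
{
    if (!isset($post['formfieldname']) || !is_string($post['formfieldname'])) {
        return false;   // field missing, or sent as an array (formfieldname[]=x)
    }
    $stmt = $pdo->prepare('INSERT INTO demo (field) VALUES (:value)');
    return $stmt->execute([':value' => $post['formfieldname']]);
}

var_dump(insert_concatenated($pdo, $_POST));   // did the concatenated query run?
var_dump(insert_prepared($pdo, $_POST));       // did the prepared insert run?
var_dump($pdo->query('SELECT field FROM demo')->fetchColumn());   // stored value
```

The same prepare/execute calls work with a MySQL DSN; turning register_globals off changes where the value comes from, not how safely it reaches the query.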
 
rstorey2079 Commented:
Just as an addition to lozloz's comment -- when you go from register globals on to off, it affects variables used in the $_GET scope as well (if you have any of those).

0
 
drakkarnoir (Author) Commented:
Well I didn't use any GET methods at all, all POST's if any...

For loz, you said that I would have to do

$query = "INSERT INTO table (field) VALUES ('" . $_POST["formfieldname"] . "')";

That value string is really ugly, is there a way around this? Or do I have to do it like this with the concatenating and all...
0
 
lozloz Commented:
why does your code need to look beautiful? :p you could try

$query = "INSERT INTO table (field) VALUES ('$_POST[formfieldname]')";

if you want but i'm not sure if it'll work seeing as the index is a string

loz
0
 
drakkarnoir (Author) Commented:
Index is a string? Hehe I just meant is it possible for me to do:

$fieldname = "$_POST[formfieldname]";

$query = "INSERT INTO TABLE (field) VALUES ($fieldname)";

?
0
 
drakkarnoir (Author) Commented:
And finally, how will my copy function change?

Currently I have:

copy("filename1","filename1");

Corresponding to filename1 in the file input from the previous form. I tried changing it to:

copy("$_FILES[filename1]","$_FILES[filename1]");

But it just kept giving me Array[a] ok as a result.
0
 
lozloz Commented:
oh yeh, but you should have:

$fieldname = $_POST["formfieldname"];

loz
0
 
lozloz Commented:
well $_FILES["filename1"] will hold an array of the information about the file

tmp_name is the temporary name of it, name is the actual name, type is the mime type, size is its size in bytes, error is the associated error code

so these are accessed through $_FILES["filename1"]["tmp_name"] etc.

so you probably want something like:

copy($_FILES["filename1"]["tmp_name"],"../images/" . $_FILES["filename1"]["name"]);

you'll probably want to change the directory information for the 2nd half of the function

loz
0
 
drakkarnoir (Author) Commented:
Why did I not have to do tmp_name before with register_globals on?
0
 
lozloz Commented:
copy("filename1","filename1");

if that code's correct then you're simply copying the file called filename1 over itself?

loz
0
 
drakkarnoir (Author) Commented:
Nope, I'm getting the filename1 from the upload form, and then putting it in the hosting directory as the filename1
0
 
drakkarnoir (Author) Commented:
Also, I had this before:

$img2_name = str_replace(" ","",$img2_name);
$img2_name = str_replace("'","",$img2_name);
$img2_name = str_replace("(","",$img2_name);
$img2_name = str_replace(")","",$img2_name);
$img2_name = str_replace("\\","",$img2_name);

That was done basically to eliminate nasty characters in the filename before uploading...

How would this change? Can I define the $_FILES[img2][name] array element?
0
 
lozloz Commented:
just add a line before as follows:

$img2_name = $_FILES["img2"]["name"];

and if you were getting filename1 from an upload form then that code must have been different, maybe you forgot the $ because those are just 2 strings in the copy function

loz
0
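Added example (not part of the thread): one way to handle the upload discussed above, treating $_FILES[...]["name"] as client-supplied text. It replaces the chain of str_replace() calls with an allow-list and uses move_uploaded_file() instead of copy(); the function names, the extension list and the destination directory are assumptions.

```php
<?php
// Added example. safe_upload_name(), store_upload() and ALLOWED_EXT are
// hypothetical names; adjust the allow-list and directory to the application.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Allow-list version of the str_replace() chain: keep only known-safe
// characters instead of deleting a few known-bad ones.
function safe_upload_name(string $clientName): ?string
{
    // Treat backslashes as separators too, then drop any directory part.
    $name = basename(str_replace('\\', '/', $clientName));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);
    $name = ltrim($name, '.');                       // no dotfiles
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || !in_array($ext, ALLOWED_EXT, true)) {
        return null;                                 // reject, do not guess
    }
    return $name;
}

// $file is one entry of $_FILES, e.g. $_FILES['img2'].
function store_upload(array $file, string $destDir): ?string
{
    // 'error' is an array when the field was submitted as img2[]; reject that.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = safe_upload_name($file['name']);
    if ($name === null) {
        return null;
    }
    $target = rtrim($destDir, '/') . '/' . $name;
    // move_uploaded_file() refuses sources that are not genuine PHP uploads.
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed client-side names, run through the sanitizer only.
foreach (['my photo (1).jpg', '..\\..\\images\\a b.PNG', 'notes.php', '.htaccess'] as $n) {
    printf("%-26s => %s\n", $n, var_export(safe_upload_name($n), true));
}
```

In a form handler the call would be store_upload($_FILES['img2'], '../images'), with a null return treated as a rejected upload.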
 
drakkarnoir (Author) Commented:
Thanks so much for explaining, I was worried because I had read on the PHP.net site that it was insecure and that's why they made it default OFF.

Rock on.
0
