Solved

Changing to register_globals OFF

Posted on 2003-11-05
Last Modified: 2007-12-19
Right now my register_globals are ON, I heard this was a security risk because people could make fake passing vars in the URL and have the script think they auth'ed or something like that.


If I were to turn OFF register_globals, in my mysql_query() statements, where I use the forms names such as

INSERT INTO table (field) VALUES ($formfieldname)

would have to be

INSERT INTO table (field) VALUES ($_POST[formfieldname])

?

And also,

$filetype = $_POST['filetype'];
$_SESSION['search_filetype'] = $filetype;
$filetype = $_SESSION['search_filetype'];

Like there, I'm trying to set the $filetype variable they want to search for as a session variable so they can go back and forth between the forms (like back and next buttons).

I'd like to know the most efficient ways of doing this. I'm familiar with PHP now, just not with coding standards.

Question by:drakkarnoir
 
LVL 13

Expert Comment

by:lozloz
ID: 9689898
correct about the query and security risk except you need some concatenation:

$query = "INSERT INTO table (field) VALUES ('" . $_POST["formfieldname"] . "')";

to set the session variables all you need is $_SESSION["search_filetype"] = $filetype;

are you wondering if a session is the best way to do this or just how to set a session variable?

loz
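An added example (not code from this thread) of the same form handling with register_globals OFF: the input is read explicitly from $_POST, the chosen filetype is kept in the session, and the value is bound with a mysqli prepared statement instead of being concatenated into the mysql_query() string. The table/column names, the allowed filetype list and the DB credentials are assumed placeholders.

```php
<?php
// Added example, not from the thread. With register_globals OFF nothing
// becomes a variable unless we copy it out of $_POST ourselves.
session_start();

$formfieldname = isset($_POST['formfieldname']) ? (string) $_POST['formfieldname'] : '';
$filetype      = isset($_POST['filetype'])      ? (string) $_POST['filetype']      : '';

// Assumed whitelist of search types; anything else falls back to a default,
// so a made-up value in the request cannot reach the session or the query.
$allowedTypes = array('jpg', 'gif', 'png');
if (!in_array($filetype, $allowedTypes, true)) {
    $filetype = 'jpg';
}
// Remember the choice so the user can move between forms (back/next).
$_SESSION['search_filetype'] = $filetype;

// Placeholder credentials; replace with your own.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db->connect_error) {
    die('Connection failed');
}

// The value travels separately from the SQL text, so quotes or other
// characters typed into the form cannot change the statement's structure.
$stmt = $db->prepare('INSERT INTO `table` (`field`) VALUES (?)');
if ($stmt === false) {
    die('Prepare failed');
}
$stmt->bind_param('s', $formfieldname);
$stmt->execute();
$stmt->close();
$db->close();
```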
LVL 1

Expert Comment

by:rstorey2079
ID: 9690320
Just as an addition to lozloz's comment -- when you go from register globals on to off, it affects variables used in the $_GET scope as well (if you have any of those).


Author Comment

by:drakkarnoir
ID: 9691057
Well I didn't use any GET methods at all, all POST's if any...

For loz, you said that I would have to do

$query = "INSERT INTO table (field) VALUES ('" . $_POST["formfieldname"] . "')";

That value string is really ugly, is there a way around this? Or do I have to do it like this with the concatenating and all...
LVL 13

Expert Comment

by:lozloz
ID: 9691085
why does your code need to look beautiful? :p you could try

$query = "INSERT INTO table (field) VALUES ('$_POST[formfieldname]')";

if you want but i'm not sure if it'll work seeing as the index is a string

loz

Author Comment

by:drakkarnoir
ID: 9691179
Index is a string? Hehe I just meant is it possible for me to do:

$fieldname = "$_POST[formfieldname]";

$query = "INSERT INTO TABLE (field) VALUES ($fieldname)";

?

Author Comment

by:drakkarnoir
ID: 9691264
And finally, how will my copy function change?

Current I have:

copy("filename1","filename1");

Corresponding to filename1 in the file input from the previous form. I tried changing it to:

copy("$_FILES[filename1]","$_FILES[filename1]");

But it just kept giving me Array[a] ok as a result.
LVL 13

Expert Comment

by:lozloz
ID: 9691273
oh yeh, but you should have:

$fieldname = $_POST["formfieldname"];

loz
LVL 13

Expert Comment

by:lozloz
ID: 9691297
well $_FILES["filename1"] will hold an array of the information about the file

tmp_name is the temporary name of it, name is the actual name, type is the mime type, size is its size in bytes, error is the associated error code

so these are accessed through $_FILES["filename1"]["tmp_name"] etc.

so you probably want something like:

copy($_FILES["filename1"]["tmp_name"],"../images/" . $_FILES["filename1"]["name"]);

you'll probably want to change the directory information for the 2nd half of the function

loz

Author Comment

by:drakkarnoir
ID: 9691310
Why did I not have to do tmp_name before with register_globals on?
LVL 13

Expert Comment

by:lozloz
ID: 9691324
copy("filename1","filename1");

if that code's correct then you're simply copying the file called filename1 over itself?

loz

Author Comment

by:drakkarnoir
ID: 9691382
Nope, I'm getting the filename1 from the upload form, and then putting it in the hosting directory as the filename1

Author Comment

by:drakkarnoir
ID: 9691393
Also, I had this before:

$img2_name = str_replace(" ","",$img2_name);
$img2_name = str_replace("'","",$img2_name);
$img2_name = str_replace("(","",$img2_name);
$img2_name = str_replace(")","",$img2_name);
$img2_name = str_replace("\\","",$img2_name);

That was done basically to eliminate nasty characters in the filename before uploading...

How would this change? Can I define the $_FILES[img2][name] array element?
LVL 13

Accepted Solution

by:lozloz (earned 500 total points)
ID: 9691440
just add a line before as follows:

$img2_name = $_FILES["img2"]["name"];

and if you were getting filename1 from an upload form then that code must have been different, maybe you forgot the $ because those are just 2 strings in the copy function

loz
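An added example (not the thread's code) of the img2 upload with register_globals OFF: the name is taken from $_FILES["img2"]["name"], reduced to a safe character set in one step instead of the chain of str_replace() calls, and the file is moved out of the temp directory with move_uploaded_file() rather than copy(). The "../images/" destination is the directory used earlier in the thread; cleanUploadName() is a hypothetical helper.

```php
<?php
// Added example, not from the thread. Whitelist approach: keep only the
// characters we know are safe rather than listing the ones to strip.
function cleanUploadName($name) {
    // Drop any directory part a client might send (e.g. "../../x.jpg").
    $name = basename($name);
    // Keep letters, digits, dot, dash and underscore; spaces, quotes,
    // parentheses, backslashes and everything else are removed.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);
    // Avoid empty or dot-only names such as "..".
    if ($name === '' || trim($name, '.') === '') {
        $name = 'upload';
    }
    return $name;
}

if (!isset($_FILES['img2']) || $_FILES['img2']['error'] !== UPLOAD_ERR_OK) {
    die('No file uploaded or upload failed');
}

$img2_name = cleanUploadName($_FILES['img2']['name']);
$target    = '../images/' . $img2_name;   // destination dir from the thread

// is_uploaded_file() confirms the source really came from this request's
// upload; move_uploaded_file() then moves it from tmp_name to $target.
if (is_uploaded_file($_FILES['img2']['tmp_name'])
    && move_uploaded_file($_FILES['img2']['tmp_name'], $target)) {
    echo 'Stored as ' . htmlspecialchars($img2_name);
} else {
    echo 'Could not store the upload';
}
```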

Author Comment

by:drakkarnoir
ID: 9692349
Thanks so much for explaining, I was worried because I had read on the PHP.net site that it was insecure and that's why they made it default OFF.

Rock on.