On Monday, April 22, 2002, at 03:47 PM, Andre Dubuc wrote:
> I tried what you suggested, and indeed globals are off. Perhaps my
> problem stems from my use of the $_GET[] with $vars. I guess I don't
> really understand what I'm doing. If you would take a peek at this
> code [I think I've introduced a security hole, and I'm mixing up
> things]:

I think the problem you're having is basically understanding what
register_globals does, and why some people might want to turn it off.

register_globals takes a variable (doesn't matter if it's a server
variable, a cookie variable, a post variable, or a get variable) and
registers it as global throughout the script. This means that if
someone types

  http://www.domain.com/index.php?firstname=andre&lastname=dubuc

into the "Address" bar of her browser, she has just requested the
"index.php" resource from the server at "www.domain.com" using the HTTP
protocol and sent two variables to the server using the GET method:

  $firstname = 'andre'
  $lastname = 'dubuc'

If you have register_globals turned on, then your script can look like
this:

  if ($firstname == 'andre' && $lastname == 'dubuc') {
      // do something
  }

and it still works. However, if you have register_globals turned off,
then the above 'if test' won't work. This is because these variables
are not $firstname and $lastname, they are $_GET['firstname'] and
$_GET['lastname']. To do an 'if test' with register_globals off, you
should do:

  if ($_GET['firstname'] == 'andre' && $_GET['lastname'] == 'dubuc') {
      // do something
  }

There's really not much of a difference. The thing is that instead of
being a global variable, the data that you passed is now an element of
the $_GET array. So you use the standard element notation, using the
associative index of the variable name.
If you do this:

  $firstname = $_GET['firstname'];
  $lastname = $_GET['lastname'];

...you make your code simpler to understand, but be careful that you
don't do something in the same script like

  $lastname = $row['last_name'];

(which could happen if you were trying to simplify your MySQL result
data.)

I'll take a look at what you've got....

> On page 1:
>
> <?php session_start(); ob_start(); ?>
> // ob_start(); so I can have html headers on this page & redirect later
> // some other code
> <form action="page2.php" method="get">
> <?php
> // The following line is where I think I've caused myself grief.
>
> <input type=text size=20 name=bozo>
>
> <input type=submit name=submit value="Agree">
> ?>

Yeah, I'd say you've caused yourself some grief. This isn't even
related to register_globals -- you've got two HTML input tags in the
middle of your PHP block. You need to print() or echo these, not just
type them in directly.

  print("<input type='text' size='20' name='bozo' />");
  print("<input type='submit' name='submit' value='Agree'>");

> $bozo = $_GET['bozo'];
>
> /* Now is this correct? Am I exposing 'bozo' to a security hole? For
> the rest of the script, with each $_GET['var'] from the previous page
> I do the same. Somehow, I don't think I've grasped what to do with
> $vars. From my reading elsewhere, should I, for example, in page 1
> use something like:
> <input type=text size=20 name="<?php echo $_SESSION['bozo'] ?>">

I prefer to do it the way that you have read elsewhere, but it really
doesn't matter. Either way, you have a variable in your script that
points to some user-specified data. What you've done is simplified the
results, similar to what some people do when they pull data out of a
result set with mysql_fetch_array(). The only security hole is if you
have written your script to do something unsafe with the $bozo
variable. HOWEVER...
bear in mind that now that you are referring to this variable in this
fashion, you could end up inadvertently overwriting this variable with
a new variable, by doing something like

  $bozo = $row['bozo'];

-- something that is far less likely to occur when referring to it as
$_GET['bozo']. It really depends on how organized your code is. If I
were you, I would probably get into the habit of calling it
$_GET['bozo'], since that just saves you time and stress in the long
run.

The only security hole would be this:

  $_SESSION['admin'] = 'yes'; // indicates that user is an administrator
  $admin = $_SESSION['admin']; // simplify our variable name
  if ($admin == 'yes') { // if user is an administrator
      // display some sensitive data
  }
  // for some stupid reason we do this
  $admin = $_GET['admin']; // obviously you wouldn't do something like this
  if ($admin == 'yes') {
      // display some sensitive data
  }

Essentially, in the above code, you've given the value of a GET
variable called "admin" the same power as a session variable called
"admin". This is bad practice in general, and I'm sure you wouldn't
make this mistake. Simply making $admin = $_SESSION['admin'] does NOT
mean that someone can type "admin=yes" into the querystring and
automatically become the admin, because register_globals is OFF --
this means that $admin != $_GET['admin'] unless you set it so.

> Once I figure out how I'm supposed to write the variables in the
> scripts, I'll be OK. But I'm so CONFUSED! */
>
> if ($bozo == "") die ("Please enter your 'First Name'. <br><br> Click
> 'Back' in your browser to enter this information.");

This is fine.

> /* This page is actually a confirmation page, I've tried to collect
> the info from page 1 ($bozo) and page 2 ($dodo) and print them to
> screen as in */
>
> $bozo = $_GET['bozo'];
> $dodo = $_GET['dodo'];
>
> print $bozo $dodo;
>
> /* I've also tried $_SESSION['bozo'], $_GET['bozo'], left out the
> '$bozo = $_GET['bozo']' etc, etc, etc.
> -- I don't know what I'm doing here!! Help! ! */
> ?>

What seems to be the problem here?

Erik

----

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
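The register_globals pitfall Erik describes above, as an added example that is not part of the original thread. Since register_globals itself is long gone, the script emulates it with extract(), which drops every request key into scope the way register_globals dropped them into the global scope before the first line of the script ran. The request array (the URL from the mail plus an "admin=yes" the user typed herself), the session array, and the three function names are all constructed for the example; nothing here comes from Andre's pages.

```php
<?php
// Added example, not code from the original thread. Runs from the CLI:
// the request and session below are constructed by hand, so no web
// server or real session is involved.
declare(strict_types=1);

// Constructed request: the URL from the mail, plus an "admin=yes" the
// visitor appended to the query string herself.
$request = ['firstname' => 'andre', 'lastname' => 'dubuc', 'admin' => 'yes'];
// Constructed session: a logged-in user who is NOT an administrator.
$session = ['admin' => 'no'];

/**
 * What a script effectively does under register_globals=On.
 * extract() defines $firstname, $lastname and $admin in this scope,
 * exactly as register_globals defined them globally before the script
 * started, so $admin is already 'yes' before the session is consulted.
 */
function registerGlobalsCheck(array $request, array $session): bool
{
    extract($request, EXTR_OVERWRITE);

    // The author only assigns $admin when the session says so and relies
    // on it being unset for everyone else. Under register_globals it is
    // already set to whatever the query string said.
    if ($session['admin'] === 'yes') {
        $admin = 'yes';
    }
    return isset($admin) && $admin === 'yes';
}

/**
 * The same mistake with register_globals=Off. It can only happen if the
 * script itself copies a request variable into the short name it also
 * uses for the session value, i.e. Erik's "$admin = $_GET['admin']" line.
 */
function reusedVariableCheck(array $request, array $session): bool
{
    $admin = $session['admin'];         // fine so far: 'no'
    // ... later, "for some stupid reason", the same name is reused:
    $admin = $request['admin'] ?? 'no'; // now decided by the query string
    return $admin === 'yes';
}

/**
 * The safe check: authorization comes from the session only, compared
 * strictly, and request data never shares a variable name with it.
 */
function sessionOnlyCheck(array $session): bool
{
    return ($session['admin'] ?? 'no') === 'yes';
}

printf("register_globals emulation : %s\n", registerGlobalsCheck($request, $session) ? 'ADMIN' : 'not admin');
printf("reused variable name       : %s\n", reusedVariableCheck($request, $session) ? 'ADMIN' : 'not admin');
printf("session-only check         : %s\n", sessionOnlyCheck($session) ? 'ADMIN' : 'not admin');
```

Run it with `php register_globals_demo.php` (any name will do). The first two checks grant admin to a non-admin session because a query-string value reached the variable the authorization test reads; the third cannot be influenced from the address bar, which is the point Erik makes about keeping $_GET['...'] and $_SESSION['...'] under their own names.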