On Monday 22 April 2002 05:34 pm, you wrote:
> On Monday, April 22, 2002, at 03:47 PM, Andre Dubuc wrote:
>
> > I tried what you suggested, and indeed globals are off. Perhaps my
> > problem stems from my use of the $_GET[] with $vars. I guess I don't
> > really understand what I'm doing. If you would take a peek at this
> > code [I think I've introduced a security hole, and I'm mixing up
> > things]:
>
> I think the problem you're having is basically understanding what
> register_globals does, and why some people might want to turn it off.
>
> register_globals takes a variable (doesn't matter if it's a server
> variable, a cookie variable, a post variable, or a get variable) and
> registers it as global throughout the script. This means that if
> someone types
>
> http://www.domain.com/index.php?firstname=andre&lastname=dubuc
>
> into the "Address" bar of her browser, she has just requested the
> "index.php" resource from the server at "www.domain.com" using the HTTP
> protocol and sent two variables to the server using the GET method:
>
> $firstname = 'andre'
> $lastname = 'dubuc'
>
> If you have register_globals turned on, then your script can look like
> this:
>
> if ($firstname == 'andre' && $lastname == 'dubuc') {
>     // do something
> }
>
> and it still works. However, if you have register_globals turned off,
> then the above 'if test' won't work. This is because these variables
> are not $firstname and $lastname, they are $_GET['firstname'] and
> $_GET['lastname']. To do an 'if test' with register_globals off, you
> should do:
>
> if ($_GET['firstname'] == 'andre' && $_GET['lastname'] == 'dubuc') {
>     // do something
> }
>
> There's really not much of a difference. The thing is that instead of
> being a global variable, the data that you passed is now an element of
> the $_GET array. So you use the standard element notation, using the
> associative index of the variable name.
>
> If you do this:
>
> $firstname = $_GET['firstname'];
> $lastname = $_GET['lastname'];
>
> ...you make your code simpler to understand, but be careful that you
> don't do something in the same script like
>
> $lastname = $row['last_name'];
>
> (which could happen if you were trying to simplify your MySQL result
> data.)
>
> I'll take a look at what you've got....
>
> > On page 1:
> >
> > <?php session_start(); ob_start(); ?>
> > // ob_start(); so I can have html headers on this page & redirect later
> > // some other code
> > <form action="page2.php" method="get">
> > <?php
> > // The following line is where I think I've caused myself grief.
> >
> > <input type=text size=20 name=bozo>
> >
> > <input type=submit name=submit value="Agree">
> > ?>
>
> Yeah, I'd say you've caused yourself some grief. This isn't even
> related to register_globals -- you've got two HTML input tags in the
> middle of your PHP block. You need to print() or echo these, not just
> type them in directly.
>
> print("<input type='text' size='20' name='bozo' />");
> print("<input type='submit' name='submit' value='Agree'>");
>
> > $bozo = $_GET['bozo'];
> >
> > /* Now is this correct? Am I exposing 'bozo' to a security hole? For
> > the rest of the script, with each $_GET['var'] from the previous page
> > I do the same. Somehow, I don't think I've grasped what to do with
> > $vars. From my reading elsewhere, should I, for example, in page 1 use
> > something like
> >
> > <input type=text size=20 name="<?php echo $_SESSION['bozo'] ?>">
>
> I prefer to do it the way that you have read elsewhere, but it really
> doesn't matter. Either way, you have a variable in your script that
> points to some user-specified data. What you've done is simplified the
> results, similar to what some people do when they pull data out of a
> result set with mysql_fetch_array(). The only security hole is if you
> have written your script to do something unsafe with the $bozo variable.
>
> HOWEVER... bear in mind that now that you are referring to this variable
> in this fashion, you could end up inadvertently overwriting this
> variable with a new variable, by doing something like
>
> $bozo = $row['bozo'];
>
> -- something that is far less likely to occur when referring to it as
> $_GET['bozo'].
>
> It really depends on how organized your code is. If I were you, I would
> probably get into the habit of calling it $_GET['bozo'], since that just
> saves you time and stress in the long run. The only security hole would
> be this:
>
> $_SESSION['admin'] = 'yes'; // indicates that user is an administrator
> $admin = $_SESSION['admin']; // simplify our variable name
>
> if ($admin == 'yes') { // if user is an administrator
>     // display some sensitive data
> }
>
> // for some stupid reason we do this
> $admin = $_GET['admin']; // obviously you wouldn't do something like this
>
> if ($admin == 'yes') {
>     // display some sensitive data
> }
>
> Essentially, in the above code, you've given the value of a GET variable
> called "admin" the same power as a session variable called "admin".
> This is bad practice in general, and I'm sure you wouldn't make this
> mistake.
>
> Simply making $admin = $_SESSION['admin'] does NOT mean that someone can
> type "admin=yes" into the querystring and automatically become the
> admin, because register_globals is OFF -- this means that
>
> $admin != $_GET['admin']
>
> unless you set it so.
>
> > Once I figure out how I'm supposed to write the variables in the
> > scripts, I'll be OK. But I'm so CONFUSED! */
> >
> > if ($bozo == "") die ("Please enter your 'First Name'. <br><br> Click
> > 'Back' in your browser to enter this information.");
>
> This is fine.
>
> > /* This page is actually a confirmation page, I've tried to collect the
> > info from page 1 ($bozo) and page 2 ($dodo) and print them to screen
> > as in */
> >
> > $bozo = $_GET['bozo'];
> > $dodo = $_GET['dodo'];
> >
> > print $bozo $dodo;
> >
> > /* I've also tried $_SESSION['bozo'], $_GET['bozo'], left out the
> > '$bozo = $_GET['bozo']' etc, etc, etc. -- I don't know what I'm doing
> > here!! Help! ! */
> > ?>
>
> What seems to be the problem here?
>
>
> Erik
>
>
> ----
>
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]

Thanks Eric,

That clears up a lot. I sort of thought doing:

$bozo = $_GET['bozo'];

would be OK. It seems it's the ONLY way my script will allow the array to be
put into the database (PostgreSQL). If I type into the INSERT command

.... $bozo, $next_var, $next_next_var        // it works
.... $_GET['bozo'], $_GET['next_var'], etc   // I get T_Variable undefined

**********************************************************
> > /* This page is actually a confirmation page, I've tried to collect the
> > info from page 1 ($bozo) and page 2 ($dodo) and print them to screen
> > as in */
> >
> > $bozo = $_GET['bozo'];
> > $dodo = $_GET['dodo'];
> >
> > print $bozo $dodo;
> >
> > /* I've also tried $_SESSION['bozo'], $_GET['bozo'], left out the
> > '$bozo = $_GET['bozo']' etc, etc, etc. -- I don't know what I'm doing
> > here!! Help! ! */
> > ?>
>
> What seems to be the problem here?
************************************************************

The problem here is that $_SESSION['anything'] or $_GET['anything'] doesn't
work. It refuses to print or pass anything. Why? I can't figure that out.
I've tried a simple test, and yes the globals are off. But using the
$bozo = $_GET['bozo']; approach, at least it writes to the database, but I
cannot access the arrays at all??? And, I HAVE to write these for ALL the
variables, else it doesn't get passed to the db. Sigh.

So where am I messing up? Your help is great, btw.

Thanks,
Andre

-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.
May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
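As an added illustration (not code from either poster), here is how the page2.php receiving 'bozo' could be written with register_globals off: it shows why a quoted $_GET['...'] index fails inside a double-quoted string, keeps the session check separate from request data as Erik's "admin" example warns, and passes the value to PostgreSQL as a bound parameter. The $db connection string, the 'names' table and the 'dodo' session key are assumed placeholders.

```php
<?php
// Added example, not from the thread: page2.php with register_globals OFF,
// so the only copy of the user's input is $_GET['bozo'] until we copy it.
session_start();

// 1. Read the input explicitly; isset() avoids a notice when the field is absent.
$bozo = isset($_GET['bozo']) ? $_GET['bozo'] : '';
if ($bozo === '') {
    die("Please enter your 'First Name'.");
}

// 2. Why $_GET['bozo'] "doesn't work" inside a double-quoted string: a quoted
//    key inside "..." is a parse error. Interpolate the plain variable, use the
//    unquoted-key form, or wrap the whole expression in braces.
$a = "Hello, $bozo";              // simple variable: fine
$b = "Hello, $_GET[bozo]";        // array element, unquoted key: fine
$c = "Hello, {$_GET['bozo']}";    // complex (brace) syntax: fine
// $d = "Hello, $_GET['bozo']";   // parse error: quoted key not allowed here

// 3. Keep the confirmed value in the session so later pages use the
//    server-side copy instead of re-reading it from the query string.
$_SESSION['bozo'] = $bozo;

// 4. The aliasing hazard from the thread: a variable that gates a privilege
//    must never be reassigned from user input. Check the session value directly.
$is_admin = isset($_SESSION['admin']) && $_SESSION['admin'] === 'yes';
if ($is_admin) {
    // display some sensitive data
}
// Do NOT do this: $admin = $_GET['admin']; if ($admin == 'yes') { ... }

// 5. Writing to PostgreSQL (assumed connection string and table). pg_query_params()
//    (PHP 5.1+) binds $bozo as data, so quotes in the input cannot change the
//    INSERT; on PHP 4, pg_escape_string() is the minimum. Building the SQL with
//    the raw $bozo is the "something unsafe" Erik refers to.
$db = pg_connect('dbname=example');   // assumed
$ok = pg_query_params($db, 'INSERT INTO names (first_name) VALUES ($1)', array($bozo));
if (!$ok) {
    die('Insert failed: ' . pg_last_error($db));
}

// 6. Printing two values: use echo with commas or concatenation, and escape
//    user-supplied text before it goes back into HTML.
$dodo = isset($_SESSION['dodo']) ? $_SESSION['dodo'] : '';   // assumed key
echo htmlspecialchars($bozo), ' ', htmlspecialchars($dodo);
```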