RE: Re: [PHP-DB] Re: sessions

2004-12-13 Thread Norland, Martin
> -----Original Message-----
> From: John Holmes [mailto:[EMAIL PROTECTED]
> You are wrong. :)
> 
> Having register_globals OFF helps to prevent poorly written programs
> from being vulnerable to
> users setting variables in the URL/header/cookie data. You can still
> write horribly insecure
> programs with register_globals OFF. You can easily write very secure
> programs that function
> with register_globals ON or OFF, too.

http://us2.php.net/manual/en/security.globals.php

Exactly.  It's merely there so that beginning developers don't blindly
stumble forward making bad decisions - give them a sense that there's
this thing called input checking and initialization.  That said, it's a
shame that there are still commercial programs that rely on it - solely
because it defaults to off since 4.2 and many people may not have the
access to change it*.  One would want to avoid as much technical support
as necessary, in such instances :)

Personally I prefer explicitly pulling data into my scripts, so I like
it being OFF regardless of defaults, but others may have other opinions.

* I know it can be changed in .htaccess, I just don't know what options
the server needs to be running under for this - AllowOverride ALL
certainly - but I would hope something more lax would allow it.  Still,
it seems being able to change that would give the user the ability to
change the max_memory/max_execution_time of php scripts - which I can't
imagine any reselling host wanting a shell/etc. account doing.

Cheers,
- Martin Norland, Database / Web Developer, International Outreach x3257
The opinion(s) contained within this email do not necessarily represent
those of St. Jude Children's Research Hospital.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: Re: [PHP-DB] Re: sessions

2004-12-11 Thread John Holmes
> From: Joseph Crawford <[EMAIL PROTECTED]>
> 
> correct me if i am wrong but i have been told it is bad and insecure
> to use register_global=on

You are wrong. :)

Having register_globals OFF helps to prevent poorly written programs from being 
vulnerable to users setting variables in the URL/header/cookie data. You can 
still write horribly insecure programs with register_globals OFF. You can 
easily write very secure programs that function with register_globals ON or 
OFF, too. 

---John Holmes...

UCCASS - PHP Survey System
http://www.bigredspark.com/survey.html

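The point both John and Martin make, as an added example that is not code from the thread: register_globals only bites code that uses a variable before initialising it, and explicitly pulling input from the request arrays is safe under either setting. The request data, checkCredentials() and the extract() call that stands in for register_globals=On are all constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. It shows why register_globals
// only matters for code that uses a variable before initialising it, and
// the explicit style that is safe under either setting.

// Constructed request: a visitor who is not logged in but adds ?authorized=1
$_GET = ['user' => 'guest', 'authorized' => '1'];

function checkCredentials(string $user): bool
{
    return $user === 'admin';      // stand-in for a real database lookup
}

// ---- Fragile: relies on $authorized being unset until the check runs ----
// register_globals=On behaves roughly like this extract() at script start,
// so $authorized === '1' before the credential check ever executes.
extract($_GET, EXTR_OVERWRITE);   // simulates register_globals=On
if (checkCredentials($user)) {
    $authorized = true;
}
$fragileResult = !empty($authorized);     // true: the guest got in

// ---- Explicit: safe with register_globals On or Off ----
unset($authorized, $user);                // undo the simulation
$authorized = false;                      // initialise before use
$user = (string)($_GET['user'] ?? '');    // pull input from one known source
if (checkCredentials($user)) {
    $authorized = true;
}
$explicitResult = $authorized;            // false: the guest stays out

printf("fragile: %s  explicit: %s\n",
    var_export($fragileResult, true), var_export($explicitResult, true));
```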



Re: [PHP-DB] Re: sessions

2004-12-11 Thread Joseph Crawford
Correct me if I am wrong, but I have been told it is bad and insecure
to use register_global=on.

I have seen many commercial scripts that rely on this and it just makes me laugh.


On Sat, 11 Dec 2004 16:48:05 +0800, Shen Kong <[EMAIL PROTECTED]> wrote:
> Hi, if your register_global = on you can do it like you do; if
> register_global = off, use it like this:
> 
> session_start();
> session_register("session_username"); // or $_SESSION["session_username"] = null;
> session_register("session_level"); // or $_SESSION["session_level"] = null;
> 
> $_SESSION['session_username'] = "$username";
> $_SESSION['session_level'] = "$account_level";
> 
> echo $_SESSION['session_username'];
> 
> Warren Mason wrote:
> 
> 
> > I am attempting to get information from a mysql database and then use
> > this in a session. Is there a trick to using sessions? For example, can
> > something like below be placed anywhere in a script? (I have the
> > session_start(); at the very top of my page.)
> >
> >
> >
> >   session_register( "session_username" );
> >   session_register( "session_level" );
> >
> >  $session_username = "$username";
> >  $session_level = "$account_level";
> >
> >
> > The resulting session is
> >
> > session_username|N;session_level|i:0;
> >
> > $username is set to warren and $account_level is set to 255.
> >
> > Any help would be greatly appreciated as I have gone through about 5
> > books and searched the net and can't find an answer as to why this isn't
> > working.
> >
> >
> > -
> > This message is intended for the addressee named and may contain
> > confidential information. If you are not the intended recipient, please
> > delete it and notify the sender. Views expressed in this message are
> > those of the individual sender and are not necessarily the views of the
> > Mid Western Area Health Service.
> > -
> 
> -- 
> -- ShenKong (shenkong(at)php.net)
> -- http://www.openphp.cn
> 
> 
> 
> 
> 


-- 
Joseph Crawford Jr.
Codebowl Solutions
[EMAIL PROTECTED]

For a GMail account
contact me OFF-LIST




Re: [PHP-DB] Re: Sessions and MySQL?

2003-10-16 Thread Viorel Dragomir
I'm not sure that this code will work.
Try to use $_SESSION['..'] and (..). (Don't use the {, } for these purposes.)


vio-
- Original Message - 
From: "pete M" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 16, 2003 4:02 PM
Subject: [PHP-DB] Re: Sessions and MySQL?


> might seem a bit long winded but this is how I would code it
>
> $sql = "INSERT INTO $table ( salutation, name, city} VALUES {"
> $sql .= "'".$_SESSION{'salutation']."', "
> $sql .= "'".$_SESSION{'name']."', "
> $sql .= "'".$_SESSION{'city']."' ) "
>
> mysql_query($sql);
>
> regards
> pete
>
> > mysql_query("INSERT INTO $table (
> > salutation,
> > name,
> > city
> > } VALUES {
> > \"$_SESSION['salutation'];\",
> > \"$_SESSION['name'];\",
> > \"$_SESSION['city'];\"
> > }
> >
>
>
> Tristan Pretty wrote:
>
> > Not sure if this is a MySQL Q. or a PHP one, but here goes...
> >
> > I'm just learning sessions...
> > And I'm trying to add a session variable to a MySQL database.
> > I've done this page that takes the results from a previous form...
> > But I get this error:
> > Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or
> > `T_NUM_STRING'
> > On line 83
> > Which is the line that relates to the line:
> > \"$_SESSION['salutation'];\",
> >
> > I've tried removing the ';' but it change nothing...?
> > Can anyone see my error?
> >
> > =
> > <?php
> > session_start();
> > header("Cache-control: private");
> >
> >$_SESSION['salutation'] = $_POST['salutation'];
> >
> > //MySQL connection stuff
> > mysql_query("INSERT INTO $table (
> > salutation,
> > name,
> > city
> > } VALUES {
> > \"$_SESSION['salutation'];\",
> > \"$_SESSION['name'];\",
> > \"$_SESSION['city'];\"
> > }
> >
> > ?>
> > //Rest of page... thanks etc...
> > =
> >
> > *
> > The information contained in this e-mail message is intended only for
> > the personal and confidential use of the recipient(s) named above.
> > If the reader of this message is not the intended recipient or an agent
> > responsible for delivering it to the intended recipient, you are hereby
> > notified that you have received this document in error and that any
> > review, dissemination, distribution, or copying of this message is
> > strictly prohibited. If you have received this communication in error,
> > please notify us immediately by e-mail, and delete the original message.
> > ***
> >
> >
>
>

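Tristan's parse error and the way both snippets build the INSERT, as an added example that is not code from the thread: "$_SESSION['salutation']" inside a double-quoted string does not parse (the working form is {$_SESSION['salutation']}), and because those session values came straight from $_POST, a quote in the data breaks or alters the statement. A prepared statement handles both. The example uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs without a MySQL server; the table, insertContact() and the session data are constructed.

```php
<?php
// Added example, not code from the thread. A prepared statement sends the
// session values separately from the SQL text, so quotes in the data can
// neither cause a parse error nor change the statement. PDO with SQLite
// in memory is used so it runs stand-alone; swap the DSN for MySQL.
// For reference, the interpolation that does parse: "{$_SESSION['salutation']}"

function insertContact(PDO $db, string $table, array $session): int
{
    // Identifiers cannot be bound as parameters, so allow only known tables.
    $allowed = ['contacts', 'contacts_test'];
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $stmt = $db->prepare(
        "INSERT INTO $table (salutation, name, city) VALUES (?, ?, ?)"
    );
    $stmt->execute([
        $session['salutation'] ?? '',
        $session['name'] ?? '',
        $session['city'] ?? '',
    ]);
    return (int)$db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY,
           salutation TEXT, name TEXT, city TEXT)');

// Constructed session data, as it would look after
// $_SESSION['salutation'] = $_POST['salutation']; and so on.
// Both values contain a single quote, which a string-built INSERT would trip on.
$session = ['salutation' => 'Mr', 'name' => "O'Brien", 'city' => "St. John's"];

$id   = insertContact($db, 'contacts', $session);
$read = $db->prepare('SELECT salutation, name, city FROM contacts WHERE id = ?');
$read->execute([$id]);
var_dump($read->fetch(PDO::FETCH_ASSOC));   // the quotes are stored verbatim
```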



RE: [PHP-DB] Re: sessions

2001-02-23 Thread Hoover, Josh

Configure PHP with this line included: --enable-trans-sid. This will
automatically put the session ID after every URL if the user does not have
cookies enabled.

Josh Hoover
KnowledgeStorm, Inc.

Searching for a new IT solution for your company? Need to improve your
product marketing? 
Visit KnowledgeStorm at www.knowledgestorm.com to learn how we can simplify
the process for you.
KnowledgeStorm - Your IT Search Starts Here


> This could be because cookies have been disabled. Can I find a way such
> that my code works even if cookies have been disabled?
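The flip side of --enable-trans-sid, as an added example that is not code from the thread: a session ID carried in every URL ends up in bookmarks, Referer headers and web server logs, so where cookies are acceptable the usual setting is cookie-only sessions with a fresh ID at login. The ini options and functions are PHP's own; the array form of session_set_cookie_params() assumes PHP 7.3 or later, and startHardenedSession(), loginUser() and the warren/255 values are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Cookie-only sessions, no URL
// rewriting, and a regenerated ID once the user is authenticated.
// Assumes PHP 7.3+ for the array form of session_set_cookie_params().

function startHardenedSession(bool $https): void
{
    ini_set('session.use_only_cookies', '1');  // ignore ?PHPSESSID=... in URLs
    ini_set('session.use_trans_sid', '0');     // never rewrite links/forms with the ID
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => $https,     // only sent over HTTPS when the site has it
        'httponly' => true,       // not readable from client-side script
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(string $username, int $accountLevel): void
{
    // Issue a new ID after authentication so an ID obtained before login
    // (from a URL, a log, a shared machine) is no longer valid.
    session_regenerate_id(true);
    $_SESSION['session_username'] = $username;
    $_SESSION['session_level']    = $accountLevel;
}

startHardenedSession(!empty($_SERVER['HTTPS']));
loginUser('warren', 255);    // values from the thread's example, constructed here
echo $_SESSION['session_username'], ' ', $_SESSION['session_level'], "\n";
```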