RE: Re: [PHP-DB] Re: sessions
> -Original Message-
> From: John Holmes [mailto:[EMAIL PROTECTED]
> You are wrong. :)
>
> Having register_globals OFF helps to prevent poorly written programs from being vulnerable to
> users setting variables in the URL/header/cookie data. You can still write horribly insecure
> programs with register_globals OFF. You can easily write very secure programs that function
> with register_globals ON or OFF, too.

http://us2.php.net/manual/en/security.globals.php

Exactly. It's merely there so that beginning developers don't blindly stumble forward making bad decisions - give them a sense that there's this thing called input checking and initialization.

That said, it's a shame that there are still commercial programs that rely on it - solely because it defaults to off since 4.2 and many people may not have the access to change it*. One would want to avoid as much technical support as necessary, in such instances :)

Personally I prefer explicitly pulling data into my scripts, so I like it being OFF regardless of defaults, but others may have other opinions.

* I know it can be changed in .htaccess, I just don't know what options the server needs to be running under for this - AllowOverride ALL certainly - but I would hope something more lax would allow it. Still, it seems being able to change that would give the user the ability to change the max_memory/max_execution_time of php scripts - which I can't imagine any reselling host wanting a shell/etc. account doing.

Cheers,
- Martin Norland, Database / Web Developer, International Outreach x3257
The opinion(s) contained within this email do not necessarily represent those of St. Jude Children's Research Hospital.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
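The point made in the messages above about initialization and explicitly pulling in input, as an added example that is not part of any message in the thread. `extract()` stands in for register_globals (the directive was removed in PHP 5.4), the variable names `$username` and `$account_level` are borrowed from the session question further down, and `lookup_level()`, both `level_*` functions and the request array are hypothetical.

```php
<?php
// Constructed request data standing in for $_GET; not taken from the thread.
$request = ['username' => 'guest', 'account_level' => '255'];

// Hypothetical lookup standing in for the MySQL query: only 'warren' has a row.
function lookup_level(string $username): ?int
{
    $rows = ['warren' => 255];
    return $rows[$username] ?? null;
}

// Written the way register_globals = On allowed. extract() emulates the
// directive here: every request key becomes a variable in scope.
function level_relying_on_globals(array $request): int
{
    extract($request);
    $found = lookup_level($username);
    if ($found !== null) {
        $account_level = $found;   // only assigned when the lookup succeeds
    }
    return (int) $account_level;   // otherwise still holds the request value
}

// Behaves the same with the directive ON or OFF: initialise first, then
// pull each input explicitly and check its type.
function level_explicit(array $request): int
{
    $account_level = 0;            // known default before any branch
    $username = isset($request['username']) && is_string($request['username'])
        ? $request['username']
        : '';
    $found = lookup_level($username);
    if ($found !== null) {
        $account_level = $found;
    }
    return $account_level;
}

printf("relying on globals: %d\n", level_relying_on_globals($request));
printf("explicit input:     %d\n", level_explicit($request));
```

The two functions differ only in where `$account_level` gets its first value, which is the distinction the quoted reply draws between the setting itself and how the program is written.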
Re: Re: [PHP-DB] Re: sessions
> From: Joseph Crawford <[EMAIL PROTECTED]>
>
> correct me if i am wrong but i have been told it is bad and insecure
> to use register_global=on

You are wrong. :)

Having register_globals OFF helps to prevent poorly written programs from being vulnerable to users setting variables in the URL/header/cookie data. You can still write horribly insecure programs with register_globals OFF. You can easily write very secure programs that function with register_globals ON or OFF, too.

---John Holmes...

UCCASS - PHP Survey System
http://www.bigredspark.com/survey.html
Re: [PHP-DB] Re: sessions
correct me if i am wrong but i have been told it is bad and insecure to use register_global=on

i have seen many commercial scripts that rely on this and it just makes me laugh

On Sat, 11 Dec 2004 16:48:05 +0800, Shen Kong <[EMAIL PROTECTED]> wrote:
> Hi, if your register_global = on you can do it like you do, if
> register_global = off, use it like this:
>
> session_start();
> session_register("session_username"); // or $_SESSION["session_username"] = null;
> session_register("session_level"); // or $_SESSION["session_level"] = null;
>
> $_SESSION['session_username'] = "$username";
> $_SESSION['session_level'] = "$account_level";
>
> echo $_SESSION['session_username'];
>
> Warren Mason wrote:
> >
> > I am attempting to get information from a mysql database and then use
> > this in a session. Is there a trick to using sessions? For example, can
> > something like below be placed anywhere in a script? (I have the
> > session_start(); at the very top of my page.)
> >
> > session_register( "session_username" );
> > session_register( "session_level" );
> >
> > $session_username = "$username";
> > $session_level = "$account_level";
> >
> > The resulting session is
> >
> > session_username|N;session_level|i:0;
> >
> > $username is set to warren and $account_level is set to 255.
> >
> > Any help would be greatly appreciated as I have gone through about 5
> > books and searched the net and can't find an answer as to why this isn't
> > working.
>
> --
> -- ShenKong (shenkong(at)php.net)
> -- http://www.openphp.cn

--
Joseph Crawford Jr.
Codebowl Solutions
[EMAIL PROTECTED]
For a GMail account contact me OFF-LIST
Re: [PHP-DB] Re: Sessions and MySQL?
I'm not sure that this code will work. Try to use $_SESSION['..'] and (..). Don't use the {, } for this purpose.

vio-

- Original Message -
From: "pete M" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 16, 2003 4:02 PM
Subject: [PHP-DB] Re: Sessions and MySQL?

> might seem a bit long winded but this is how I would code it
>
> $sql = "INSERT INTO $table ( salutation, name, city} VALUES {"
> $sql .= "'".$_SESSION{'salutation']."', "
> $sql .= "'".$_SESSION{'name']."', "
> $sql .= "'".$_SESSION{'city']."' ) "
>
> mysql_query($sql);
>
> regards
> pete
>
> >mysql_query("INSERT INTO $table (
> > salutation,
> > name,
> > city
> > } VALUES {
> > \"$_SESSION['salutation'];\",
> > \"$_SESSION['name'];\",
> > \"$_SESSION['city'];\"
> > }
>
> Tristan Pretty wrote:
>
> > Not sure if this is a MySQL Q. or a PHP one, but here goes...
> >
> > I'm just learning sessions...
> > And I'm trying to add a session variable to a MySQL database.
> > I've done this page that takes the results from a previous form...
> > But I get this error:
> > Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or
> > `T_NUM_STRING'
> > On line 83
> > Which is the line that relates to the line:
> > \"$_SESSION['salutation'];\",
> >
> > I've tried removing the ';' but it changes nothing...?
> > Can anyone see my error?
> >
> > =
> >
> > session_start();
> > header("Cache-control: private");
> >
> >$_SESSION['salutation'] = $_POST['salutation'];
> >
> > //MySQL connection stuff
> > mysql_query("INSERT INTO $table (
> > salutation,
> > name,
> > city
> > } VALUES {
> > \"$_SESSION['salutation'];\",
> > \"$_SESSION['name'];\",
> > \"$_SESSION['city'];\"
> > }
> >
> > ?>
> > //Rest of page... thanks etc...
> > =
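The insert discussed in this thread, as an added example that is not code from any of the posters: the three session values are bound through a prepared statement, so nothing copied from `$_POST` into the session ever becomes part of the SQL text. PDO with an in-memory SQLite database is swapped in for the thread's MySQL and `mysql_query()` so the block runs stand-alone (it assumes the pdo_sqlite extension); the `contacts` table, the `insert_contact()` helper and the sample values are hypothetical.

```php
<?php
// Constructed stand-ins: an in-memory SQLite database and a session array.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (salutation TEXT, name TEXT, city TEXT)');

$session = [                       // plays the role of $_SESSION
    'salutation' => 'Mr',
    'name'       => "O'Brien",     // a quote that would break a concatenated query
    'city'       => 'Cork',
];

// Table names cannot be bound as parameters, so $table is checked against
// a fixed allow-list (hypothetical names) before it is interpolated.
function insert_contact(PDO $pdo, string $table, array $session): int
{
    $allowed = ['contacts'];
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException("unexpected table: $table");
    }
    $stmt = $pdo->prepare(
        "INSERT INTO $table (salutation, name, city)
         VALUES (:salutation, :name, :city)"
    );
    // Values travel as bound data, never spliced into the SQL string.
    $stmt->execute([
        ':salutation' => (string) ($session['salutation'] ?? ''),
        ':name'       => (string) ($session['name'] ?? ''),
        ':city'       => (string) ($session['city'] ?? ''),
    ]);
    return $stmt->rowCount();
}

$rows   = insert_contact($pdo, 'contacts', $session);
$stored = $pdo->query('SELECT name FROM contacts')->fetchColumn();
printf("inserted %d row, stored name: %s\n", $rows, $stored);
```

Because the placeholders replace the quoted `$_SESSION[...]` strings, the quoting and brace problems that produced the parse error in the original query do not arise in this form.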
RE: [PHP-DB] Re: sessions
Configure PHP with this line included

--enable-trans-sid

This will automatically put the session ID after every URL if the user does not have cookies enabled.

Josh Hoover
KnowledgeStorm, Inc.

> This could be because cookies have been disabled. Can I
> find a way such
> that my code works even if cookies have been disabled ??