News:

The "Support Requests" forum is now viewable by guests.

Main Menu

Turn Off Registered Globals???

Started by sixthcrusifix, December 11, 2005, 11:17:15 AM

Previous topic - Next topic

sixthcrusifix

I know you're supposed to turn of registerd globals and use $_GET[blahblah] , but is there anything else that happens when I use registerd globals?

Can I still use $PHP_SELF if I turn off registered globals? I've had them on forever and I was gonna turn them off but I just wanted to know how much editing Ide have to do to all my pages.

if I turn off Registered Globals will this work? :



<?php
$BADuser 
$_GET[baduser];
if(isset(
$BADuser)){
echo(
"
<script type='text/javascript'>
if(confirm(\"Are you SURE you want to delete user Data for 
$BADuser?\")){}
else{window.location.href='http://crystalchasm.net/MAIN/ADMIN/ACP_usercontrol.php/';} 
</script>
"
);
echo(
"YOU KILLED $BADuser! -They have been deleted");
}
else{echo(
"Hey howd you get here!?");}


?>



assuming the form that links to it has an input field named "baduser".

ALSO: About the above code, it works . . . . . it does just what it should do . . . . BUT I GET AN ERROR!?

Notice: Use of undefined constant baduser - assumed 'baduser' in /fpgs/fpgshttpd/sixthcrusifix/MAIN/ADMIN/ACP_usercontrol2.php on line 2



Here's the form that goes to it:



<link rel="stylesheet" type="text/css" href="http://crystalchasm.net/default.css" >
<table bordercolor='009800' bgcolor='000000' align='center' >
<tr><td>


<table bordercolor='98ff98'> <tr><td>
<span class='ltgreen'>
Bob </span></td><td>
<a href='/MAIN/ADMIN/ACP_usercontrol2.php?baduser=bob'>Delete User</a>
</td></tr><tr><td>
<span class='ltgreen'> Sally </span></td><td>
<a href='/MAIN/ADMIN/ACP_usercontrol2.php?baduser=sally'>Delete User</a>

</td></tr><tr><td>
<span class='ltgreen'> Jessy </span></td><td>
<a href='/MAIN/ADMIN/ACP_usercontrol2.php?baduser=Jessy'>Delete User</a>
</td></tr><tr><td>
<span class='ltgreen'> Raphielle </span> </td><td>
<a href='/MAIN/ADMIN/ACP_usercontrol2.php?baduser=Raphielle'>Delete User</a>
</span>
</td></tr>

</table>

</tr></td>
</table>

Visite me website at http://www.sixthcrusifix.com

webzone (archived)

QuoteCan I still use $PHP_SELF if I turn off registered globals?

You would use $_SERVER['PHP_SELF'] instead.

Quote$BADuser = $_GET[baduser];

Remember that $_GET is an array, so you should use quotes between the brackets.

This would work : $BADuser = $_GET['baduser'];

If you want to access the baduser variable regardless of the way it was transmitted (either using GET or POST), you could use the $_REQUEST array instead.

sixthcrusifix

Quote from: webzone on December 11, 2005, 04:49:54 PM
QuoteCan I still use $PHP_SELF if I turn off registered globals?

You would use $_SERVER['PHP_SELF'] instead.

Quote$BADuser = $_GET[baduser];

Remember that $_GET is an array, so you should use quotes between the brackets.

This would work : $BADuser = $_GET['baduser'];

If you want to access the baduser variable regardless of the way it was transmitted (either using GET or POST), you could use the $_REQUEST array instead.

oh yes I found it out. Thanks.

Th eonly problem is that if I turn off registerd globals I don't just have to change my PHP_SELF things . .. I thave to change all the other variables that my forms send.... so I'm screwed.

I've started using GET and SERVER now, and I've replaces all $PHP_SELF with $_SERVER['PHP_SELF'], but I'll have to work on all the other ones little by little as I find time. I used teh search function in dreamweaver to see how many <input> tags I had in my whole site . .. . there were 1334!

Visite me website at http://www.sixthcrusifix.com

webzone (archived)

Be careful : If you have a form on you site with "method=post", the data provided will be in the $_POST array and not in $_GET. As I said above, you may prefer to use $_REQUEST, as it contains everything in _GET and in _POST.

sixthcrusifix

Quote from: webzone on December 11, 2005, 06:19:07 PM
Be careful : If you have a form on you site with "method=post", the data provided will be in the $_POST array and not in $_GET. As I said above, you may prefer to use $_REQUEST, as it contains everything in _GET and in _POST.

yeah a guy at SSD said I use GET for a value in a URL (blah.php?var=poop) and POST for forms with POST, but he said that using REQUEST is just as bad as having register globals on and not to do it.
Visite me website at http://www.sixthcrusifix.com

webzone (archived)

Quotehe said that using REQUEST is just as bad as having register globals on and not to do it.

register_globals is bad because it allows your visitors to set the values of variables in your script without your permission. If that setting is on and you forget to make sure that a variable is clean before using it, it can become a mess pretty easily. For instance, if you have a variable named "logged_in" that is set to 1 is the user is logged in, but you forget to set it to 0 when the visitor is a guest, it would be easy to make your script believe that the guest is logged in (which is false).

_REQUEST doesn't have this security issue. It is only a combination of the _GET, _POST and _COOKIE arrays. You can use it when you don't know whether some info will be passed using the query string or if it will be submitted using a form (a search script is a great example).

Of course, it is better to use the individual arrays if you know that the info can only be provided using one way.