after moving to new server, variables in query string notinstantiated ?

smells like register_global s are off and yes they are.
add $username = $_GET['username'];

On Aug 5, 5:09*pm, The Hajj <hajji.hims...@ gmail.comwrote:

smells like register_global s are off and yes they are.

add $username = $_GET['username'];

forgot to add, if you're doing stuff like that filter input(good idear
to filter input anyways)

Bennett Haselton wrote:

I'm moving a bunch of PHP scripts from a server where they ran on
PHP4, to a new server with PHP5.

On the old server, variables in the query string would be
automatically instantiated in the code, so for example with this PHP
code:
<?php
print "Username: $username";
?>

accessing this URL would print the username "bennett":
http://69.20.9.236/php/test2.php?username=bennett

However, on the new server, it does not:
http://12.47.46.159/php/test2.php?username=bennett

Is this something that changed between PHP 4 and 5? I couldn't find
anything about this listed in the "What's new in PHP 5" at
http://devzone.zend.com/node/view/id/1714

The output of phpinfo() on the two servers is:
http://69.20.9.236/php/showall.php
http://12.47.46.159/php/showall.php

Is there some simple change that I can make, that will enable all of
the old PHP scripts to work on the new server? I'm really hoping the
latest version of PHP didn't force everyone to rewrite scripts that
used the old behavior.

-Bennett

Your PHP 4 operation was caused by register_global s being on in the
php.ini file. You can turn it on in PHP5 - but you need to start
converting your scripts now.

This can be a big security risk, and the option will be removed
completely in PHP 6.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

Looks like you might have had register globals on on the old server,
did you code in
$username = $_GET['username'];
or similar before your example line- If not, then you had Register
Globals On, which is a bad thing. R.G. may be convenient but it also
opens you up to a bunch of security issues.

My suggestion is to at least put in the $_GET[] lines in the beginning
to read in the data. ( $username = $_GET['username']; ) Or better
write some sanitizing functions in your common function library like:
// Process a $_GET Value
function readGet($item) {
$value = '';
if( isset($_GET[$item])) {
$value = $_GET[$item];
$value = cleanValue($val ue);
return $value;
}
}

// Sanitize foreign data - only allow what is needed (use this where
needed, reading GETs, POSTs, COOKIEs or foreign DB/file data.)

function cleanValue($str ing) {
$string = preg_replace( '/[^a-zA-Z0-9$,.:+?%\(\)\/\'@"\-_\s]/',
'', $string );
return $string;
}

Then in your code you would use

$username = readGet('userna me');

Which is way more secure (at least if it were displayed; though if it
references a file name or is part of a DB query or content then you
may want to read more on PHP security.)

This is a great start:
http://www.sitepoint.com/article/php-security-blunders

Good Luck

never heard of readGet(), google looks at me like I'm stupid

The Hajj wrote:

never heard of readGet(), google looks at me like I'm stupid

It's a function Larry gave you in his code. It's OK to use that if
that's the filtering you need (not everything should be filtered the
same way - i.e. numerics should be handled as numerics).

But at the very least you should test to ensure the array element is
set, i.e.

$username = isset($_GET['username']) ? $_GET['username'] : '';

The '' at the end can be replaced by null or any other default value you
want.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

On Aug 5, 6:46*pm, Jerry Stuckle <jstuck...@attg lobal.netwrote:

The Hajj wrote:

never heard of readGet(), google looks at me like I'm stupid

It's a function Larry gave you in his code. *It's OK to use that if
that's the filtering you need (not everything should be filtered the
same way - i.e. numerics should be handled as numerics).

DOH!! Google was right! Dern Javascript is converting me to the dark
side. And good gawd I've got to finish reading Mastering regular
expressions. I think it would have been easier to tell him to use
$username = strip_tags($_GE T['username']);

The Hajj wrote:

On Aug 5, 6:46 pm, Jerry Stuckle <jstuck...@attg lobal.netwrote:

>The Hajj wrote:

>>never heard of readGet(), google looks at me like I'm stupid

It's a function Larry gave you in his code. It's OK to use that if
that's the filtering you need (not everything should be filtered the
same way - i.e. numerics should be handled as numerics).

DOH!! Google was right! Dern Javascript is converting me to the dark
side. And good gawd I've got to finish reading Mastering regular
expressions. I think it would have been easier to tell him to use
$username = strip_tags($_GE T['username']);

Which will give you an E_NOTICE if there is no 'username' element of the
$_GET array (hence the isset() call).

And while this will limit PHP insertion, it may not be what you want.
Better would be to use a regex or similar to check for invalid
characters in the username.

Also, you really DON'T want to change the data coming in - just accept
it or reject it. Otherwise the use may think he's using one username
when he's really gotten another.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

Ah yes the regular expression(as simple as it is!) makes sense now,
notices no < {} [] & etc I've forgotten all about
E_NOTICE(Javasc ript'n lately!). I've been getting use to change data
as I deal with alot of forms and processing user junk so that didn't
even come to mind.