I need to do some modifications on some code I just inherited and that
code has me baffled.
On one page, caller.php, with method get there is an anchor with
href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
far, so good.
In foo.php there is no $_GET statement to decipher the value from bar.
Furthermore, I did a grep of the entire code base for $_GET and for
$_REQUEST and there was none. The code then proceeds to test on $bar
and use its value to build an sql statement. (There are other
parameters that could have been put into the URL such as bar1, bar2,
etc. and these are all tested in building the proper sql statement).
This app uses globals. I did a grep of the entire codebase for global
and didn't find bar, bar1, etc.
The question I have is "how could the invoked page get the value of the
url parameters without having used a $_GET or a $_REQUEST?".
On 28 Aug, 12:33, sheldonlg wrote:
> I need to do some modifications on some code I just inherited and that
> code has me baffled.
> On one page, caller.php, with method get there is an anchor with
> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
> far, so good.
> In foo.php there is no $_GET statement to decipher the value from bar.
> Furthermore, I did a grep of the entire code base for $_GET and for
> $_REQUEST and there was none. The code then proceeds to test on $bar
> and use its value to build an sql statement. (There are other
> parameters that could have been put into the URL such as bar1, bar2,
> etc. and these are all tested in building the proper sql statement).
> This app uses globals. I did a grep of the entire codebase for global
> and didn't find bar, bar1, etc.
> The question I have is "how could the invoked page get the value of the
> url parameters without having used a $_GET or a $_REQUEST?".
register_globals
I'm surprised you haven't noticed the many discussions of this.
Captain Paralytic wrote:
> On 28 Aug, 12:33, sheldonlg wrote:
>> I need to do some modifications on some code I just inherited and that code has me baffled.
>> On one page, caller.php, with method get there is an anchor with href="foo.php?bar=123". On foo.php, the URL shows the parameter. So far, so good.
>> In foo.php there is no $_GET statement to decipher the value from bar. Furthermore, I did a grep of the entire code base for $_GET and for $_REQUEST and there was none. The code then proceeds to test on $bar and use its value to build an sql statement. (There are other parameters that could have been put into the URL such as bar1, bar2, etc. and these are all tested in building the proper sql statement).
>> This app uses globals. I did a grep of the entire codebase for global and didn't find bar, bar1, etc.
>> The question I have is "how could the invoked page get the value of the url parameters without having used a $_GET or a $_REQUEST?".
> register_globals
> I'm surprised you haven't noticed the many discussions of this.
Well, I never use globals. I only use $_SESSION. Also, I always
decipher my variables via $_GET or $_POST, so I never paid much
attention to register_globals. Everyone always said it was a bad thing
to do, and the manual even says that it is dangerous and subject to
injection.
Are you saying by your one word answer that if the url has ?bar=123 that
register_globals will produce a variable named $bar having a value of
'123', but that a test on variable $bar1 will be 'false'? I didn't see
that in the manual (admittedly, I may not have found it).
sheldonlg wrote:
> Captain Paralytic wrote:
>> On 28 Aug, 12:33, sheldonlg wrote:
>>> I need to do some modifications on some code I just inherited and that code has me baffled.
>>> On one page, caller.php, with method get there is an anchor with href="foo.php?bar=123". On foo.php, the URL shows the parameter. So far, so good.
>>> In foo.php there is no $_GET statement to decipher the value from bar. Furthermore, I did a grep of the entire code base for $_GET and for $_REQUEST and there was none. The code then proceeds to test on $bar and use its value to build an sql statement. (There are other parameters that could have been put into the URL such as bar1, bar2, etc. and these are all tested in building the proper sql statement).
>>> This app uses globals. I did a grep of the entire codebase for global and didn't find bar, bar1, etc.
>>> The question I have is "how could the invoked page get the value of the url parameters without having used a $_GET or a $_REQUEST?".
>> register_globals
>> I'm surprised you haven't noticed the many discussions of this.
> Well, I never use globals. I only use $_SESSION. Also, I always
> decipher my variables via $_GET or $_POST, so I never paid much
> attention to register_globals. Everyone always said it was a bad thing
> to do, and the manual even says that it is dangerous and subject to
> injection.
> Are you saying by your one word answer that if the url has ?bar=123 that
> register_globals will produce a variable named $bar having a value of
> '123', but that a test on variable $bar1 will be 'false'? I didn't see
> that in the manual (admittedly, I may not have found it).
No, a test in $bar will provide exactly the same result as if you said
$bar=123 and tested.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
sheldonlg wrote:
> Captain Paralytic wrote:
>> On 28 Aug, 12:33, sheldonlg wrote:
>>> I need to do some modifications on some code I just inherited and that code has me baffled.
>>> On one page, caller.php, with method get there is an anchor with href="foo.php?bar=123". On foo.php, the URL shows the parameter. So far, so good.
>>> In foo.php there is no $_GET statement to decipher the value from bar. Furthermore, I did a grep of the entire code base for $_GET and for $_REQUEST and there was none. The code then proceeds to test on $bar and use its value to build an sql statement. (There are other parameters that could have been put into the URL such as bar1, bar2, etc. and these are all tested in building the proper sql statement).
>>> This app uses globals. I did a grep of the entire codebase for global and didn't find bar, bar1, etc.
>>> The question I have is "how could the invoked page get the value of the url parameters without having used a $_GET or a $_REQUEST?".
>> register_globals
>> I'm surprised you haven't noticed the many discussions of this.
> Well, I never use globals. I only use $_SESSION. Also, I always
> decipher my variables via $_GET or $_POST, so I never paid much
> attention to register_globals. Everyone always said it was a bad thing
> to do, and the manual even says that it is dangerous and subject to
> injection.
> Are you saying by your one word answer that if the url has ?bar=123 that
> register_globals will produce a variable named $bar having a value of
> '123', but that a test on variable $bar1 will be 'false'? I didn't see
> that in the manual (admittedly, I may not have found it).
I just did a google of "register_globals url". It turned up two
threads, this one and one from 2003. It seems my answer is in that
thread. Thanks.
sheldonlg wrote:
> I need to do some modifications on some code I just inherited and that
> code has me baffled.
> On one page, caller.php, with method get there is an anchor with
> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
> far, so good.
> In foo.php there is no $_GET statement to decipher the value from bar.
> Furthermore, I did a grep of the entire code base for $_GET and for
> $_REQUEST and there was none. The code then proceeds to test on $bar
> and use its value to build an sql statement. (There are other
> parameters that could have been put into the URL such as bar1, bar2,
> etc. and these are all tested in building the proper sql statement).
> This app uses globals. I did a grep of the entire codebase for global
> and didn't find bar, bar1, etc.
> The question I have is "how could the invoked page get the value of the
> url parameters without having used a $_GET or a $_REQUEST?".
Hi Sheldong,
Many possibilities.
My bet is that register_globals could be on, which is bad.
In that case a variable with the name $bar is automagically created from
the GET, POST, etc.
Simply check your php.ini or use phpinfo() to see if register_globals is on.
Also, try this above in your foo.php:
echo "<pre>";
print_r($_SERVER);
echo "</pre>";
You'll probably see QUERY_STRING with a value.
Maybe they use that one?
Regards,
Erwin Moller
--
============================
Erwin Moller
Now dropping all postings from googlegroups.
Why? http://improve-usenet.org/
============================
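The mechanism discussed in this thread, as an added example that is not part of any poster's message: `legacy_build_sql()` uses `extract()` to mimic what `register_globals` (removed in PHP 5.4.0) did for `foo.php?bar=123`, so `$bar` exists and `$bar1` does not, next to a replacement that reads named parameters explicitly, validates them and binds them. The `items` table, its columns, both function names and the sample rows are constructed assumptions.

```php
<?php
// Added example, not code from the thread. Needs the pdo_sqlite extension.

// What register_globals=On effectively did before foo.php ran: each request
// parameter became a variable named after it. extract() reproduces that here.
function legacy_build_sql(array $query): string
{
    extract($query);                         // ?bar=123 creates $bar = '123'
    $sql = 'SELECT label FROM items WHERE 1=1';
    if (isset($bar))  { $sql .= " AND owner = $bar"; }    // raw request text in SQL
    if (isset($bar1)) { $sql .= " AND label = '$bar1'"; } // skipped: $bar1 never set
    return $sql;
}

// Replacement that works with register_globals off: named parameters only,
// each validated, values bound instead of concatenated.
function build_query(array $query): array
{
    $sql = 'SELECT label FROM items WHERE 1=1';
    $params = [];
    if (array_key_exists('bar', $query)) {
        $owner = filter_var($query['bar'], FILTER_VALIDATE_INT);
        if ($owner === false) {
            throw new InvalidArgumentException('bar must be an integer');
        }
        $sql .= ' AND owner = :owner';
        $params[':owner'] = $owner;
    }
    if (array_key_exists('bar1', $query)) {
        if (!is_string($query['bar1']) || strlen($query['bar1']) > 64) {
            throw new InvalidArgumentException('bar1 must be a short string');
        }
        $sql .= ' AND label = :label';
        $params[':label'] = $query['bar1'];
    }
    return [$sql, $params];
}

// Constructed sample rows in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (owner INTEGER, label TEXT)');
$db->exec("INSERT INTO items VALUES (123, 'alpha'), (123, 'beta'), (456, 'gamma')");

parse_str('bar=123', $query);                // stands in for $_GET on foo.php?bar=123
echo legacy_build_sql($query), "\n";

[$sql, $params] = build_query($query);
$stmt = $db->prepare($sql);
$stmt->execute($params);
echo $sql, ' => ', implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";

// Non-numeric text in bar is rejected before any SQL is built.
parse_str('bar=12abc', $query);
try {
    build_query($query);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```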
sheldonlg wrote:
> sheldonlg wrote:
>> Captain Paralytic wrote:
>>> On 28 Aug, 12:33, sheldonlg wrote:
>>>> I need to do some modifications on some code I just inherited and that code has me baffled.
>>>> On one page, caller.php, with method get there is an anchor with href="foo.php?bar=123". On foo.php, the URL shows the parameter. So far, so good.
>>>> In foo.php there is no $_GET statement to decipher the value from bar. Furthermore, I did a grep of the entire code base for $_GET and for $_REQUEST and there was none. The code then proceeds to test on $bar and use its value to build an sql statement. (There are other parameters that could have been put into the URL such as bar1, bar2, etc. and these are all tested in building the proper sql statement).
>>>> This app uses globals. I did a grep of the entire codebase for global and didn't find bar, bar1, etc.
>>>> The question I have is "how could the invoked page get the value of the url parameters without having used a $_GET or a $_REQUEST?".
>>> register_globals
>>> I'm surprised you haven't noticed the many discussions of this.
>> Well, I never use globals. I only use $_SESSION. Also, I always decipher my variables via $_GET or $_POST, so I never paid much attention to register_globals. Everyone always said it was a bad thing to do, and the manual even says that it is dangerous and subject to injection.
>> Are you saying by your one word answer that if the url has ?bar=123 that register_globals will produce a variable named $bar having a value of '123', but that a test on variable $bar1 will be 'false'? I didn't see that in the manual (admittedly, I may not have found it).
> I just did a google of "register_globals url". It turned up two
> threads, this one and one from 2003. It seems my answer is in that
> thread. Thanks.
Try just searching this newsgroup on register_globals. You'll get a lot
of hits.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Jerry Stuckle wrote:
> sheldonlg wrote:
>> Captain Paralytic wrote:
>>> On 28 Aug, 12:33, sheldonlg wrote:
>>>> I need to do some modifications on some code I just inherited and that code has me baffled.
>>>> On one page, caller.php, with method get there is an anchor with href="foo.php?bar=123". On foo.php, the URL shows the parameter. So far, so good.
>>>> In foo.php there is no $_GET statement to decipher the value from bar. Furthermore, I did a grep of the entire code base for $_GET and for $_REQUEST and there was none. The code then proceeds to test on $bar and use its value to build an sql statement. (There are other parameters that could have been put into the URL such as bar1, bar2, etc. and these are all tested in building the proper sql statement).
>>>> This app uses globals. I did a grep of the entire codebase for global and didn't find bar, bar1, etc.
>>>> The question I have is "how could the invoked page get the value of the url parameters without having used a $_GET or a $_REQUEST?".
>>> register_globals
>>> I'm surprised you haven't noticed the many discussions of this.
>> Well, I never use globals. I only use $_SESSION. Also, I always decipher my variables via $_GET or $_POST, so I never paid much attention to register_globals. Everyone always said it was a bad thing to do, and the manual even says that it is dangerous and subject to injection.
>> Are you saying by your one word answer that if the url has ?bar=123 that register_globals will produce a variable named $bar having a value of '123', but that a test on variable $bar1 will be 'false'? I didn't see that in the manual (admittedly, I may not have found it).
> No, a test in $bar will provide exactly the same result as if you said
> $bar=123 and tested.
Jerry, I think you may have misread what I wrote. I said a test of
$bar1, not $bar, would be false. Anyway, I have my answer now thanks to
the Captain. (though I have been programming for forty years, I only
learned PHP about 5 years ago -- after the time when register_globals
was set to off and $_GET was firmly in place.)
On 28 Aug, 13:04, sheldonlg wrote:
> I only
> learned PHP about 5 years ago -- after the time when register_globals
> was set to off and $_GET was firmly in place
You're joking right?
There are still more servers out there with register_globals on than
there are with it off.
Captain Paralytic wrote:
> On 28 Aug, 13:04, sheldonlg wrote:
>> I only learned PHP about 5 years ago -- after the time when register_globals was set to off and $_GET was firmly in place
> You're joking right?
> There are still more servers out there with register_globals on than
> there are with it off.
I should have qualified that. I should have said "was set to off by
default". Anyway, all my work has been on just a few servers. On the
two I do work on now, it turns out that both have it set to "on". On
one of them, I only write new code and I always use $_POST and $_GET.
On the other, the one with the inherited code, I had only previously
written new code and never passed any parameters in the URL (it was an
AJAX framework). That is why in these five years I have never
encountered this problem.