smilemaster wrote:
I have recently started experiencing form data loss. Here is an
example:
and Marian Heddesheimer replied:
I suppose you have turned off "register_globals" in your php.ini
smile: Marian's answer is almost certainly the correct one. Especially
since you report that this is something you "recently started
experiencing". Check with your server admin and ask if they recently
upgraded the machine to a newer version of php or whatever unix flavor
os it's (presumably) got. I believe that php 4.2.0 was the first
revision where register_globals is turned off by default.
I discovered this the hard way by working through a Wrox book on php.
register_globals is a php.ini setting that allows all variable values
passed through either forms or urls to be recognized as global variables
by default. Well, this creates all sorts of security problems, which is
why it's normally recommended that you turn this feature *off* in the
php.ini. When you do this, it means that if you want to access a value
passed through a form field, you must access it through either the POST
or REQUEST global arrays, and if you want to access a value passed
through a url, you must access it through either the GET or REQUEST
global arrays, thus:
//value passed through form field text box named 'myfield'
$myvalue=$_POST['myfield'];
//value passed through url, i.e.,
//"http://www.myurl.net/test.php?myfield=myvalue"
$myvalue=$_GET['myfield'];
Not only that, but if you need to pass any values acquired in this
manner to a function, they need to be explicitly declared as global
within the function, thus:
function myFunctionName () {
    //make the global $myvalue assigned above visible inside this function
    global $myvalue;
}
See the following errata page from Wrox for an explanation (refer to the
second entry on the errata listing):
http://www.wrox.com/books/errata/076...4_errata.shtml
Also see the following documentation on www.php.net (be sure to scroll
to the bottom of the page to the section headed 'SECURITY: NEW INPUT
MECHANISM'):
http://www.php.net/release_4_1_0.php
Also see this page and refer to the big box headed 'Warning':
http://us4.php.net/variables.predefined
As you can see, as of revision 4.2.0, register_globals is turned *off*
by default, and you absolutely should leave it that way. Just revise
your code per the examples above.
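
An added example, not part of the original posts: it shows the kind of security problem register_globals caused, next to the explicit array access recommended above. The function names and the sample input are made up for illustration, and extract() is used here as a stand-in for register_globals.

```php
<?php
// Runs on PHP 7+, where register_globals no longer exists; extract() stands in for it.

// Hypothetical login check; constructed so that this visitor is NOT logged in.
function login_ok(): bool
{
    return false;
}

// Old style: every request parameter silently becomes a variable in scope.
function handle_with_register_globals(array $request): array
{
    extract($request);            // emulates register_globals = On
    if (login_ok()) {
        $authorized = true;       // only ever assigned on success...
    }
    // ...so on failure the script falls back to whatever the request supplied.
    return [
        'myfield'    => $myfield ?? '',
        'authorized' => !empty($authorized),
    ];
}

// New style: read only the named field from the array, initialise everything else.
function handle_with_superglobals(array $get): array
{
    $authorized = login_ok();     // always set by the script itself
    $myfield = (isset($get['myfield']) && is_string($get['myfield']))
        ? $get['myfield']
        : '';                     // missing or array-valued field becomes ''
    return ['myfield' => $myfield, 'authorized' => $authorized];
}

// Constructed sample input, as if the URL were test.php?myfield=myvalue&authorized=1
$sample = ['myfield' => 'myvalue', 'authorized' => '1'];

var_export(handle_with_register_globals($sample));
echo PHP_EOL;
var_export(handle_with_superglobals($sample));
echo PHP_EOL;
```

In a real script, pass $_GET (or $_POST for form fields) to handle_with_superglobals instead of the sample array.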