Parameters in PHP

"Jeff Gaines" <jg************@yahoo.co.ukwrote in
news:xn****************@news.individual.net:

They don't work as they are but I can get the parameters by using
$_GET['id'] or sometimes $_POST['id'].

Is this a result of different versions of php (I am using v5) where
behaviour has changed or is it something else that is going completely
over my head because I am so new to this?

It's a change in the way PHP is set up; In PHP 3 (and possibly early
versions of 4?), "register_globals" was set to "on", which meant that you
didn't have to specify any variables before hand - they were created when
you asked for them.

Most PHP installations now have "register_globals" set to Off, and scripts
like the one you posted will be in trouble unless they're modified like
you've done above. That kind of script is understandable if written before
2002, but really is incredibly bad practice created done afterwards.
http://ca.php.net/register_globals

"Jeff Gaines" <jg************@yahoo.co.ukwrote in message
news:xn****************@news.individual.net...

>I have down-loaded several php scripts and am working my way through them
as part of my learning process. I have noticed situations like this:

mysql_query("DELETE FROM $table WHERE id=$id",$db);

where scripts have been called from another script/page with a parameter -
i.e. 'id' is a parameter that is not defined in the script before the
above line is called.

They don't work as they are but I can get the parameters by using
$_GET['id'] or sometimes $_POST['id'].

Is this a result of different versions of php (I am using v5) where
behaviour has changed or is it something else that is going completely
over my head because I am so new to this?

Many thanks.

Yes, it is because you are so new to this.

The $id is a variable called $id and contains the value you want for the id.
How you get it can be from any of the ways that you set a value for a
variable in php. These include the get, post, or simply setting it to
something or calculating it from something. It is totally independent of
the mysql call (and has to have been set first).

The $db is the variable that contains the connection to the database
obtained from a mysql_connect or a mysql_pconnect call.

These are in php4 and, I assume, from the earliest versions of php (I was
not doing php at that time).

Look at www.w3schools.com for a good tutorial on php (and many other
things). Also, look at www.php.net for just about everything you need in
php.

Good luck and we are here to help you get off the ground.

Shelly

"Good Man" <he***@letsgo.comwrote in message
news:Xn************************@216.196.97.131...

"Jeff Gaines" <jg************@yahoo.co.ukwrote in
news:xn****************@news.individual.net:

>They don't work as they are but I can get the parameters by using
$_GET['id'] or sometimes $_POST['id'].

Is this a result of different versions of php (I am using v5) where
behaviour has changed or is it something else that is going completely
over my head because I am so new to this?

It's a change in the way PHP is set up; In PHP 3 (and possibly early
versions of 4?), "register_globals" was set to "on", which meant that you
didn't have to specify any variables before hand - they were created when
you asked for them.

Most PHP installations now have "register_globals" set to Off, and scripts
like the one you posted will be in trouble unless they're modified like
you've done above. That kind of script is understandable if written
before
2002, but really is incredibly bad practice created done afterwards.
http://ca.php.net/register_globals

Good point! I didn't catch that when I tried to help him. I thought he had
confusion about the mysql call and what the variables were. I misread his
question.

Shelly

In our last episode, <xn****************@news.individual.net>, the lovely
and talented Jeff Gaines broadcast on comp.lang.php:

I have down-loaded several php scripts and am working my way through them
as part of my learning process. I have noticed situations like this:

mysql_query("DELETE FROM $table WHERE id=$id",$db);

where scripts have been called from another script/page with a parameter -
i.e. 'id' is a parameter that is not defined in the script before the
above line is called.

They don't work as they are but I can get the parameters by using
$_GET['id'] or sometimes $_POST['id'].

Is this a result of different versions of php (I am using v5) where
behaviour has changed or is it something else that is going completely
over my head because I am so new to this?

It is not entirely clear by "They don't work" whether your problem is how
the parameters are (should be) passed or with executing a mysql query. So
it is rather to the point how they fail to work. Could you clarify that a
little?

There is no necessary connection between $_POST['id'] (or $_GET['id'])
and $id. If $id doesn't get a value somewhere, perhaps passed as a
parameter, it will have an empty value. This is not really nonsense as
you might well want to delete rows with an empty id field, but if this kind
of clean-up is wanted, it should be done in a more straightforward way with
a instruction as potentially dangerous as DELETE. (And of course, setting
up a table in which a field called 'id' could ever acquire and empty value
would be fairly perverse.

So for this query to be likely, somewhere $id would have to be assigned.

This might be:

$id = <something>;

or

$foo = some_function(<something>);

where some_function is defined:

some_function($id){
....
return $bar;
}

or

some_function(){
$id = func_get_arg(0);
....
return $bar;
}

On the other hand, if "They don't work" has to do with the query failing, I
suppose I should mention that mysql_query() will not work without a database
connection. If it isn't given a connection, it will try to use a previous
connection, and failing that it will try to establish one with mysql_connect
without parameters, a last ditch effort almost certain to fail in real-world
situations.

--
Lars Eighner <http://larseighner.com/ <http://myspace.com/larseighner>
Countdown: 454 days to go.
What do you do when you're debranded?

On 23/10/2007 in message
<sl********************@debranded.larseighner.comL ars Eighner wrote:

>In our last episode, <xn****************@news.individual.net>, the lovely
and talented Jeff Gaines broadcast on comp.lang.php:

[snipped]

Many thanks Good Man, Shelly & Lars, I picked Lars' post to reply to as he
has this knack of describing me so well :-)

I think Good Man has probably hit it on the head, this is old code I am
looking at which probably will have worked with earlier versions of php. I
will continue using $_GET['id'] and $_POST['id'] as this seems to be how
to do it now.

Hopefully as I learn I will be able to ask my questions more clearly, at
the moment I am struggling a bit to understand exactly what it is I need
to ask :-)

Thanks again!

--
Jeff Gaines Damerham Hampshire UK
Tell me what you need, and I'll tell you how to get along without it.

"Jeff Gaines" <jg************@yahoo.co.ukwrote in
news:xn****************@news.individual.net:

I think Good Man has probably hit it on the head, this is old code I
am looking at which probably will have worked with earlier versions of
php. I will continue using $_GET['id'] and $_POST['id'] as this seems
to be how to do it now.

Just as an FYI, presuming your code doesn't have any security holes related
to register_globals (ie: if($authorized) { revealSecrets(); } ) then you
can turn the register_globals directive "ON" in php.ini and have that nasty
ol' site work correctly.... admin beware :)

..oO(Jeff Gaines)

>I think Good Man has probably hit it on the head, this is old code I am
looking at which probably will have worked with earlier versions of php. I
will continue using $_GET['id'] and $_POST['id'] as this seems to be how
to do it now.

An addition: If a user-submitted value is used directly in a query
without any validation as it seems to be in this case, then it's very
easy for an attacker to empty the entire table. Read about SQL injection
and how to prevent it.

Micha

Greetings, Jeff Gaines.
In reply to Your message dated Tuesday, October 23, 2007, 19:51:16,

JGI have down-loaded several php scripts and am working my way through them
JGas part of my learning process. I have noticed situations like this:

JGmysql_query("DELETE FROM $table WHERE id=$id",$db);

JGwhere scripts have been called from another script/page with a parameter -
JGi.e. 'id' is a parameter that is not defined in the script before the
JGabove line is called.

JGThey don't work as they are but I can get the parameters by using
JG$_GET['id'] or sometimes $_POST['id'].

It is bad, very bad idea to trust somethig entered by user.
Example?
You have code

"SELECT user_id FROM users WHERE user_name = '{$_POST['name']}' AND user_password = MD5('{$_POST['password']})"

Then I submit the form

name="admin' --"
password="any"

Et voila.. I'm authorized as admin of Your website.
--
Sincerely Yours, AnrDaemon <an*******@freemail.ru>

On 24/10/2007 in message <11***********************@freemail.ruAnrDaemon
wrote:

>It is bad, very bad idea to trust somethig entered by user.

I take your point - I am doing this as a hobby at home on my own network
so I have only to protect me from myself :-)

--
Jeff Gaines Damerham Hampshire UK
This is as bad as it can get, but don't bet on it