Baffled by no $_GET

I need to do some modifications on some code I just inherited and that
code has me baffled.

On one page, caller.php, with method get there is an anchor with
href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
far, so good.

In foo.php there is no $_GET statement to decipher the value from bar.
Furthermore, I did a grep of the entire code base for $_GET and for
$_REQUEST and there was none. The code then proceeds to test on $bar
and use its value to build an sql statement. (There are other
parameters that could have been put into the URL such as bar1, bar2,
etc. and these are all tested in building the proper sql statement).

This app uses globals. I did a grep of the entire codebase for global
and didn't find bar, bar1, etc.

The question I have is "how could the invoked page get the value of the
url parameters without having used a $_GET or a $_REQUEST?".
Aug 28 '08 #1


On 28 Aug, 12:33, sheldonlg wrote:
> I need to do some modifications on some code I just inherited and that
> code has me baffled.
>
> On one page, caller.php, with method get there is an anchor with
> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
> far, so good.
>
> In foo.php there is no $_GET statement to decipher the value from bar.
> Furthermore, I did a grep of the entire code base for $_GET and for
> $_REQUEST and there was none. The code then proceeds to test on $bar
> and use its value to build an sql statement. (There are other
> parameters that could have been put into the URL such as bar1, bar2,
> etc. and these are all tested in building the proper sql statement).
>
> This app uses globals. I did a grep of the entire codebase for global
> and didn't find bar, bar1, etc.
>
> The question I have is "how could the invoked page get the value of the
> url parameters without having used a $_GET or a $_REQUEST?".

register_globals

I'm surprised you haven't noticed the many discussions of this.
Aug 28 '08 #2

Captain Paralytic wrote:
> On 28 Aug, 12:33, sheldonlg wrote:
>> I need to do some modifications on some code I just inherited and that
>> code has me baffled.
>>
>> On one page, caller.php, with method get there is an anchor with
>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>> far, so good.
>>
>> In foo.php there is no $_GET statement to decipher the value from bar.
>> Furthermore, I did a grep of the entire code base for $_GET and for
>> $_REQUEST and there was none. The code then proceeds to test on $bar
>> and use its value to build an sql statement. (There are other
>> parameters that could have been put into the URL such as bar1, bar2,
>> etc. and these are all tested in building the proper sql statement).
>>
>> This app uses globals. I did a grep of the entire codebase for global
>> and didn't find bar, bar1, etc.
>>
>> The question I have is "how could the invoked page get the value of the
>> url parameters without having used a $_GET or a $_REQUEST?".
>
> register_globals
>
> I'm surprised you haven't noticed the many discussions of this.

Well, I never use globals. I only use $_SESSION. Also, I always
decipher my variables via $_GET or $_POST, so I never paid much
attention to register_globals. Everyone always said it was a bad thing
to do, and the manual even says that it is dangerous and subject to
injection.

Are you saying by your one word answer that if the url has ?bar=123 that
register_globals will produce a variable named $bar having a value of
'123', but that a test on variable $bar1 will be 'false'? I didn't see
that in the manual (admittedly, I may not have found it).
Aug 28 '08 #3

sheldonlg wrote:
> Captain Paralytic wrote:
>> On 28 Aug, 12:33, sheldonlg wrote:
>>> I need to do some modifications on some code I just inherited and that
>>> code has me baffled.
>>>
>>> On one page, caller.php, with method get there is an anchor with
>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>> far, so good.
>>>
>>> In foo.php there is no $_GET statement to decipher the value from bar.
>>> Furthermore, I did a grep of the entire code base for $_GET and for
>>> $_REQUEST and there was none. The code then proceeds to test on $bar
>>> and use its value to build an sql statement. (There are other
>>> parameters that could have been put into the URL such as bar1, bar2,
>>> etc. and these are all tested in building the proper sql statement).
>>>
>>> This app uses globals. I did a grep of the entire codebase for global
>>> and didn't find bar, bar1, etc.
>>>
>>> The question I have is "how could the invoked page get the value of the
>>> url parameters without having used a $_GET or a $_REQUEST?".
>>
>> register_globals
>>
>> I'm surprised you haven't noticed the many discussions of this.
>
> Well, I never use globals. I only use $_SESSION. Also, I always
> decipher my variables via $_GET or $_POST, so I never paid much
> attention to register_globals. Everyone always said it was a bad thing
> to do, and the manual even says that it is dangerous and subject to
> injection.
>
> Are you saying by your one word answer that if the url has ?bar=123 that
> register_globals will produce a variable named $bar having a value of
> '123', but that a test on variable $bar1 will be 'false'? I didn't see
> that in the manual (admittedly, I may not have found it).

No, a test in $bar will provide exactly the same result as if you said
$bar=123 and tested.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 28 '08 #4

sheldonlg wrote:
> Captain Paralytic wrote:
>> On 28 Aug, 12:33, sheldonlg wrote:
>>> I need to do some modifications on some code I just inherited and that
>>> code has me baffled.
>>>
>>> On one page, caller.php, with method get there is an anchor with
>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>> far, so good.
>>>
>>> In foo.php there is no $_GET statement to decipher the value from bar.
>>> Furthermore, I did a grep of the entire code base for $_GET and for
>>> $_REQUEST and there was none. The code then proceeds to test on $bar
>>> and use its value to build an sql statement. (There are other
>>> parameters that could have been put into the URL such as bar1, bar2,
>>> etc. and these are all tested in building the proper sql statement).
>>>
>>> This app uses globals. I did a grep of the entire codebase for global
>>> and didn't find bar, bar1, etc.
>>>
>>> The question I have is "how could the invoked page get the value of the
>>> url parameters without having used a $_GET or a $_REQUEST?".
>>
>> register_globals
>>
>> I'm surprised you haven't noticed the many discussions of this.
>
> Well, I never use globals. I only use $_SESSION. Also, I always
> decipher my variables via $_GET or $_POST, so I never paid much
> attention to register_globals. Everyone always said it was a bad thing
> to do, and the manual even says that it is dangerous and subject to
> injection.
>
> Are you saying by your one word answer that if the url has ?bar=123 that
> register_globals will produce a variable named $bar having a value of
> '123', but that a test on variable $bar1 will be 'false'? I didn't see
> that in the manual (admittedly, I may not have found it).

I just did a google of "register_globals url". It turned up two
threads, this one and one from 2003. It seems my answer is in that
thread. Thanks.
Aug 28 '08 #5


sheldonlg wrote:
> I need to do some modifications on some code I just inherited and that
> code has me baffled.
>
> On one page, caller.php, with method get there is an anchor with
> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
> far, so good.
>
> In foo.php there is no $_GET statement to decipher the value from bar.
> Furthermore, I did a grep of the entire code base for $_GET and for
> $_REQUEST and there was none. The code then proceeds to test on $bar
> and use its value to build an sql statement. (There are other
> parameters that could have been put into the URL such as bar1, bar2,
> etc. and these are all tested in building the proper sql statement).
>
> This app uses globals. I did a grep of the entire codebase for global
> and didn't find bar, bar1, etc.
>
> The question I have is "how could the invoked page get the value of the
> url parameters without having used a $_GET or a $_REQUEST?".

Hi Sheldong,

Many possibilities.
My bet is that register_globals could be on, which is bad.
In that case a variable with the name $bar is automagically created from
the GET, POST, etc.
Simply check your php.ini or use phpinfo() to see if register_globals is on.

Also, try this above in your foo.php:
echo "<pre>";
print_r($_SERVER);
echo "</pre>";

You'll probably see QUERY_STRING with a value.
Maybe they use that one?

Regards,
Erwin Moller


--
============================
Erwin Moller
Now dropping all postings from googlegroups.
Why? http://improve-usenet.org/
============================
Aug 28 '08 #6

sheldonlg wrote:
> sheldonlg wrote:
>> Captain Paralytic wrote:
>>> On 28 Aug, 12:33, sheldonlg wrote:
>>>> I need to do some modifications on some code I just inherited and that
>>>> code has me baffled.
>>>>
>>>> On one page, caller.php, with method get there is an anchor with
>>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>>> far, so good.
>>>>
>>>> In foo.php there is no $_GET statement to decipher the value from bar.
>>>> Furthermore, I did a grep of the entire code base for $_GET and for
>>>> $_REQUEST and there was none. The code then proceeds to test on $bar
>>>> and use its value to build an sql statement. (There are other
>>>> parameters that could have been put into the URL such as bar1, bar2,
>>>> etc. and these are all tested in building the proper sql statement).
>>>>
>>>> This app uses globals. I did a grep of the entire codebase for global
>>>> and didn't find bar, bar1, etc.
>>>>
>>>> The question I have is "how could the invoked page get the value of the
>>>> url parameters without having used a $_GET or a $_REQUEST?".
>>>
>>> register_globals
>>>
>>> I'm surprised you haven't noticed the many discussions of this.
>>
>> Well, I never use globals. I only use $_SESSION. Also, I always
>> decipher my variables via $_GET or $_POST, so I never paid much
>> attention to register_globals. Everyone always said it was a bad
>> thing to do, and the manual even says that it is dangerous and subject
>> to injection.
>>
>> Are you saying by your one word answer that if the url has ?bar=123
>> that register_globals will produce a variable named $bar having a
>> value of '123', but that a test on variable $bar1 will be 'false'? I
>> didn't see that in the manual (admittedly, I may not have found it).
>
> I just did a google of "register_globals url". It turned up two
> threads, this one and one from 2003. It seems my answer is in that
> thread. Thanks.

Try just searching this newsgroup on register_globals. You'll get a lot
of hits.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 28 '08 #7

Jerry Stuckle wrote:
> sheldonlg wrote:
>> Captain Paralytic wrote:
>>> On 28 Aug, 12:33, sheldonlg wrote:
>>>> I need to do some modifications on some code I just inherited and that
>>>> code has me baffled.
>>>>
>>>> On one page, caller.php, with method get there is an anchor with
>>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>>> far, so good.
>>>>
>>>> In foo.php there is no $_GET statement to decipher the value from bar.
>>>> Furthermore, I did a grep of the entire code base for $_GET and for
>>>> $_REQUEST and there was none. The code then proceeds to test on $bar
>>>> and use its value to build an sql statement. (There are other
>>>> parameters that could have been put into the URL such as bar1, bar2,
>>>> etc. and these are all tested in building the proper sql statement).
>>>>
>>>> This app uses globals. I did a grep of the entire codebase for global
>>>> and didn't find bar, bar1, etc.
>>>>
>>>> The question I have is "how could the invoked page get the value of the
>>>> url parameters without having used a $_GET or a $_REQUEST?".
>>>
>>> register_globals
>>>
>>> I'm surprised you haven't noticed the many discussions of this.
>>
>> Well, I never use globals. I only use $_SESSION. Also, I always
>> decipher my variables via $_GET or $_POST, so I never paid much
>> attention to register_globals. Everyone always said it was a bad
>> thing to do, and the manual even says that it is dangerous and subject
>> to injection.
>>
>> Are you saying by your one word answer that if the url has ?bar=123
>> that register_globals will produce a variable named $bar having a
>> value of '123', but that a test on variable $bar1 will be 'false'? I
>> didn't see that in the manual (admittedly, I may not have found it).
>
> No, a test in $bar will provide exactly the same result as if you said
> $bar=123 and tested.

Jerry, I think you may have misread what I wrote. I said a test of
$bar1, not $bar, would be false. Anyway, I have my answer now thanks to
the Captain. (though I have been programming for forty years, I only
learned PHP about 5 years ago -- after the time when register_globals
was set to off and $_GET was firmly in place.)
Aug 28 '08 #8

On 28 Aug, 13:04, sheldonlg wrote:
> I only
> learned PHP about 5 years ago -- after the time when register_globals
> was set to off and $_GET was firmly in place

You're joking right?

There are still more servers out there with register_globals on than
there are with it off.
Aug 28 '08 #9

Captain Paralytic wrote:
> On 28 Aug, 13:04, sheldonlg wrote:
>> I only
>> learned PHP about 5 years ago -- after the time when register_globals
>> was set to off and $_GET was firmly in place
>
> You're joking right?
>
> There are still more servers out there with register_globals on than
> there are with it off.

I should have qualified that. I should have said "was set to off by
default". Anyway, all my work has been on just a few servers. On the
two I do work on now, it turns out that both have it set to "on". On
one of them, I only write new code and I always use $_POST and $_GET.
On the other, the one with the inherited code, I had only previously
written new code and never passed any parameters in the URL (it was an
AJAX framework). That is why in these five years I have never
encountered this problem.
Aug 28 '08 #10

sheldonlg wrote:
> Jerry Stuckle wrote:
>> sheldonlg wrote:
>>> Captain Paralytic wrote:
>>>> On 28 Aug, 12:33, sheldonlg wrote:
>>>>> I need to do some modifications on some code I just inherited and that
>>>>> code has me baffled.
>>>>>
>>>>> On one page, caller.php, with method get there is an anchor with
>>>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>>>> far, so good.
>>>>>
>>>>> In foo.php there is no $_GET statement to decipher the value from bar.
>>>>> Furthermore, I did a grep of the entire code base for $_GET and for
>>>>> $_REQUEST and there was none. The code then proceeds to test on $bar
>>>>> and use its value to build an sql statement. (There are other
>>>>> parameters that could have been put into the URL such as bar1, bar2,
>>>>> etc. and these are all tested in building the proper sql statement).
>>>>>
>>>>> This app uses globals. I did a grep of the entire codebase for global
>>>>> and didn't find bar, bar1, etc.
>>>>>
>>>>> The question I have is "how could the invoked page get the value of the
>>>>> url parameters without having used a $_GET or a $_REQUEST?".
>>>>
>>>> register_globals
>>>>
>>>> I'm surprised you haven't noticed the many discussions of this.
>>>
>>> Well, I never use globals. I only use $_SESSION. Also, I always
>>> decipher my variables via $_GET or $_POST, so I never paid much
>>> attention to register_globals. Everyone always said it was a bad
>>> thing to do, and the manual even says that it is dangerous and
>>> subject to injection.
>>>
>>> Are you saying by your one word answer that if the url has ?bar=123
>>> that register_globals will produce a variable named $bar having a
>>> value of '123', but that a test on variable $bar1 will be 'false'? I
>>> didn't see that in the manual (admittedly, I may not have found it).
>>
>> No, a test in $bar will provide exactly the same result as if you said
>> $bar=123 and tested.
>
> Jerry, I think you may have misread what I wrote. I said a test of
> $bar1, not $bar, would be false. Anyway, I have my answer now thanks to
> the Captain. (though I have been programming for forty years, I only
> learned PHP about 5 years ago -- after the time when register_globals
> was set to off and $_GET was firmly in place.)

Ah, yes, I did miss that point.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 28 '08 #11

<comp.lang.php>
<Jerry Stuckle>
<Thu, 28 Aug 2008 09:53:48 -0400>
<g9**********@registered.motzarella.org>
> Ah, yes, I did miss that point.

How long do you have left as a mortal - as one assumes you now feel
obliged to commit hari kari .

Will there be live webcam footage of the event ? .
--
www.phpguestbook.co.uk/phpgb
(the best php guestbook on planet earth)
Aug 28 '08 #12


PHPGB wrote:
> <comp.lang.php>
> <Jerry Stuckle>
> <Thu, 28 Aug 2008 09:53:48 -0400>
> <g9**********@registered.motzarella.org>
>
>> Ah, yes, I did miss that point.
>
> How long do you have left as a mortal - as one assumes you now feel
> obliged to commit hari kari .
>
> Will there be live webcam footage of the event ? .

Why are you behaving so aggressive PHPGB?
Jerry says he made a mistake, and you ask him to commit suicide over it?
What is wrong with you?

Erwin Moller
--
============================
Erwin Moller
Now dropping all postings from googlegroups.
Why? http://improve-usenet.org/
============================
Aug 28 '08 #13

Message-ID: <48*********************@news.xs4all.nl> from Erwin Moller
contained the following:

>> Will there be live webcam footage of the event ? .
>
> Why are you behaving so aggressive PHPGB?

I object to him being PHPGB . I should be the only PHPGB round here.

--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
http://slipperyhill.co.uk - http://4theweb.co.uk
Aug 28 '08 #14

On Thu, 28 Aug 2008 16:24:19 +0200, Erwin Moller
<Si******************************************@spam yourself.com> wrote:

> PHPGB wrote:
>> <comp.lang.php>
>> <Jerry Stuckle>
>> <Thu, 28 Aug 2008 09:53:48 -0400>
>> <g9**********@registered.motzarella.org>
>>
>>> Ah, yes, I did miss that point.
>>
>> How long do you have left as a mortal - as one assumes you now feel
>> obliged to commit hari kari .
>>
>> Will there be live webcam footage of the event ? .
>
> Why are you behaving so aggressive PHPGB?

PHPGB = Krusty
What do you expect?
--
Regards, Paul Herber, Sandrila Ltd.
http://www.sandrila.co.uk/ http://www.pherber.com/
Aug 28 '08 #15

<comp.lang.php>
<Erwin Moller>
<Thu, 28 Aug 2008 18:05:04 +0200>
<48*********************@news.xs4all.nl>
> In your case: You probably hit the roof of your ability building a
> guestbook in PHP

Is that an insult ? .

I thought you were against such things being posted to CLP .
--
www.phpguestbook.co.uk/phpgb
(the best php guestbook on planet earth)
Aug 28 '08 #16

Erwin Moller wrote:
> sheldonlg wrote:
>> I need to do some modifications on some code I just inherited and that
>> code has me baffled.
>>
>> On one page, caller.php, with method get there is an anchor with
>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>> far, so good.
>>
>> In foo.php there is no $_GET statement to decipher the value from bar.
>> Furthermore, I did a grep of the entire code base for $_GET and for
>> $_REQUEST and there was none. The code then proceeds to test on $bar
>> and use its value to build an sql statement. (There are other
>> parameters that could have been put into the URL such as bar1, bar2,
>> etc. and these are all tested in building the proper sql statement).
>>
>> This app uses globals. I did a grep of the entire codebase for global
>> and didn't find bar, bar1, etc.
>>
>> The question I have is "how could the invoked page get the value of
>> the url parameters without having used a $_GET or a $_REQUEST?".
>
> Hi Sheldong,
>
> Many possibilities.
> My bet is that register_globals could be on, which is bad.

Being a newbie, I was unfamiliar with that.

My first reaction to learning of this was that this could create some
real problems as it could step on your own variables and that could be
done just by someone adding onto the query string. Am I wrong here?

Is this a commonly set configuration? Sounds like the same genius who
thought up addslashes.

Jeff

> In that case a variable with the name $bar is automagically created from
> the GET, POST, etc.
> Simply check your php.ini or use phpinfo() to see if register_globals is
> on.
>
> Also, try this above in your foo.php:
> echo "<pre>";
> print_r($_SERVER);
> echo "</pre>";
>
> You'll probably see QUERY_STRING with a value.
> Maybe they use that one?
>
> Regards,
> Erwin Moller

Aug 29 '08 #17

Jeff wrote:
> Erwin Moller wrote:
>> sheldonlg wrote:
>>> I need to do some modifications on some code I just inherited and
>>> that code has me baffled.
>>>
>>> On one page, caller.php, with method get there is an anchor with
>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>> far, so good.
>>>
>>> In foo.php there is no $_GET statement to decipher the value from
>>> bar. Furthermore, I did a grep of the entire code base for $_GET and
>>> for $_REQUEST and there was none. The code then proceeds to test on
>>> $bar and use its value to build an sql statement. (There are other
>>> parameters that could have been put into the URL such as bar1, bar2,
>>> etc. and these are all tested in building the proper sql statement).
>>>
>>> This app uses globals. I did a grep of the entire codebase for
>>> global and didn't find bar, bar1, etc.
>>>
>>> The question I have is "how could the invoked page get the value of
>>> the url parameters without having used a $_GET or a $_REQUEST?".
>>
>> Hi Sheldong,
>>
>> Many possibilities.
>> My bet is that register_globals could be on, which is bad.
>
> Being a newbie, I was unfamiliar with that.
>
> My first reaction to learning of this was that this could create some
> real problems as it could step on your own variables and that could be
> done just by someone adding onto the query string. Am I wrong here?
>
> Is this a commonly set configuration? Sounds like the same genius who
> thought up addslashes.
>
> Jeff
>
>> In that case a variable with the name $bar is automagically created
>> from the GET, POST, etc.
>> Simply check your php.ini or use phpinfo() to see if register_globals
>> is on.
>>
>> Also, try this above in your foo.php:
>> echo "<pre>";
>> print_r($_SERVER);
>> echo "</pre>";
>>
>> You'll probably see QUERY_STRING with a value.
>> Maybe they use that one?
>>
>> Regards,
>> Erwin Moller

It's not a common configuration any more, but it used to be the default
for PHP (back in the 4.0 and before days).

And yes, it can be a problem. However, if you always initialize your
variables before you use them, it's not as much of a problem.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 29 '08 #18
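
Added example (not part of the thread, and not the inherited application's code): Jeff's question about the query string stepping on a script's own variables, and Jerry Stuckle's reply about initializing them, worked through in PHP. Because register_globals was removed in PHP 5.4, extract() stands in for it here; the function names, the `items` table and the `$show_all` flag are hypothetical, and the query strings are constructed samples.

```php
<?php
// Added illustration, not code from the thread. Function names, the `items`
// table and the $show_all flag are hypothetical; the samples are constructed.

// Legacy style: foo.php reads $bar, $bar1 ... without ever touching $_GET.
function legacy_foo(array $query, bool $initialize): string
{
    // Stand-in for register_globals, which ran before the script's first
    // line: each request parameter becomes a variable of the same name.
    // EXTR_SKIP only protects this function's own two arguments.
    extract($query, EXTR_SKIP);

    if ($initialize) {
        // The mitigation from the last reply: assign before use, which
        // overwrites anything the request planted under this name.
        $show_all = false;
    }

    $where = [];
    if (isset($bar))  { $where[] = "bar = $bar"; }   // value pasted into the SQL
    if (isset($bar1)) { $where[] = "bar1 = $bar1"; }
    // Intended to be set only by application code, never by the visitor.
    if (empty($show_all)) { $where[] = 'owner_id = 7'; }

    return 'SELECT * FROM items'
        . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
}

// Explicit style: only named parameters are read, each one is validated, and
// values travel as bound parameters instead of being pasted into the SQL.
function explicit_foo(array $query): array
{
    $where  = ['owner_id = :owner'];
    $params = [':owner' => 7];
    foreach (['bar', 'bar1', 'bar2'] as $name) {
        if (!array_key_exists($name, $query)) {
            continue;
        }
        // Assumption: these parameters are integer ids.
        $value = filter_var($query[$name], FILTER_VALIDATE_INT);
        if ($value === false) {
            throw new InvalidArgumentException("$name must be an integer");
        }
        $where[] = "$name = :$name";
        $params[":$name"] = $value;
    }
    return ['SELECT * FROM items WHERE ' . implode(' AND ', $where), $params];
}

parse_str('bar=123', $normal);              // the link from caller.php
parse_str('bar=123&show_all=1', $appended); // same link, one extra parameter

echo legacy_foo($normal, false), "\n";   // flag absent from the request
echo legacy_foo($appended, false), "\n"; // uninitialized flag taken from the URL
echo legacy_foo($appended, true), "\n";  // initialized flag, URL value discarded
[$sql, $params] = explicit_foo($appended);
echo $sql, ' ', json_encode($params), "\n"; // show_all is never read at all
```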
