Baffled by no $_GET

I need to do some modifications on some code I just inherited and that
code has me baffled.

On one page, caller.php, with method get there is an anchor with
href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
far, so good.

In foo.php there is no $_GET statement to decipher the value from bar.
Furthermore, I did a grep of the entire code base for $_GET and for
$_REQUEST and there was none. The code then proceeds to test on $bar
and use its value to build an sql statement. (There are other
parameters that could have been put into the URL such as bar1, bar2,
etc. and these are all tested in building the proper sql statement).

This app uses globals. I did a grep of the entire codebase for global
and didn't find bar, bar1, etc.

The question I have is "how could the invoked page get the value of the
url parameters without having used a $_GET or a $_REQUEST?".
Aug 28 '08 #1
On 28 Aug, 12:33, sheldonlg wrote:
> I need to do some modifications on some code I just inherited and that
> code has me baffled.
>
> On one page, caller.php, with method get there is an anchor with
> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
> far, so good.
>
> In foo.php there is no $_GET statement to decipher the value from bar.
> Furthermore, I did a grep of the entire code base for $_GET and for
> $_REQUEST and there was none. The code then proceeds to test on $bar
> and use its value to build an sql statement. (There are other
> parameters that could have been put into the URL such as bar1, bar2,
> etc. and these are all tested in building the proper sql statement).
>
> This app uses globals. I did a grep of the entire codebase for global
> and didn't find bar, bar1, etc.
>
> The question I have is "how could the invoked page get the value of the
> url parameters without having used a $_GET or a $_REQUEST?".

register_globals

I'm surprised you haven't noticed the many discussions of this.
Aug 28 '08 #2
Captain Paralytic wrote:
> On 28 Aug, 12:33, sheldonlg wrote:
>> I need to do some modifications on some code I just inherited and that
>> code has me baffled.
>>
>> On one page, caller.php, with method get there is an anchor with
>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>> far, so good.
>>
>> In foo.php there is no $_GET statement to decipher the value from bar.
>> Furthermore, I did a grep of the entire code base for $_GET and for
>> $_REQUEST and there was none. The code then proceeds to test on $bar
>> and use its value to build an sql statement. (There are other
>> parameters that could have been put into the URL such as bar1, bar2,
>> etc. and these are all tested in building the proper sql statement).
>>
>> This app uses globals. I did a grep of the entire codebase for global
>> and didn't find bar, bar1, etc.
>>
>> The question I have is "how could the invoked page get the value of the
>> url parameters without having used a $_GET or a $_REQUEST?".
>
> register_globals
>
> I'm surprised you haven't noticed the many discussions of this.

Well, I never use globals. I only use $_SESSION. Also, I always
decipher my variables via $_GET or $_POST, so I never paid much
attention to register_globals. Everyone always said it was a bad thing
to do, and the manual even says that it is dangerous and subject to
injection.

Are you saying by your one word answer that if the url has ?bar=123 that
register_globals will produce a variable named $bar having a value of
'123', but that a test on variable $bar1 will be 'false'? I didn't see
that in the manual (admittedly, I may not have found it).
Aug 28 '08 #3
sheldonlg wrote:
> Captain Paralytic wrote:
>> On 28 Aug, 12:33, sheldonlg wrote:
>>> I need to do some modifications on some code I just inherited and that
>>> code has me baffled.
>>>
>>> On one page, caller.php, with method get there is an anchor with
>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>> far, so good.
>>>
>>> In foo.php there is no $_GET statement to decipher the value from bar.
>>> Furthermore, I did a grep of the entire code base for $_GET and for
>>> $_REQUEST and there was none. The code then proceeds to test on $bar
>>> and use its value to build an sql statement. (There are other
>>> parameters that could have been put into the URL such as bar1, bar2,
>>> etc. and these are all tested in building the proper sql statement).
>>>
>>> This app uses globals. I did a grep of the entire codebase for global
>>> and didn't find bar, bar1, etc.
>>>
>>> The question I have is "how could the invoked page get the value of the
>>> url parameters without having used a $_GET or a $_REQUEST?".
>>
>> register_globals
>>
>> I'm surprised you haven't noticed the many discussions of this.
>
> Well, I never use globals. I only use $_SESSION. Also, I always
> decipher my variables via $_GET or $_POST, so I never paid much
> attention to register_globals. Everyone always said it was a bad thing
> to do, and the manual even says that it is dangerous and subject to
> injection.
>
> Are you saying by your one word answer that if the url has ?bar=123 that
> register_globals will produce a variable named $bar having a value of
> '123', but that a test on variable $bar1 will be 'false'? I didn't see
> that in the manual (admittedly, I may not have found it).

No, a test in $bar will provide exactly the same result as if you said
$bar=123 and tested.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 28 '08 #4
sheldonlg wrote:
> Captain Paralytic wrote:
>> On 28 Aug, 12:33, sheldonlg wrote:
>>> I need to do some modifications on some code I just inherited and that
>>> code has me baffled.
>>>
>>> On one page, caller.php, with method get there is an anchor with
>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>> far, so good.
>>>
>>> In foo.php there is no $_GET statement to decipher the value from bar.
>>> Furthermore, I did a grep of the entire code base for $_GET and for
>>> $_REQUEST and there was none. The code then proceeds to test on $bar
>>> and use its value to build an sql statement. (There are other
>>> parameters that could have been put into the URL such as bar1, bar2,
>>> etc. and these are all tested in building the proper sql statement).
>>>
>>> This app uses globals. I did a grep of the entire codebase for global
>>> and didn't find bar, bar1, etc.
>>>
>>> The question I have is "how could the invoked page get the value of the
>>> url parameters without having used a $_GET or a $_REQUEST?".
>>
>> register_globals
>>
>> I'm surprised you haven't noticed the many discussions of this.
>
> Well, I never use globals. I only use $_SESSION. Also, I always
> decipher my variables via $_GET or $_POST, so I never paid much
> attention to register_globals. Everyone always said it was a bad thing
> to do, and the manual even says that it is dangerous and subject to
> injection.
>
> Are you saying by your one word answer that if the url has ?bar=123 that
> register_globals will produce a variable named $bar having a value of
> '123', but that a test on variable $bar1 will be 'false'? I didn't see
> that in the manual (admittedly, I may not have found it).

I just did a google of "register_globals url". It turned up two
threads, this one and one from 2003. It seems my answer is in that
thread. Thanks.
Aug 28 '08 #5

sheldonlg wrote:
> I need to do some modifications on some code I just inherited and that
> code has me baffled.
>
> On one page, caller.php, with method get there is an anchor with
> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
> far, so good.
>
> In foo.php there is no $_GET statement to decipher the value from bar.
> Furthermore, I did a grep of the entire code base for $_GET and for
> $_REQUEST and there was none. The code then proceeds to test on $bar
> and use its value to build an sql statement. (There are other
> parameters that could have been put into the URL such as bar1, bar2,
> etc. and these are all tested in building the proper sql statement).
>
> This app uses globals. I did a grep of the entire codebase for global
> and didn't find bar, bar1, etc.
>
> The question I have is "how could the invoked page get the value of the
> url parameters without having used a $_GET or a $_REQUEST?".

Hi Sheldong,

Many possibilities.
My bet is that register_globals could be on, which is bad.
In that case a variable with the name $bar is automagically created from
the GET, POST, etc.
Simply check your php.ini or use phpinfo() to see if register_globals is on.

Also, try this above in your foo.php:
echo "<pre>";
print_r($_SERVER);
echo "</pre>";

You'll probably see QUERY_STRING with a value.
Maybe they use that one?

Regards,
Erwin Moller


--
============================
Erwin Moller
Now dropping all postings from googlegroups.
Why? http://improve-usenet.org/
============================
Aug 28 '08 #6
sheldonlg wrote:
> sheldonlg wrote:
>> Captain Paralytic wrote:
>>> On 28 Aug, 12:33, sheldonlg wrote:
>>>> I need to do some modifications on some code I just inherited and that
>>>> code has me baffled.
>>>>
>>>> On one page, caller.php, with method get there is an anchor with
>>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>>> far, so good.
>>>>
>>>> In foo.php there is no $_GET statement to decipher the value from bar.
>>>> Furthermore, I did a grep of the entire code base for $_GET and for
>>>> $_REQUEST and there was none. The code then proceeds to test on $bar
>>>> and use its value to build an sql statement. (There are other
>>>> parameters that could have been put into the URL such as bar1, bar2,
>>>> etc. and these are all tested in building the proper sql statement).
>>>>
>>>> This app uses globals. I did a grep of the entire codebase for global
>>>> and didn't find bar, bar1, etc.
>>>>
>>>> The question I have is "how could the invoked page get the value of the
>>>> url parameters without having used a $_GET or a $_REQUEST?".
>>>
>>> register_globals
>>>
>>> I'm surprised you haven't noticed the many discussions of this.
>>
>> Well, I never use globals. I only use $_SESSION. Also, I always
>> decipher my variables via $_GET or $_POST, so I never paid much
>> attention to register_globals. Everyone always said it was a bad
>> thing to do, and the manual even says that it is dangerous and subject
>> to injection.
>>
>> Are you saying by your one word answer that if the url has ?bar=123
>> that register_globals will produce a variable named $bar having a
>> value of '123', but that a test on variable $bar1 will be 'false'? I
>> didn't see that in the manual (admittedly, I may not have found it).
>
> I just did a google of "register_globals url". It turned up two
> threads, this one and one from 2003. It seems my answer is in that
> thread. Thanks.

Try just searching this newsgroup on register_globals. You'll get a lot
of hits.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 28 '08 #7
Jerry Stuckle wrote:
> sheldonlg wrote:
>> Captain Paralytic wrote:
>>> On 28 Aug, 12:33, sheldonlg wrote:
>>>> I need to do some modifications on some code I just inherited and that
>>>> code has me baffled.
>>>>
>>>> On one page, caller.php, with method get there is an anchor with
>>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>>> far, so good.
>>>>
>>>> In foo.php there is no $_GET statement to decipher the value from bar.
>>>> Furthermore, I did a grep of the entire code base for $_GET and for
>>>> $_REQUEST and there was none. The code then proceeds to test on $bar
>>>> and use its value to build an sql statement. (There are other
>>>> parameters that could have been put into the URL such as bar1, bar2,
>>>> etc. and these are all tested in building the proper sql statement).
>>>>
>>>> This app uses globals. I did a grep of the entire codebase for global
>>>> and didn't find bar, bar1, etc.
>>>>
>>>> The question I have is "how could the invoked page get the value of the
>>>> url parameters without having used a $_GET or a $_REQUEST?".
>>>
>>> register_globals
>>>
>>> I'm surprised you haven't noticed the many discussions of this.
>>
>> Well, I never use globals. I only use $_SESSION. Also, I always
>> decipher my variables via $_GET or $_POST, so I never paid much
>> attention to register_globals. Everyone always said it was a bad
>> thing to do, and the manual even says that it is dangerous and subject
>> to injection.
>>
>> Are you saying by your one word answer that if the url has ?bar=123
>> that register_globals will produce a variable named $bar having a
>> value of '123', but that a test on variable $bar1 will be 'false'? I
>> didn't see that in the manual (admittedly, I may not have found it).
>
> No, a test in $bar will provide exactly the same result as if you said
> $bar=123 and tested.

Jerry, I think you may have misread what I wrote. I said a test of
$bar1, not $bar, would be false. Anyway, I have my answer now thanks to
the Captain. (though I have been programming for forty years, I only
learned PHP about 5 years ago -- after the time when register_globals
was set to off and $_GET was firmly in place.)
Aug 28 '08 #8
On 28 Aug, 13:04, sheldonlg wrote:
> I only
> learned PHP about 5 years ago -- after the time when register_globals
> was set to off and $_GET was firmly in place

You're joking right?

There are still more servers out there with register_globals on than
there are with it off.
Aug 28 '08 #9
Captain Paralytic wrote:
> On 28 Aug, 13:04, sheldonlg wrote:
>> I only
>> learned PHP about 5 years ago -- after the time when register_globals
>> was set to off and $_GET was firmly in place
>
> You're joking right?
>
> There are still more servers out there with register_globals on than
> there are with it off.

I should have qualified that. I should have said "was set to off by
default". Anyway, all my work has been on just a few servers. On the
two I do work on now, it turns out that both have it set to "on". On
one of them, I only write new code and I always use $_POST and $_GET.
On the other, the one with the inherited code, I had only previously
written new code and never passed any parameters in the URL (it was an
AJAX framework). That is why in these five years I have never
encountered this problem.
Aug 28 '08 #10
sheldonlg wrote:
> Jerry Stuckle wrote:
>> sheldonlg wrote:
>>> Captain Paralytic wrote:
>>>> On 28 Aug, 12:33, sheldonlg wrote:
>>>>> I need to do some modifications on some code I just inherited and that
>>>>> code has me baffled.
>>>>>
>>>>> On one page, caller.php, with method get there is an anchor with
>>>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>>>> far, so good.
>>>>>
>>>>> In foo.php there is no $_GET statement to decipher the value from bar.
>>>>> Furthermore, I did a grep of the entire code base for $_GET and for
>>>>> $_REQUEST and there was none. The code then proceeds to test on $bar
>>>>> and use its value to build an sql statement. (There are other
>>>>> parameters that could have been put into the URL such as bar1, bar2,
>>>>> etc. and these are all tested in building the proper sql statement).
>>>>>
>>>>> This app uses globals. I did a grep of the entire codebase for global
>>>>> and didn't find bar, bar1, etc.
>>>>>
>>>>> The question I have is "how could the invoked page get the value of the
>>>>> url parameters without having used a $_GET or a $_REQUEST?".
>>>>
>>>> register_globals
>>>>
>>>> I'm surprised you haven't noticed the many discussions of this.
>>>
>>> Well, I never use globals. I only use $_SESSION. Also, I always
>>> decipher my variables via $_GET or $_POST, so I never paid much
>>> attention to register_globals. Everyone always said it was a bad
>>> thing to do, and the manual even says that it is dangerous and
>>> subject to injection.
>>>
>>> Are you saying by your one word answer that if the url has ?bar=123
>>> that register_globals will produce a variable named $bar having a
>>> value of '123', but that a test on variable $bar1 will be 'false'? I
>>> didn't see that in the manual (admittedly, I may not have found it).
>>
>> No, a test in $bar will provide exactly the same result as if you said
>> $bar=123 and tested.
>
> Jerry, I think you may have misread what I wrote. I said a test of
> $bar1, not $bar, would be false. Anyway, I have my answer now thanks to
> the Captain. (though I have been programming for forty years, I only
> learned PHP about 5 years ago -- after the time when register_globals
> was set to off and $_GET was firmly in place.)

Ah, yes, I did miss that point.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 28 '08 #11
<comp.lang.php>
<Jerry Stuckle>
<Thu, 28 Aug 2008 09:53:48 -0400>
<g9**********@registered.motzarella.org>
> Ah, yes, I did miss that point.

How long do you have left as a mortal - as one assumes you now feel
obliged to commit hari kari .

Will there be live webcam footage of the event ? .
--
www.phpguestbook.co.uk/phpgb
(the best php guestbook on planet earth)
Aug 28 '08 #12

PHPGB wrote:
> <comp.lang.php>
> <Jerry Stuckle>
> <Thu, 28 Aug 2008 09:53:48 -0400>
> <g9**********@registered.motzarella.org>
>
>> Ah, yes, I did miss that point.
>
> How long do you have left as a mortal - as one assumes you now feel
> obliged to commit hari kari .
>
> Will there be live webcam footage of the event ? .

Why are you behaving so aggressive PHPGB?
Jerry says he made a mistake, and you ask him to commit suicide over it?
What is wrong with you?

Erwin Moller
--
============================
Erwin Moller
Now dropping all postings from googlegroups.
Why? http://improve-usenet.org/
============================
Aug 28 '08 #13
Message-ID: <48*********************@news.xs4all.nl> from Erwin Moller
contained the following:

>> Will there be live webcam footage of the event ? .
>
> Why are you behaving so aggressive PHPGB?

I object to him being PHPGB . I should be the only PHPGB round here.

--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
http://slipperyhill.co.uk - http://4theweb.co.uk
Aug 28 '08 #14
On Thu, 28 Aug 2008 16:24:19 +0200, Erwin Moller
<Si******************************************@spam yourself.com> wrote:

> PHPGB wrote:
>> <comp.lang.php>
>> <Jerry Stuckle>
>> <Thu, 28 Aug 2008 09:53:48 -0400>
>> <g9**********@registered.motzarella.org>
>>
>>> Ah, yes, I did miss that point.
>>
>> How long do you have left as a mortal - as one assumes you now feel
>> obliged to commit hari kari .
>>
>> Will there be live webcam footage of the event ? .
>
> Why are you behaving so aggressive PHPGB?

PHPGB = Krusty
What do you expect?
--
Regards, Paul Herber, Sandrila Ltd.
http://www.sandrila.co.uk/ http://www.pherber.com/
Aug 28 '08 #15
<comp.lang.php>
<Erwin Moller>
<Thu, 28 Aug 2008 18:05:04 +0200>
<48*********************@news.xs4all.nl>
> In your case: You probably hit the roof of your ability building a
> guestbook in PHP

Is that an insult ? .

I thought you were against such things being posted to CLP .
--
www.phpguestbook.co.uk/phpgb
(the best php guestbook on planet earth)
Aug 28 '08 #16
Erwin Moller wrote:
> sheldonlg wrote:
>> I need to do some modifications on some code I just inherited and that
>> code has me baffled.
>>
>> On one page, caller.php, with method get there is an anchor with
>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>> far, so good.
>>
>> In foo.php there is no $_GET statement to decipher the value from bar.
>> Furthermore, I did a grep of the entire code base for $_GET and for
>> $_REQUEST and there was none. The code then proceeds to test on $bar
>> and use its value to build an sql statement. (There are other
>> parameters that could have been put into the URL such as bar1, bar2,
>> etc. and these are all tested in building the proper sql statement).
>>
>> This app uses globals. I did a grep of the entire codebase for global
>> and didn't find bar, bar1, etc.
>>
>> The question I have is "how could the invoked page get the value of
>> the url parameters without having used a $_GET or a $_REQUEST?".
>
> Hi Sheldong,
>
> Many possibilities.
> My bet is that register_globals could be on, which is bad.

Being a newbie, I was unfamiliar with that.

My first reaction to learning of this was that this could create some
real problems as it could step on your own variables and that could be
done just by someone adding onto the query string. Am I wrong here?

Is this a commonly set configuration? Sounds like the same genius who
thought up addslashes.

Jeff

> In that case a variable with the name $bar is automagically created from
> the GET, POST, etc.
> Simply check your php.ini or use phpinfo() to see if register_globals is
> on.
>
> Also, try this above in your foo.php:
> echo "<pre>";
> print_r($_SERVER);
> echo "</pre>";
>
> You'll probably see QUERY_STRING with a value.
> Maybe they use that one?
>
> Regards,
> Erwin Moller

Aug 29 '08 #17
Jeff wrote:
> Erwin Moller wrote:
>> sheldonlg wrote:
>>> I need to do some modifications on some code I just inherited and
>>> that code has me baffled.
>>>
>>> On one page, caller.php, with method get there is an anchor with
>>> href="foo.php?bar=123". On foo.php, the URL shows the parameter. So
>>> far, so good.
>>>
>>> In foo.php there is no $_GET statement to decipher the value from
>>> bar. Furthermore, I did a grep of the entire code base for $_GET and
>>> for $_REQUEST and there was none. The code then proceeds to test on
>>> $bar and use its value to build an sql statement. (There are other
>>> parameters that could have been put into the URL such as bar1, bar2,
>>> etc. and these are all tested in building the proper sql statement).
>>>
>>> This app uses globals. I did a grep of the entire codebase for
>>> global and didn't find bar, bar1, etc.
>>>
>>> The question I have is "how could the invoked page get the value of
>>> the url parameters without having used a $_GET or a $_REQUEST?".
>>
>> Hi Sheldong,
>>
>> Many possibilities.
>> My bet is that register_globals could be on, which is bad.
>
> Being a newbie, I was unfamiliar with that.
>
> My first reaction to learning of this was that this could create some
> real problems as it could step on your own variables and that could be
> done just by someone adding onto the query string. Am I wrong here?
>
> Is this a commonly set configuration? Sounds like the same genius who
> thought up addslashes.
>
> Jeff
>
>> In that case a variable with the name $bar is automagically created
>> from the GET, POST, etc.
>> Simply check your php.ini or use phpinfo() to see if register_globals
>> is on.
>>
>> Also, try this above in your foo.php:
>> echo "<pre>";
>> print_r($_SERVER);
>> echo "</pre>";
>>
>> You'll probably see QUERY_STRING with a value.
>> Maybe they use that one?
>>
>> Regards,
>> Erwin Moller

It's not a common configuration any more, but it used to be the default
for PHP (back in the 4.0 and before days).

And yes, it can be a problem. However, if you always initialize your
variables before you use them, it's not as much of a problem.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 29 '08 #18
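
Added example (not part of the thread, and not code from any poster): the behaviour discussed above, where foo.php?bar=123 yields $bar with no $_GET in sight, shown beside the initialise-first advice from the last reply and an explicit-read rewrite. register_globals was removed in PHP 5.4, so extract() stands in for it here; the function names, the items table and its columns are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the thread. Function names, the "items"
// table and its columns are hypothetical. register_globals was removed in
// PHP 5.4, so extract() stands in for what the directive did.

/** Legacy style: no $_GET anywhere, variables simply exist. */
function legacy_foo(array $query): string
{
    extract($query); // register_globals=On: each parameter becomes $name

    if (isset($bar1)) {
        $filter = " AND bar1 = '$bar1'";
    }
    // When bar1 is absent, $filter was never assigned by this code, so a
    // request parameter named "filter" supplies it instead.
    // (?? '' only avoids the undefined-variable warning.)
    return "SELECT * FROM items WHERE bar = $bar" . ($filter ?? '');
}

/** Same code with the script's own variable initialised before use. */
function initialised_foo(array $query): string
{
    extract($query);
    $filter = ''; // overwrites anything the request put in $filter

    if (isset($bar1)) {
        $filter = " AND bar1 = '$bar1'";
    }
    // $bar and $bar1 are still raw request text inside the SQL string.
    return "SELECT * FROM items WHERE bar = $bar" . $filter;
}

/** Explicit read: named parameters only, validated, bound as placeholders. */
function explicit_foo(array $get): array
{
    $bar = filter_var($get['bar'] ?? null, FILTER_VALIDATE_INT);
    if ($bar === false) {
        throw new InvalidArgumentException('bar must be an integer');
    }
    $sql = 'SELECT * FROM items WHERE bar = ?';
    $params = [$bar];

    if (isset($get['bar1']) && is_string($get['bar1'])) {
        $sql .= ' AND bar1 = ?';
        $params[] = $get['bar1'];
    }
    return [$sql, $params]; // pass to $pdo->prepare($sql)->execute($params)
}

// ini_get() returns false when the directive does not exist (PHP >= 5.4),
// and its php.ini value on older installations.
echo 'register_globals: ', var_export(ini_get('register_globals'), true), "\n";

// Constructed request: foo.php?bar=123&filter=<text chosen by the caller>
$request = ['bar' => '123', 'filter' => ' /* text chosen by the caller */'];

echo legacy_foo($request), "\n";      // caller's text lands in the SQL
echo initialised_foo($request), "\n"; // caller's "filter" is discarded

[$sql, $params] = explicit_foo($request);
echo $sql, ' ', json_encode($params), "\n";
```

Initialising $filter closes the overwrite, but only the third form keeps request text out of the SQL string itself.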
