Php / MySql Question
December 9, 2004 5:55 PM

Php / MySql question. [MI]

I've written a lot of PHP and MySQL stuff, but I'm baffled by this.

For some reason, I can't pass variables using this method:
bah.php?name=bob

The page I pass it to is not able to recognize the variable. The code is correct, I know this. Is there something I don't know about PHP Version 4.3.9?
posted by Scottk to Computers & Internet (14 answers total)
 
Have you checked to see if register_globals is OFF on your webserver?
posted by gramcracker at 6:01 PM on December 9, 2004


Are you using $_GET["name"] to access the variable? If register_globals is off, this is the way to get to it.
posted by PantsOfSCIENCE at 6:02 PM on December 9, 2004


Response by poster: It is off. Good or bad?
posted by Scottk at 6:02 PM on December 9, 2004


Off is good. Very good. Having register_globals on creates security problems and leads to sloppy code.
posted by PantsOfSCIENCE at 6:04 PM on December 9, 2004


The PHP.net manual's variables section covers predefined vars.
posted by PantsOfSCIENCE at 6:06 PM on December 9, 2004


Heh. Yes, you need to use Pants's GET code. Simply declaring $name won't work with register_globals off.
posted by gramcracker at 6:07 PM on December 9, 2004


Response by poster: Thank you, gram.
Thank you, Pants.

I owe you all.
posted by Scottk at 6:08 PM on December 9, 2004


Let me reiterate again that having register_globals off is, like, *necessary*. Having register_globals on is the biggest security hole evar.
posted by SpecialK at 6:13 PM on December 9, 2004


If you have a legacy of POSTed variables being referenced without $_POST, you can test for people screwing around on the address line with if($HTTP_SERVER_VARS["argc"] != 0). Tack on a ?foo=bar here and you get your session killed and your browser redirected to our corporate homepage.
posted by krisjohn at 8:14 PM on December 9, 2004


Take this as a sign that it's time to move to dealing with external variables properly. I put it off for years (seriously, years) until one of my clients' hosts required that register_globals be off. That gave me the kick in the pants necessary to change my ways.
posted by waldo at 9:20 PM on December 9, 2004


Yeah, external variables are bad. Don't pass them into a program without checking their type or otherwise doing a conversion on them.

Especially with login variables and anything that's accessible without login. For instance, I know that a login and/or password will never have a space in it in my system, and I test for that. It emails me if there's a failure with the strings and host information, and it's prevented at least four attacks in the past month.
posted by SpecialK at 11:06 PM on December 9, 2004


Damn it. Register_globals is not a security hole. Sloppy coders are a security hole.

(Scott, try this to pull in values at the top of your scripts:

$var = isset ($_REQUEST['var']) ? $_REQUEST['var'] : FALSE;
posted by Leon at 6:31 AM on December 10, 2004
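
An added example (not part of the thread, and not any poster's code): one way to read request parameters explicitly with register_globals off and apply the type and format checks discussed above before the values are used. The helper names, the login pattern and the sample arrays are assumptions made for illustration; it assumes PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Return $source[$key] only if it is a string that fits $pattern; else null.
function request_string(array $source, string $key, string $pattern, int $maxLen = 64): ?string
{
    // With register_globals off nothing is auto-created; read the array explicitly.
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null; // missing, or sent as key[]=... which PHP turns into an array
    }
    $value = $source[$key];
    if (strlen($value) > $maxLen || preg_match($pattern, $value) !== 1) {
        return null;
    }
    return $value;
}

// Return $source[$key] as an int within [$min, $max]; else null.
function request_int(array $source, string $key, int $min, int $max): ?int
{
    $raw = request_string($source, $key, '/\A[0-9]{1,9}\z/');
    if ($raw === null) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= $min && $n <= $max) ? $n : null;
}

// Hypothetical login format: letters, digits, underscore; so no spaces.
// \A and \z anchor the whole string ("$" would allow a trailing newline).
const LOGIN_PATTERN = '/\A[A-Za-z0-9_]{1,32}\z/';

// Constructed samples standing in for $_GET on requests such as bah.php?name=bob
$samples = [
    ['name' => 'bob', 'page' => '2'],
    ['name' => 'bob smith', 'page' => '2abc'],
    ['name' => ['bob'], 'page' => '-1'],
    [],
];

foreach ($samples as $get) {
    $name = request_string($get, 'name', LOGIN_PATTERN);
    $page = request_int($get, 'page', 1, 1000);
    printf("name=%s page=%s\n", var_export($name, true), var_export($page, true));
}
```

In a real page the first argument would be `$_GET` or `$_POST`, and a `null` result is the point at which to reject the request or log it.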


Tack on a ?foo=bar here and you get your session killed and your browser redirected to our corporate homepage.

???
if (i have no idea what this is referring to) { should i not consider myself a php programmer? }
posted by danOstuporStar at 6:58 AM on December 10, 2004


oohhh....here... meaning his employer's website. (my apologies.)
posted by danOstuporStar at 7:01 AM on December 10, 2004

