Tags:





Advertise here: Contact FM.


register_global and header
October 23, 2005 3:31 AM   RSS feed for this thread Subscribe

How would the register_global security upgrade screw up a header re-direct?

I had an old script running on a host that just recently switched register_global from ON to OFF. My PHP skills aren't perfect, but I figured I could just make a list of the variables the script needed and used _GET and _POST to get what I needed.

Everything seems to be working, except for the redirects.

For redirecting, the script uses variations on this:
header("Location: $PHP_SELF");

So I added this:
$PHP_SELF=$_SERVER[PHP_SELF];

When I echo $PHP_SELF, it gives what seems like a reasonable value: "/dir/filename.php "

What have I overlooked?
posted by RobotHero to computers & internet (7 comments total)
Not sure about register globals stuff (never used globals, myself) but are you sure it's not $_SERVER['PHP_SELF'];
posted by handee at 3:37 AM on October 23, 2005


Or maybe $PHP_SELF is some sort of reserved variable name. Why not use the server variable directly? My code is full of stuff like

header ("Location: {$_SERVER['HTTP_REFERER']}");

which works OK
posted by handee at 3:41 AM on October 23, 2005


Possibly try extracting the variables into the global namespace. :-)
posted by PuGZ at 5:04 AM on October 23, 2005


Some more-or-less-useful comments:

This isn't your immediate problem, but Location: redirects should be absolute paths, not relative (RFC 2616).

handee is correct, BTW - PHP_SELF would be a define()d constant, while 'PHP_SELF' would be a string. PHP with warnings cranked down silently promotes an unknown constant to a string literal, but it's very bad practice to rely on this.

As we now know you've got error levels turned down, I suggest you set error_reporting() to E_ALL and see if there are any other errors that you're missing.

Again this doesn't help your immediate problem, but it would also be good practice to check whether $_SERVER['PHP_SELF'] exists before attempting to use it:

$PHP_SELF = isset ($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : NULL;

$PHP_SELF isn't a reserved word... my first guess would be that you're overwriting it later on in the script... maybe with a variation on the classic

if ($PHP_SELF = FALSE)

Try checking the value of $PHP_SELF when it's used rather than when it's created, by replacing header() with echo(), so you can see the Location: header on-screen.

Finally, the Firefox plugin Live HTTP Headers is an invaluable tool for tracking down HTTP oddities.

If none of this helps, reduce your script to a minimal non-working test case and post it either here or (more usefully) the PHP mailing list.
posted by Leon at 5:31 AM on October 23, 2005


You know that if you use echo before header(), the header command won't work? If you have warnings turned off, you might not see this.
posted by cillit bang at 5:45 AM on October 23, 2005


$_SERVER['PHP_SELF'] only gives the relative location; IIRC you need to use the full URL. Try
header("Location: http://" . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF']);
exit;
posted by revgeorge at 7:08 AM on October 23, 2005


revgeorge is correct, usually you need SERVER_NAME and PHP_SELF both in order to get a URL valid for use in the Location header. Certainly it's more "correct" and less prone to odd issues, so it's good practice anyways.

/glad he's since dropped PHP for Python, especially the Django framework :D
posted by cyrusdogstar at 7:49 AM on October 23, 2005


« Older ok heres a toughie, im 24, whe...   |   There a stupid bug in Win XP, ... Newer »
This thread is closed to new comments.


Related Questions
Acrobat Professional Sux May 21, 2008
Formatting Margins in MS Word 2007 March 24, 2008
How to remove Sender header ("on behalf of") when... February 14, 2008
Help me print "clean" Outlook messages. November 13, 2006
Rejecting bogus "mail returned" email July 28, 2004