register_global and header
October 23, 2005 3:31 AM

How would the register_global security upgrade screw up a header re-direct?

I had an old script running on a host that just recently switched register_global from ON to OFF. My PHP skills aren't perfect, but I figured I could just make a list of the variables the script needed and use _GET and _POST to get what I needed.

Everything seems to be working, except for the redirects.

For redirecting, the script uses variations on this:
header("Location: $PHP_SELF");

So I added this:
$PHP_SELF=$_SERVER[PHP_SELF];

When I echo $PHP_SELF, it gives what seems like a reasonable value: "/dir/filename.php "

What have I overlooked?
posted by RobotHero to Computers & Internet (7 answers total)
 
Not sure about register globals stuff (never used globals, myself) but are you sure it's not $_SERVER['PHP_SELF'];
posted by handee at 3:37 AM on October 23, 2005


Or maybe $PHP_SELF is some sort of reserved variable name. Why not use the server variable directly? My code is full of stuff like

header ("Location: {$_SERVER['HTTP_REFERER']}");

which works OK
posted by handee at 3:41 AM on October 23, 2005


Possibly try extracting the variables into the global namespace. :-)
posted by PuGZ at 5:04 AM on October 23, 2005


Some more-or-less-useful comments:

This isn't your immediate problem, but Location: redirects should be absolute paths, not relative (RFC 2616).

handee is correct, BTW - PHP_SELF would be a define()d constant, while 'PHP_SELF' would be a string. PHP with warnings cranked down silently promotes an unknown constant to a string literal, but it's very bad practice to rely on this.

As we now know you've got error levels turned down, I suggest you set error_reporting() to E_ALL and see if there are any other errors that you're missing.

Again this doesn't help your immediate problem, but it would also be good practice to check whether $_SERVER['PHP_SELF'] exists before attempting to use it:

$PHP_SELF = isset ($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : NULL;

$PHP_SELF isn't a reserved word... my first guess would be that you're overwriting it later on in the script... maybe with a variation on the classic

if ($PHP_SELF = FALSE)

Try checking the value of $PHP_SELF when it's used rather than when it's created, by replacing header() with echo(), so you can see the Location: header on-screen.

Finally, the Firefox plugin Live HTTP Headers is an invaluable tool for tracking down HTTP oddities.

If none of this helps, reduce your script to a minimal non-working test case and post it either here or (more usefully) the PHP mailing list.
posted by Leon at 5:31 AM on October 23, 2005


You know that if you use echo before header(), the header command won't work? If you have warnings turned off, you might not see this.
posted by cillit bang at 5:45 AM on October 23, 2005


$_SERVER['PHP_SELF'] only gives the relative location; IIRC you need to use the full URL. Try
header("Location: http://" . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF']);
exit;

posted by revgeorge at 7:08 AM on October 23, 2005


revgeorge is correct: usually you need both SERVER_NAME and PHP_SELF in order to get a URL valid for use in the Location header. Certainly it's more "correct" and less prone to odd issues, so it's good practice anyway.

/glad he's since dropped PHP for Python, especially the Django framework :D
posted by cyrusdogstar at 7:49 AM on October 23, 2005
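
The advice from the answers above (quoted $_SERVER keys checked with isset(), an absolute URL, no output before header(), exit after the redirect) combined into one helper, as an added example that is not code from any poster. ALLOWED_HOSTS, self_url() and redirect_to_self() are hypothetical names, the host list and sample arrays are constructed, and PHP 7.1 or later is assumed. It uses SCRIPT_NAME rather than PHP_SELF and checks the host against a fixed list, because both PHP_SELF and, depending on server configuration, SERVER_NAME can be influenced by the request.

```php
<?php
// Added example, not from the thread. All names below are hypothetical.
error_reporting(E_ALL);                     // surface notices such as unquoted array keys
const ALLOWED_HOSTS = ['www.example.com'];  // constructed value: hosts this site answers to

// Build an absolute URL for the running script, or return null if a value is missing or unsafe.
function self_url(array $server): ?string
{
    // Quoted keys plus isset(): no reliance on constant-to-string promotion.
    $host = isset($server['SERVER_NAME']) ? strtolower($server['SERVER_NAME']) : null;
    // SCRIPT_NAME omits the trailing path info that PHP_SELF can carry.
    $path = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : null;
    // The host may follow the client's Host header, so compare it to a fixed list.
    if ($host === null || !in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Accept only a plain absolute path: rejects CR/LF, spaces, quotes and "//host" forms.
    if ($path === null || !preg_match('#\A/(?!/)[A-Za-z0-9._~/-]*\z#', $path)) {
        return null;
    }
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https://' : 'http://') . $host . $path;
}

function redirect_to_self(array $server): void
{
    $url = self_url($server);
    if ($url === null) {
        http_response_code(400);
        exit('Bad request');
    }
    // header() cannot work once output has started; report where it started.
    if (headers_sent($file, $line)) {
        trigger_error("Cannot redirect: output started at $file:$line", E_USER_WARNING);
        return;
    }
    header('Location: ' . $url, true, 302);
    exit;
}

// Constructed sample inputs so the checks can be run from the command line.
$ok  = ['SERVER_NAME' => 'www.example.com', 'SCRIPT_NAME' => '/dir/filename.php'];
$bad = ['SERVER_NAME' => 'www.example.com', 'SCRIPT_NAME' => "/dir/x.php\r\nSet-Cookie: a=b"];
var_dump(self_url($ok));
var_dump(self_url($bad));
```

In a real page, call redirect_to_self($_SERVER) before anything is echoed.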

