Turning off Global variables in PHP

  • 08-04-2005 01:24PM
    #1
    Closed Accounts Posts: 334 ✭✭


    Hi,

    I need to switch off Global variables in my PHP code and use $_REQUEST

    Can anyone tell me how to rewrite the following code with global variables off please?

    if($searchresult == "Car") {$res1 = "Car";}
    if($searchresult == "Van") {$res1 = "Van";}
    .
    .
    .
    .
    .
    $result = mysql_query("SELECT * FROM entries WHERE entries.$var1 LIKE '$var2' ORDER BY Vehicle ",$datab);

    Thanks.


Comments

  • Registered Users, Registered Users 2 Posts: 6,652 ✭✭✭daymobrew


    According to http://www.php.net/manual/en/ini.core.php#ini.register-globals you cannot switch globals off at runtime (with the ini_set function), so I believe that you'll have to modify php.ini to set:
    register_globals = off
    
    http://www.php.net/manual/en/security.globals.php
    The default value for the PHP directive register_globals went from ON to OFF in PHP 4.2.0.
    It may already be off.


  • Closed Accounts Posts: 334 ✭✭WhatsGoingOn


    daymobrew wrote:
    According to http://www.php.net/manual/en/ini.core.php#ini.register-globals you cannot switch globals off at runtime (with the ini_set function), so I believe that you'll have to modify php.ini to set:
    register_globals = off
    
    http://www.php.net/manual/en/security.globals.php
    It may already be off.
    Thanks for the reply.
    The problem is that the code I wrote works fine on my local server, where the globals are on. However my hosting company have the register globals switched off, so my code doesn't work up there. So I need to update my code above to work on a server that has global variables switched off.

    Cheers.


  • Registered Users, Registered Users 2 Posts: 6,652 ✭✭✭daymobrew


    WhatsGoingOn wrote:
    Can anyone tell me how to rewrite the following code with global variables off please?
    I am assuming that $searchresult is the global variable. I also assume that 'searchrequest' is a field in the form submitted to the php script.
    Can it simply be changed to: $_REQUEST ?

    Have you turned off globals on your home system? If not, do it.
    Also a good idea to set full error reporting:
    ini_set('error_reporting', E_ALL);
    This will report the use of uninitialised variables, like $searchresult (if that is a global variable).

    If I'm way off the mark, try a simple form (e.g. one item in it) and script and get it working with globals off.


  • Registered Users, Registered Users 2 Posts: 4,003 ✭✭✭rsynnott


    WhatsGoingOn wrote:
    Hi,

    I need to switch off Global variables in my PHP code and use $_REQUEST

    Can anyone tell me how to rewrite the following code with global variables off please?

    if($searchresult == "Car") {$res1 = "Car";}
    if($searchresult == "Van") {$res1 = "Van";}
    .
    .
    .
    .
    .
    $result = mysql_query("SELECT * FROM entries WHERE entries.$var1 LIKE '$var2' ORDER BY Vehicle ",$datab);

    Thanks.

    $_REQUEST;

    Careful with that query, btw; are $var1 and $var2 HTTP parameters? If so, you risk your user doing something unspeakably horrible


  • Closed Accounts Posts: 334 ✭✭WhatsGoingOn


    rsynnott wrote:
    $_REQUEST;

    Careful with that query, btw; are $var1 and $var2 HTTP parameters? If so, you risk your user doing something unspeakably horrible


    Thanks for the replies guys.
    I tried $_REQUEST;, but got errors, I'll try again.

    For the query, what horrible things could the user do?

    And also, if I am to use that query, should it become
    $result = mysql_query("SELECT * FROM entries WHERE entries.$_REQUEST LIKE '$_REQUEST' ORDER BY Vehicle ",$datab);

    I also had problems with this, possibly to do with the quotes...


  • Registered Users, Registered Users 2 Posts: 4,003 ✭✭✭rsynnott


    WhatsGoingOn wrote:
    Thanks for the replies guys.
    I tried $_REQUEST;, but got errors, I'll try again.

    For the query, what horrible things could the user do?

    And also, if I am to use that query, should it become
    $result = mysql_query("SELECT * FROM entries WHERE entries.$_REQUEST LIKE '$_REQUEST' ORDER BY Vehicle ",$datab);

    I also had problems with this, possibly to do with the quotes...

    The user could give as input in a form something like: ';DROP TABLE...

    What you should do is something like:
    $var1=addslashes($_REQUEST);

    That escapes the dangerous characters (quotes).


  • Closed Accounts Posts: 334 ✭✭WhatsGoingOn


    rsynnott wrote:
    The user could give as input in a form something like: ';DROP TABLE...

    What you should do is something like:
    $var1=addslashes($_REQUEST);

    That escapes the dangerous characters (quotes).

    OK, I'll try that, thanks again
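
An added example, not part of the original thread: the query discussed above rewritten so the column name comes from a fixed allow-list (quote escaping cannot protect an identifier that sits outside quotes) and the search value is bound as a parameter instead of being interpolated. It assumes hypothetical request parameters `field` and `term` and a constructed `entries` table, and uses PDO with in-memory SQLite so it runs offline; the `mysql_*` functions were removed in PHP 7, and the same prepare/execute calls work with PDO's MySQL driver.

```php
<?php
// Added example with constructed data. 'field' and 'term' are assumed
// parameter names; the thread does not show the real form fields.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE entries (Vehicle TEXT, Colour TEXT)");
$db->exec("INSERT INTO entries VALUES ('Car','Red'), ('Van','Blue'), ('Car','Blue')");

function search_entries(PDO $db, array $request): array
{
    // Column names cannot be bound as parameters, so user input only
    // selects an entry from this fixed list and is never placed in the SQL.
    $columns = ['vehicle' => 'Vehicle', 'colour' => 'Colour'];

    $field = $request['field'] ?? '';
    $term  = $request['term'] ?? '';
    // Reject arrays (e.g. term[]=x) and anything not in the allow-list.
    if (!is_string($field) || !is_string($term)
        || !array_key_exists(strtolower($field), $columns)) {
        throw new InvalidArgumentException('invalid search request');
    }
    $column = $columns[strtolower($field)];

    // The value travels separately from the SQL text, so quotes in it
    // cannot change the statement.
    $stmt = $db->prepare(
        "SELECT Vehicle, Colour FROM entries WHERE $column LIKE :term ORDER BY Vehicle"
    );
    $stmt->execute([':term' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_REQUEST.
$requests = [
    ['field' => 'vehicle', 'term' => 'Car'],
    ['field' => 'colour',  'term' => "';DROP TABLE entries"], // handled as plain text
    ['field' => 'Vehicle;DROP TABLE entries', 'term' => 'Car'], // not in the allow-list
];
foreach ($requests as $r) {
    try {
        $rows = search_entries($db, $r);
        printf("%s LIKE %s: %d row(s)\n", $r['field'], $r['term'], count($rows));
    } catch (InvalidArgumentException $e) {
        printf("%s: rejected (%s)\n", $r['field'], $e->getMessage());
    }
}
```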

