
Turning off Global variables in PHP

  • 08-04-2005 1:24pm
    #1
    Closed Accounts Posts: 334 ✭✭


    Hi,

    I need to switch off Global variables in my PHP code and use $_REQUEST

    Can anyone tell me how to rewrite the following code with global variables off please?

    if($searchresult == "Car") {$res1 = "Car";}
    if($searchresult == "Van") {$res1 = "Van";}
    .
    .
    .
    .
    .
    $result = mysql_query("SELECT * FROM entries WHERE entries.$var1 LIKE '$var2' ORDER BY Vehicle ",$datab);

    Thanks.


Comments

  • Registered Users Posts: 6,508 ✭✭✭daymobrew


    According to http://www.php.net/manual/en/ini.core.php#ini.register-globals you cannot switch globals off at runtime (with the ini_set function), so I believe that you'll have to modify php.ini to set:
    register_globals = off
    
    http://www.php.net/manual/en/security.globals.php
    The default value for the PHP directive register_globals went from ON to OFF in PHP 4.2.0.
    It may already be off.


  • Closed Accounts Posts: 334 ✭✭WhatsGoingOn


    daymobrew wrote:
    According to http://www.php.net/manual/en/ini.core.php#ini.register-globals you cannot switch globals off at runtime (with the ini_set function), so I believe that you'll have to modify php.ini to set:
    register_globals = off
    
    http://www.php.net/manual/en/security.globals.php
    It may already be off.
    Thanks for the reply.
    The problem is that the code I wrote works fine on my local server, where the globals are on. However my hosting company have the register globals switched off, so my code doesn't work up there. So I need to update my code above to work on a server that has global variables switched off.

    Cheers.


  • Registered Users Posts: 6,508 ✭✭✭daymobrew


    Can anyone tell me how to rewrite the following code with global variables off please?
    I am assuming that $searchresult is the global variable. I also assume that 'searchrequest' is a field in the form submitted to the php script.
    Can it simply be changed to: $_REQUEST ?

    Have you turned off globals on your home system? If not, do it.
    Also a good idea to set full error reporting:
    ini_set('error_reporting', E_ALL);
    This will report the use of uninitialised variables, like $searchresult (if that is a global variable).

    If I'm way off the mark, try a simple form (e.g. one item in it) and script and get it working with globals off.


  • Registered Users Posts: 4,003 ✭✭✭rsynnott


    Hi,

    I need to switch off Global variables in my PHP code and use $_REQUEST

    Can anyone tell me how to rewrite the following code with global variables off please?

    if($searchresult == "Car") {$res1 = "Car";}
    if($searchresult == "Van") {$res1 = "Van";}
    .
    .
    .
    .
    .
    $result = mysql_query("SELECT * FROM entries WHERE entries.$var1 LIKE '$var2' ORDER BY Vehicle ",$datab);

    Thanks.

    $_REQUEST;

    Careful with that query, btw; are $var1 and $var2 HTTP parameters? If so, you risk your user doing something unspeakably horrible


  • Closed Accounts Posts: 334 ✭✭WhatsGoingOn


    rsynnott wrote:
    $_REQUEST;

    Careful with that query, btw; are $var1 and $var2 HTTP parameters? If so, you risk your user doing something unspeakably horrible


    Thanks for the replies guys.
    I tried $_REQUEST;, but got errors, I'll try again.

    For the query, what horrible things could the user do?

    And also, if I am to use that query, should it become
    $result = mysql_query("SELECT * FROM entries WHERE entries.$_REQUEST LIKE '$_REQUEST' ORDER BY Vehicle ",$datab);

    I also had problems with this, possibly to do with the quotes...


  • Registered Users Posts: 4,003 ✭✭✭rsynnott


    Thanks for the replies guys.
    I tried $_REQUEST;, but got errors, I'll try again.

    For the query, what horrible things could the user do?

    And also, if I am to use that query, should it become
    $result = mysql_query("SELECT * FROM entries WHERE entries.$_REQUEST LIKE '$_REQUEST' ORDER BY Vehicle ",$datab);

    I also had problems with this, possibly to do with the quotes...

    The user could give as input in a form something like: ';DROP TABLE...

    What you should do is something like:
    $var1=addslashes($_REQUEST);

    That escapes the dangerous characters (quotes).


  • Closed Accounts Posts: 334 ✭✭WhatsGoingOn


    rsynnott wrote:
    The user could give as input in a form something like: ';DROP TABLE...

    What you should do is something like:
    $var1=addslashes($_REQUEST);

    That escapes the dangerous characters (quotes).

    OK, I'll try that, thanks again
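
Added example (not code from any poster in this thread): one way to rewrite the original query for a server with register_globals off, reading the fields from $_REQUEST, checking the column name against an allow-list, and binding the LIKE value with PDO rather than relying on addslashes(). The form field names var1 and var2, the Colour column and the in-memory SQLite rows are assumptions made so the example runs on its own.

```php
<?php
// Added example: field names, columns and sample rows are constructed,
// not taken from the thread.
const SEARCHABLE_COLUMNS = ['Vehicle', 'Colour'];   // assumed columns of `entries`

function search_entries(PDO $db, array $request): array
{
    // With register_globals off, read the submitted fields explicitly.
    $column = isset($request['var1']) ? (string) $request['var1'] : '';
    $term   = isset($request['var2']) ? (string) $request['var2'] : '';

    // Identifiers cannot be bound as parameters, and addslashes() does not
    // protect them, so the column must match an allow-list exactly.
    if (!in_array($column, SEARCHABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown search column');
    }

    // The value is sent as a bound parameter, never pasted into the SQL string.
    $stmt = $db->prepare(
        "SELECT * FROM entries WHERE entries.$column LIKE :term ORDER BY Vehicle"
    );
    $stmt->execute([':term' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE entries (Vehicle TEXT, Colour TEXT)");
$db->exec("INSERT INTO entries VALUES ('Car', 'Red'), ('Van', 'Blue')");

// Normal request: the matching row comes back.
print_r(search_entries($db, ['var1' => 'Vehicle', 'var2' => 'Car']));

// A value containing quotes is treated as plain data and matches nothing.
print_r(search_entries($db, ['var1' => 'Vehicle', 'var2' => "x';DROP TABLE entries"]));

// A tampered column name is rejected before any SQL is built.
try {
    search_entries($db, ['var1' => 'Vehicle;DROP TABLE entries', 'var2' => 'Car']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

In a real page the second argument would be $_REQUEST (or, more narrowly, $_GET or $_POST).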

