Register Globals Off Help

SP8600

Hi, i want to start using register globals off now but dont know how to code my scripts in that way because i have always had them set on, so do any of you know were i can get some online help on this.

theeper

http://www.php.net/manual/en/language.variables.external.php

SP8600

How would i use this with register globals off though:

if (!isset ($id) || empty($id)) {echo("<script language=\"Javascript\">window.location=\"$url\?id=1&action=default\"</script>");};

hand

Either you turn register_globals to on
or you insert one of these tricky codes at the beginning of your scripts.

$order = getenv('variables_order');
$name = array (
  'E' => '_ENV',
  'G' => '_GET',
  'P' => '_POST',
  'C' => '_COOKIE',
  'S' => '_SERVER'
);
for ($i=0; $i<strlen($order); $i++)
{
  $nn = $name[substr($order,$i,1)];
  foreach ($$nn as $k=>$v)
    $$k = $v;
}

if (!empty($_GET))                   { extract($_GET); }
    else if (!empty($HTTP_GET_VARS))     { extract($HTTP_GET_VARS); }

if (!empty($_POST))                  { extract($_POST); }
else if (!empty($HTTP_POST_VARS))    { extract($HTTP_POST_VARS); }

if (!empty($_COOKIE))                { extract($_COOKIE); }
else if (!empty($HTTP_COOKIE_VARS))  { extract($HTTP_COOKIE_VARS); }

if (!empty($_ENV))                   { extract($_ENV); }
else if (!empty($HTTP_ENV_VARS))     { extract($HTTP_ENV_VARS); }

if (!empty($_SERVER))                { extract($_SERVER); }
else if (!empty($HTTP_SERVER_VARS))  { extract($HTTP_SERVER_VARS); }

if (!empty($_SESSION))               { extract($_SESSION); }
else if (!empty($HTTP_SESSION_VARS)) { extract($HTTP_SESSION_VARS); }

if (!empty($_FILES)) {
    while (list($name, $value) = each($_FILES)) {
        $$name = $value['tmp_name'];
    }
} else if (!empty($HTTP_POST_FILES)) {
    while (list($name, $value) = each($HTTP_POST_FILES)) {
        $$name = $value['tmp_name'];
    }
} // end if

SP8600

swr

You need to access your form/cookie variables through $GET, $POST, and $_COOKIE arrays.

So if your URL is like this:
whatever.php?foo=qwerty&bar=asdf

Previously, with register_globals on, doing this:
echo $foo."<br>".$bar;

Should now be this:
echo $GET['foo']."<br>".$GET['bar'];

Both of which will output:

qwerty
asdf

If it is a POST form instead of a GET form, use $POST[] instead of $GET[]. Likewise, use $_COOKIE[] for variables set in cookies.

The reason it is better to have register_globals off is because if you have something like:
if ($logged_in) do_something();
someone might use a URL like http://www.example.com/whatever.php?logged_in=1
and possibly bypass your check, if register_globals is on.
In general, it is bad (from a security standpoint) to give the end user so much control over the internal state of your program as register_globals does.

Note that in older versions of PHP (before 4.1.0 I think) you need to use $HTTP_GET_VARS[] $HTTP_POST_VARS[] and $HTTP_COOKIE_VARS[] instead of $GET[] $POST[] $_COOKIE.

SP8600

Thanks loads i understand it now, simple when you know how really, however i dont know how to do that in MySQL querys. So how would i use _GET in this for the ID:

$page_sqlquery = "SELECT * FROM pages WHERE id = 'id'";

hand

$id = $_GET['id'];
$page_sqlquery = "SELECT * FROM pages WHERE id = '$id'";
// or 
$page_sqlquery = "SELECT * FROM pages WHERE id = '$_GET[id]'";

swr

Originally posted by hand

$id = $_GET['id'];
$page_sqlquery = "SELECT * FROM pages WHERE id = '$id'";
// or 
$page_sqlquery = "SELECT * FROM pages WHERE id = '$_GET[id]'";

[/B]

I hope you have magic_quotes_gpc on. If not, you've just allowed anyone on the internet full access to your database.

For example, someone could hit that page with a URL like this:

http://www.example.com/yourpage.php?id=x';%20delete%20from%20pages%20where%20'x'%20=%20'x

All of a sudden, your SQL now looks like this:
SELECT * FROM pages WHERE id = 'x'; delete from pages where 'x' = 'x'

(That example probably won't work, as I think the mysql query functions limit it to one statement. Still, a more creative person than I could do some bad things by manipulating your select statement.)

In my opinion, it is better to have magic_quotes_gpc off, and remember to properly sanitize your input:

$id = mysql_escape_string($_GET['id']);
$page_sqlquery = "SELECT * FROM pages WHERE id = '$id'";