REGISTER_GLOBALS off ... means?

vaska

i'm having two problems...i hope they are related...

1 - my SESSIONS just ain't work...i can't login...

2 - i can't get my forms to add to the db...

BUT..."register_globals" is OFF...will it help if this is turned on? i sure hope so...

thanks...jv

ereptur

Register Globals acts as a security authenticator.
When you submit a form via post, to access the variables, you must access them through $POST.
I.E. $action = $POST["action"];
This makes it so that if someone trys to pass $action through the url it will fail because PHP is only looking for it in $POST.
If you need to be able to access it from a variety of places or you just don't care that much about security you can either turn on Register Globals or you can just use $REQUEST to get the value no matter how it was submitted.
Since the latter method is the one that the developers of PHP intend to endorse, you may just want to get used to doing it that way.

vaska

so...now i'm confused...

i don't use "post" now i use "request" when i'm using a form from a webpage? it's just a stupid simple form...

i understand what you are saying about not using register_globals on...but i'm just learning how to do things and this throws me for a real loop now...i'm not sure i know how to work with that in mind...

?...jv

ereptur

ok, you used to be able to use a variable immediately if it was supplied to the script via POST, GET, COOKIE, or SESSION.

Now, with the default settings in PHP you must tell the script how the value was submitted.

Most forms use POST so you would use $POST["variablename"] to get the value. If you need to be able to get the value from POST and GET or any other combination then you need to use $REQUEST["variablename"].

It's a matter of security. What if you wrote a shopping script and my total was passed from page to page using a hidden form element. Then I figured this out and put a ?total=0 on the url line on the next page. PHP would have two variables called total and would choose one over the other. If it chose my 0, then I get my purchase for free!

The Register Globals off ensures that I can't do that, because you are telling PHP to only get the total value from the $_POST. The value that I passed through the URL would simply be thrown away.

Again, it's really only a matter of security. If security is not a big deal, go ahead and turn Register Globals back on, but if you upgrade to a newer version of PHP in the future, you are going to have to remember to go back into your php.ini file each time and turn Register Globals back on since the PHP group will only endorse the newer method.

In order to keep from having to turn Register Globals on each time you upgrade PHP, you could just write your code with nothing but $_REQUEST to access the variables. Then it doesn't matter how the value was passed to the script. It will always retrieve it.

vaska

huh? as i said...it's just a stupid form...where in the heck would i use $_request?

i don't understand how you mean i should use it...this isn't even php i'm talking about now (i guess i should just drop it then)...

my form code...the ONLY place it says "POST"...

<FORM NAME="theForm" METHOD="post" ACTION="" on...

example of code used to send out an automatic notification that their message was sent...

First name: $name
Last name: $surname
Email: $email

change these to $_request['name'] etc...?

but i'm still not clear...so...by having REGISTER_GLOBALS OFF...my form WILL NOT enter the data into the database? (it's already working on a different server which has them turned ON)...

i'm royally confused and could be totally screwed with a project i've been working on now...yikes...

thanks...jv

ereptur

ok, here we go...

somepage.html

<form method="post" action="somescript.php">
<input type="text" name="fname" />
<input type="text" name="lname" />
<input type="submit" />
</form>

somepage2.php

$fname = $_POST["fname"];
$lname = $_POST["lname"];

somepage2.2.php

$fname = $_REQUEST["fname"];
$lname = $_REQUEST["lname"];

vaska

reiterated...

but i'm still not clear...so...by having REGISTER_GLOBALS OFF...my form WILL NOT enter the data into the database? (it's already working on a different server which has them turned ON)...

cgraz

Read this: http://www.php.net/manual/en/security.registerglobals.php

and the predefined variables for use when register globals is off: http://www.php.net/manual/en/reserved.variables.php

but i'm still not clear...so...by having REGISTER_GLOBALS OFF...my form WILL NOT enter the data into the database?

No, or else, PHP wouldn't set register globals to off by default. If you have a form:


$query = mysql_query("INSERT INTO your_table (name, email) VALUES('$name', '$email')");

That would insert blank values into the database, and if you had a WHERE clause using a variable, the update wouldn't even work because that variable would have no value. But, the above code would work if register globals was turned on. Here's how you would have to write the above code if your method was set to post on your form, and register globals was off:


$query = mysql_query("INSERT INTO your_table (name, email) VALUES('" . $_POST['name'] . "', '" . $_POST['email'] . "')");

Notice the use of $_POST.

If you had a variable in the url and wanted to get the value in your script


// with register globals on
echo $var;

// with register globals off
echo $_GET['var'];

Notice the use of $_GET (since the variable is in the URL, you can't use $_POST. Look at those two links I gave you and I think php.net has even more info on register globals if you search.

Cgraz

vaska

ok...now that is very helpful...maybe i'm not sunk...i looked up those references a php.net...another Q if you don't mind...

i'm having some really strange results...like queries not returning information...

Example: i am displaying values in text fields so they can be updated to the database...but they won't show up now on this new server...it's a simple...

<? echo $row_proj['projfirm']; ?>

but should i be doing something else with $GET? how would i write this...i tried <? echo $GET['projfirm']; ?> but i'm sure that's too obvious...

cgraz

Where is this variable

<? echo $row_proj['projfirm']; ?>

coming from? I'm guesing you have an associative array called $row_proj and one of the keys is projfirm? Is this coming from a form? from a url? Could you post your code?

If you have a form

Then in PHP, with register globals off, you'd call that using


$_POST['row_proj']; // (assming your method is post on your form)

If you form field looked like this:

Then in php you'd call it using

$_POST['whatever'];

Cgraz

vaska

no...it's coming from a query from the database...

i'm sorry...i'm now talking about a different thing now...

my <? echo $row_proj['whatever']; ?> aren't working now on the pages where i edit information...they are inside of text fields...

i thought maybe this was a globals issue...they work beautifully on the other server...

sigh...jv

cgraz

Then you wouldn't need $_POST if it's coming directly out of the database. What do you mean it's not working? It just doesn't have any value at all,? Can you post some of your code. Maybe I can help.

Cgraz

vaska

hey man...thanks...here's some code...this is simple stuff...and i don't get why it's not working...

//// THE query

$query = mysql_query ("SELECT * FROM projects WHERE id='$id' ") or die ("Problem in user SQL select. Please contact support@vaska.com for support.");
$row_proj = mysql_fetch_array($query);

// delete record
if ($delete) {
$result = mysql_query ("DELETE FROM projects WHERE id='$id'") or die ("Problems 1!");
$lastid = mysql_insert_id();
header("Location: proj_edit.php"); }

blah, blah...html and such...sample text field below...

<input name="projnumber" type="text" value="<? echo $row_proj['projnumber']; ?>" style="width:200px;height:20px;">

it WORKS on my dev server which has register_globals ON...but not on the client server where they are OFF (but i just spoke with tech support - in the phillipines - and they say they will turn them on)...

any ideas...i mean...this is basic stuff...and the data just will not display now...jv

vaska

thanks, thanks, thanks...

i'm know i'm a pest...but i'm also addicted to learning how to do more php stuff...

BUT...they just turned the globals ON and everything works again...

thanks again for all the input...i can't believe that i've learned how to do these things...jv

EDIT...ummm...i mean...that i am "learning" how to do these things...haha...