Variables not passing via URL

dpfletch

Hi everyone

I'm having trouble with variable passing via URL. I have recently upgraded from apache 1.3 to 2.0 and am using PHP4.

When I was using apache 1.3, variable passing was a doddle ... simply adding:

?var=value

to the end of the URL passes the variable to the next PHP page, but now that I am running apache 2.0, it's all stopped working.

I now cannot pass any variables via the URL.

I suspect it is a configuration issue of either apache or php, but it's got me stumped ... then again I may be barking up the wrong tree :rolleyes:

If anyone has any ideas or needs more info, please let me know!!

Thanks in advance!

dpfletch

UPDATE

I have just found that NO variables are being passed at all, either via GET or POST with form data.

hkucsis

try using $POST["variable"] and $GET["variable"] to access the variables

Kame

Make sure 'register_globals' is set to 'On' in php.ini. After you reset this, you will need to reboot.

hkucsis

better not set register_globals on for security reason

Kame

Never mind. I don't think it's the register globals because POST doesn't work either.

But why is having register_globals on a security threat? Don't most server (including this one) have it set to on? How can you have a Query String without it?

suckand

try it, i had the same problem...

most servers have register_globals set to on because of functionality reasons - as you mentioned yourself

BuzzLY

If you have a query string like this:

http://www.server.com/dir/hello.php?foo=1&bar=2

Then you can get to the foo and bar values by accessing $foo and $bar, IF REGISTER_GLOBALS IS ON. However, this is a security problem. Let's say you have the following code for the page http://www.server.com/info.php:

if ($logged_in = "1") {
header("Location: http://www.server.com/securepage.php");
} else {
header("Location: http://www.server.com/loginpage.php");
}

If register_globals is ON, all a hacker has to do to get to the secure page is type in http://www.server.com/info.php?logged_in=1 and he's looking at your secure page.

If you turn OFF register_globals, then the hacker won't be able to pass in the variable as easily if you use cookies or a post. To access the variable yourself, you retrieve it like so:

$logged_in = $POST['logged_in'];
or
$logged_in = $COOKIE['logged_in'];

For more information about this topic, check the following link. Be sure to read the full discussions... there is some valuable information there as well:

Using Register Globals (php.net)

The reason many sites have register_globals = ON is that prior to 4.1.0, that was the default setting. Because of this, many coders used global variables in their code, and even though they have upgraded their servers, it would take too much effort and time to go through all of their code fixing the variables.

My STRONG suggestion to you is this: If you are installing PHP new, leave the default register_globals to OFF. Even if you are coding pages on a server with it set to ON, code your pages as if it were off. Your pages will be more portable, much more secure, and most important, will not break once the register_globals setting is OFF in the future.

dpfletch

Guys,

Many many thanks for your replies!!!

It would appear than my earlier install of apache and php has register_globals set to ON and the newer install it is set to OFF.

Once, I'd altered the code to include $_GET['variable'] then the variables passed the pages nicely. 😃

Sweet!