Global Variables Advice !!!

php_2004

Hi,
I have created a site that replies on global variables being "ON", for some of the functionality to work.

The problem i have is that the hosting company, which i rent my space from changed their server over the weekend, so that global variables (register_globals) are now "OFF", so as you can probably guess the functionality does not work now.

In order to get around the problem, a friend suggested i use something like so:

$system = $_REQUEST['system'];

to say collect a variable of an address, i.e.

http://somesite.com/admin.php?system=home

Firstly is this a good way of collecting the variable and do i have to use the $_REQUEST[' '] for every variable on the page?

Thanks for any help or advice in advance.....

onion2k

In all honesty, the best way around this issue is to revisit your code and make it work with globals switched off. Its a security hole you could drive a bus through. Basically, you can't trust any of the values you're getting from any $POST or $SESSION variables.

If you must take the lazy route...

foreach ($_REQUEST as $varname => $value) {
  $$varname = $value;
}

I've not tested that btw. $$varname is not a typo, its a reference. And yes, you'd need that on every page.

Still a very bad idea.

drew010

hehe you beat me by a second 🙂

foreach($_REQUEST as $var => $value) {
$$var = $value;
}

laserlight

You could also [man]extract/man the superglobal array, but as onion2k mentioned, it defeats the purpose of having register_globals off.

php_2004

would i need that section of code for each variable that is defined on the page?

For example i have a registeration page, which submitted back to itself when the user selects the submit button. As you can see below

<?
<form method="post" action="register.php">
<table border="0">
<tr class="main">
<td width="50">First Name</td>
<td width="200" align="left"><input type="textfield" size="30" maxlength="128"
name="frmFirstName" value="<?php 
if (!empty($_POST['frmFirstName'])) 
    echo  htmlspecialchars(stripslashes($_POST['frmFirstName'])); ?>">
<img src="question4.jpg" alt="Please enter your first name, e.g. Joe" height="16" width="20" align="center">
</td>
<td>
<? if(isset($check)){if(empty($frmFirstName)){ echo "<li>Required Field !!\n</li>";}}?>
</td>
</tr>

<td width="50">Last Name</td>
<td width="200" align="left"><input type="textfield" size="30" maxlength="128"
name="frmLastName" value="<?php
if (!empty($_POST['frmLastName']))
    echo  htmlspecialchars(stripslashes($_POST['frmLastName']))
;
?>">
<img src="question4.jpg" alt="Please enter your last name, e.g. Bloggs" height="16" width="20" align="center"> 
</td>
<td>
<? if(isset($check)){if(empty($frmLastName)){ echo "<li>Required Field !!\n</li>";}}?>
</td>
</tr>

<tr class="main">
<td width="50">House/Flat Number</td>
<td width="200" align="left"><input type="textfield" size="4" maxlength="4"
name="frmHouseNumber" value="<?php 
if (!empty($_POST['frmHouseNumber'])) 
    echo  htmlspecialchars(stripslashes($_POST['frmHouseNumber']))
; 
?>">
<img src="question4.jpg" alt="Please enter your house or flat number, e.g. 17" height="16" width="20" align="center"> 
</td>
<td>
<? if(isset($check)){if(empty($frmHouseNumber)){ echo "<li>Required Field !!\n</li>";}}?>
</td>
</tr>
<tr class="main">
<td width="50">Street</td>
<td width="200" align="left"><input type="textfield" size="30"
name="frmStreet" value="<?php 
if (!empty($_POST['frmStreet'])) 
    echo  htmlspecialchars(stripslashes($_POST['frmStreet']))
; 
?>">
<img src="question4.jpg" alt="Please enter your street or road name, e.g. North Rd" height="16" width="20" align="center">
</td> 
<td>
<? if(isset($check)){if(empty($frmStreet)){ echo "<li>Required Field !!\n</li>";}}?>
</td>
</tr>
<tr class="main">
<td width="50">Town / City</td>
<td width="200" align="left"><input type="textfield" size="30" maxlength="128"
name="frmTown" value="<?php 
if (!empty($_POST['frmTown'])) 
    echo  htmlspecialchars(stripslashes($_POST['frmTown']))
; 
?>">
<img src="question4.jpg" alt="Please enter the town where you live, e.g. Northampton" height="16" width="20" align="center"> 
</td>
<td>
<? if(isset($check)){if(empty($frmTown)){ echo "<li>Required Field !!\n</li>";}}?>
</td>
</tr>
<tr class="main">
<td width="50">Post Code</td>
<td width="200" align="left"><input type="textfield" size="10" maxlength="8"
name="frmPostCode" value="<?php 
if (!empty($_POST['frmPostCode'])) 
    echo  htmlspecialchars(stripslashes($_POST['frmPostCode']))
; 
?>">
<img src="question4.jpg" alt="Please enter your post code, e.g. NN17 7XY" height="16" width="20" align="center"> 
</td>
<td>
<? if(isset($check)){if(empty($frmPostCode)){ echo "<li>Required Field !!\n</li>";}}?>
</td>
</tr>
<tr class="main">
<td width="50">Sex</td>
<td width="200" align="left"> 
 <input type="radio" name="frmSex" value="M">Male 
<input type="radio" name="frmSex" value="F">Female 
<img src="question4.jpg" alt="Please select your sex, e.g. Male or Female" height="16" width="20" align="center">
</td>
<td>
<? 
if(isset($check)){

  if(empty($frmSex))
  { 
  echo "<li>Required Field !!\n</li>";
  }
}
?>
</td>
</tr>

<tr class="main">
<td width="50">Email</td>
<td width="200" align="left"><input type="textfield" size="35" maxlength="255"
name="frmEmail" value="<?php 
if (!empty($_POST['frmEmail'])) 
    echo  htmlspecialchars(stripslashes($_POST['frmEmail']))
; 
?>">
<img src="question4.jpg" alt="Please enter a vaild email address, e.g. [email]joe@bloggs.co.uk[/email]" height="16" width="20" align="center"> 
</td>
<td>
<? if(isset($check)){

if(empty($frmEmail)){ 

echo "<li>Required Field !!\n</li>";
}

elseif(!empty($frmEmail)){

	if (!eregi ("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$",
	stripslashes(trim($frmEmail))))
{
echo "<li>Email address entered is not a valid format!</li>\n";
}
}
}


?>
</td>
</tr>

<tr class="main">
<td width="50"></td>
<td width=200" align="center"><br />Please Chose A <br /><b>Username</b> and <b>Password</b></td>
</tr>

<tr class="main">
<td width="50">Username</td>
<td width="200" align="right"><input type="textfield" size="11" 
name="frmUsername" value="<?php 
if (!empty($_POST['frmUsername'])) 
    echo  htmlspecialchars(stripslashes($_POST['frmUsername']))
; 
?>">
<img src="question4.jpg" alt="Please select a username, this must be between 4 and 10 Characters and made up of numbers and letters, e.g. joe29" height="16" width="20" align="center"> 
</td>
<td>
<? 
if(isset($check)){

if(empty($frmUsername)){ echo "<li>Required Field !!\n</li>";
}

elseif(!empty($frmUsername)){

$Username = $_POST['frmUsername'];

if(strlen($Username)<4){//check that at least 4 characters have been entered
    echo"<li>The username entered is too short, please try again !!</li>";
  }else{
$usermin="ok";
}
if(strlen($Username)>=11){//check if username is too large to add to the database
    echo"<li>The username entered is too large, please try again !!</li>";
  }else{
$usermax="ok";
}                               


//make an object of the wrapperclass
$forum=new ForumInterface();

//make db connection
$forumpointer=$forum->connect();


//get records
$count = $forum->checkregisterusername($Username);


if ($count !=0)  {

echo"<li>Username has already been taken</li>";


//disconnect to db
$forum->Disconnect($forumpointer);

  }
 }
}
?>
</td>
</tr>

<tr class="main">
<td width="50">Password</td>
<td width="200" align="right"><input type="password" size="11" maxlength="10"
name="frmPassword"> 
<img src="question4.jpg" alt="Please enter a password, this must be between 8 and 10 characters, e.g. hellojoe " height="16" width="20" align="center"> 
</td>
<td>
<? if(isset($check)){
if(empty($frmPassword)){ 
echo "<li>Required Field !!\n</li>";
}
elseif(!empty($frmPassword)){

$Password = $_POST['frmPassword'];

if(strlen($Password)<=7){//check that at least 8 characters have been entered
    echo"<li>The password entered is too short, it must be at least 8 characters !!</li>";
  }else{
$min="ok";
}
if(strlen($Password)>=11){//check if password is less that 10 charcters
    echo"<li>The password entered is too large, it must be less than 10 characters !!</li>";
  }else{
$max="ok";
}
}
}
?>
</td>
</tr>

<tr class="main">
<td width="50">Please Retype your Password</td>
<td width="200" align="right"><input type="password" size="11" maxlength="10"
name="frmCheckPassword">
<img src="question4.jpg" alt="Please re-enter the Password you just entered into the password field" height="16" width="20" align="center">  

</td>
<td>
<? if(isset($check)){if(empty($frmCheckPassword)){ echo "<li>Required Field !!\n</li><br />";}

elseif(!empty($frmCheckPassword)){
if($frmPassword !=="$frmCheckPassword"){


print"<li><b>retype password</b> does not match the <b>password</b> you entered</li>";

  }
 }
}
?>
<tr class="head">
<input type="hidden" name="check" value="joe">
<br />
<td colspan="2" align="right"><input type="submit"
value="Submit"></td>
</tr>
</table>
</form>
</center>
<?


if( !empty($frmFirstName) AND !empty($frmLastName) AND !empty($frmHouseNumber)
AND !empty($frmStreet) AND  !empty($frmTown) AND !empty($frmPostCode) AND
!empty($frmSex) AND !empty($frmEmail) AND !empty($frmUsername) AND !empty($frmPassword) AND !empty($frmCheckPassword) AND !empty($frmTerms)
AND $usermin=="ok" AND $usermax=="ok" AND $min=="ok" AND $max=="ok"){

//set variable for database inserts

$FirstName      = $_POST['frmFirstName'];
$LastName       = $_POST['frmLastName'];
$HouseNumber    = $_POST['frmHouseNumber']; 
$Street         = $_POST['frmStreet'];
$Town           = $_POST['frmTown']; 
$PostCode       = $_POST['frmPostCode'];
$Sex            = $_POST['frmSex'];
$Email          = $_POST['frmEmail'];
$Username       = $_POST['frmUsername'];
$pass           = $_POST['frmPassword'];
$check          = $_POST['check'];

//encrypt password with MD5 

$Password       = md5($pass);



//make an object of the wrapperclass
$forum=new ForumInterface();

//make db connection
$forumpointer=$forum->connect();

//insert record
$forum->addNewUser($FirstName, $LastName, $HouseNumber, $Street, $Town, $PostCode, $Sex, $Email, $Username,
$Password, $pass);

//disconnect to db
$forum->Disconnect($forumpointer);

}
?>

onion2k

You'd just need to add the little section of code in at the top of the script. It loops through all the variables in the $_REQUEST array and puts them in the symbol table making them into ordinary variables.

I would note though, in that code you're mixing $POST['frmFirstName'] in some places with $frmFirstName in others. Thats pretty unreadable, and adding a hack to register the $REQUEST vars will make it a proper nightmare if anyone comes to edit your code in the future (including you).

Theres another option I didn't think of last night.. fire up Textpad (or a similar text editor) and search/replace each of the variables in turn. So you'd search "$frmFirstName" and replace it with "$_POST['frmFirstName']". It'd be a pain if theres a massive number of variables, but you'll benefit if you come back to the code in 6 months...

php_2004

oh i see, so what you saying the piece of code that was suggested, will poll around all the $REQUEST, $GET, $_POST and allow them to be used as normal?

onion2k

Originally posted by php_2004
oh i see, so what you saying the piece of code that was suggested, will poll around all the $REQUEST, $GET, $_POST and allow them to be used as normal?

Yes. $REQUEST is an array that contains everything from $GET, $POST and $COOKIE.

php_2004

just one more query,

on my login page i set a number of session variables, from what you have said $SESSION isn't part of the $REQUEST group,

how could i collect my session variable on my admin page?

onion2k

Exactly the same code, but replace $REQUEST with $SESSION.

foreach ($_SESSION as $varname => $value) {
  $$varname = $value;
}

Again, you'd need that at the top of every page.

php_2004

i have a little problem,

my login script seems to be setting the session variable, but when they are collected on the admin page they are blank. the database query seems to be fine.

i.e. access is given to the admin page, but i have echo the varaibles and they seem to empty.????

any ideas????

onion2k

Are you echoing them before or after the section of code near the end that starts "$FirstName = $_POST['frmFirstName'];"?

php_2004

after??

seems to be accessing the 'admin' page, but no html content is being shown..