[Resolved] URL Variables

sclark3509

I've been told that PHP5 has eliminated the use of embedding variables in the url for transmission betweeen pages because of the massive security flaw therein. Is this true?

This poses a problem for me. I designed a php interface for accessing various pages of text by altering a variable saying which page it was reading in. As an example

There are a bunch of files called page1.htm, page2.htm... page#.htm

index.php executes

include(page$currentPage.htm);

to get the current text file. The text appears above forward and backward buttons. Those buttons are linked to

index.php?currentPage=#

where the # is incremented or decremented based on if it was forward or backward. This was a very effective way of getting this done.

Unfortunately, it is not working on the PHP5 server. The variable will change and be there in the header, but the code doesn't recognize the variable as being there. I tried to see if there was a typo or something somewhere by doing this(for index.php?currentPage=#):

<?php
if(isset($currentPage)) echo('Current page loaded');
else echo('No current page loaded, loading default');
...

and every time I got the else echo. The url had no typo. Is there a way I can work around this without using external pages to increment or decrement a session variable? Or was there a syntax change or something?

By the way, this system works perfectly on my personal server, which is PHP4

goldbug

Originally posted by sclark3509
I've been told that PHP5 has eliminated the use of embedding variables in the url for transmission betweeen pages because of the massive security flaw therein. Is this true?

Whoever told you that, is mistaken. Assuming you're talking about a standard HTTP GET request, PHP5 handles them just fine.

index.php executes
include(page$currentPage.htm);
to get the current text file. The text appears above forward and backward buttons. Those buttons are linked to

index.php?currentPage=#

where the # is incremented or decremented based on if it was forward or backward. This was a very effective way of getting this done.

Unfortunately, it is not working on the PHP5 server. The variable will change and be there in the header, but the code doesn't recognize the variable as being there. I tried to see if there was a typo or something somewhere by doing this(for index.php?currentPage=#):
<?php
if(isset($currentPage)) echo('Current page loaded');
else echo('No current page loaded, loading default');
...
and every time I got the else echo. The url had no typo. Is there a way I can work around this without using external pages to increment or decrement a session variable? Or was there a syntax change or something?

By the way, this system works perfectly on my personal server, which is PHP4 [/B]

Your code, in addition to being possibly insecure, will not work in PHP5 by default due to the register_globals setting in php.ini. You can change this setting to allow your code to work in PHP5, but you're bettter off using the $_GET and related superglobals.

sclark3509

Alright, I'm glad to know I don't have to completely rewrite my system. I'll look in the manual for the supers.

As per the security, I'm aware it's insecure. I'm trying to teach myself PHP and mySQL, so I know nothing about security. Since you bring that up though, I'll try to find resources on making it more secure. Thanks for the feedback.

Weedpacket

Originally posted by goldbug
Whoever told you that, is mistaken. Assuming you're talking about a standard HTTP GET request, PHP5 handles them just fine.

I remember working in PHP3, which didn't have native session management - you had to write your own or use a third-party library. Otherwise you did need to put everything in the URL or hidden form fields to pass them from page to page. PHP4 came as a huge relief!