Not taking _GET values

Swedie

Hi all,
I have moved over my website from one webserver to another. It is a fresh install of PHP and MySQL on the new server. We've made sure it is the same PHP version and MySQL version. So that is not the problem. The problem consists in the settings. But I cannot find what is causing it.

So here's the problem.

On my person page here:
www.sporthoj.com/rr

My menu buttons have stopped working. On the old server it would switch page content, but on the new server it does not. I believe it has to do with the $_GET variable. But I could be wrong.

Anyone? Please.

thanks

devinemke

sounds like perhaps register_globals was ON on the old server and is OFF on the new server.

Swedie

Yeah that is probably it.. darn.

How bad really.. is it to turn register_globals on? It says there's a security risk to it... but really though. What does open up that could be harmful to the system?

pjleonhardt

Say you have something like the following..

<?php

//(let us say $id is the name of a hidden field in a form on the previous page)
//Register globals is on

$query = mysql_query("SELECT name from `table` WHERE id=$id"); //for simplicity

//loop through results, do w/e with data..

?>

Now, somebody can go directly to the page.. say info.php
and say info.php?id=12

This might not seem too dangerous
but what if they said
info.php?id=0 OR DELETE from table WHERE 1=1

now, would you still have a table left?

Basically, global varials being off allows you to verify the source of the information.