PHP Script does not work after upgrade to PHP5

Senad

I'm trying to make my site work again like it did before. Basically the index page would use the include function to add content so instead of editing each page when a link change occurred I would just edit the index.php file. Unfortunetly after turning register_globals=off for security reasons and upgrading to php5 (I can't tell what the reason is) my code is not working anymore.

<?php

$default = "welcome";

if($page == ""){$page = $default;} 

include("./$page.php")

?>

I have no idea why this is not working anymore as it shouldn't affect the site.

The current effect is that it is loading the main site if I click on any of the tutorial links instead of loading the content in the middle (The site can be seen at: www.pingpros.com. Thanks for your help!

Houdini

Your site is down at least a couple of seconds ago.
do a phpinfo on your site and present the results.

<?php
phpinfo();
?>

Senad

I accidentally added a ) in the link. It should work now as I edited the post.

The PHP info page can be seen at:

http://www.pingpros.com/phpinfo.php

Thanks again for your help.

stolzyboy

where is $page coming from?

a query string like: http://www.domainname.com/page.php?page=home

if so, you likely need to use $_GET['page'] instead of $page, register_globals is likely turned OFF (which is a good thing) so you'll need to do some upgrading of your scripts as well

Houdini

Turn them off if you can control the php.ini (heck I though PHP 5 already turned them off by default). Fix that and retry your script with $_GET['page']. It is not good to have register_globals ON turn them off for your safety.

Read the article from the PHP Manual concerning register_globals directive

Chapter 29. Using Register Globals

Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP 4.2.0. Reliance on this directive was quite common and many people didn't even know it existed and assumed it's just how PHP works. This page will explain how one can write insecure code with this directive but keep in mind that the directive itself isn't insecure but rather it's the misuse of it.

When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this. Let's demonstrate with an example misuse of register_globals:

Example 29-1. Example misuse with register_globals = on
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
   $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
   include "/highly/sensitive/data.php";
}
?>
When register_globals = on, our logic above may be compromised. When off, $authorized can't be set via request so it'll be fine, although it really is generally a good programming practice to initialize variables first. For example, in our example above we might have first done $authorized = false. Doing this first means our above code would work with register_globals on or off as users by default would be unauthorized.

Another example is that of sessions. When register_globals = on, we could also use $username in our example below but again you must realize that $username could also come from other means, such as GET (through the URL).

stolzyboy

yes, i know his info page shows that, however he specifically said it was off, so i went with that theory to fix his issue

Houdini

While that might be true the register_globals show that it is in fact global_registers=on but after looking at the site now it appears to be working so apparently some advise has been taken and your first answer was correct..sorry for butting in.

Senad

Houdini wrote:
While that might be true the register_globals show that it is in fact global_registers=on but after looking at the site now it appears to be working so apparently some advise has been taken and your first answer was correct..sorry for butting in.

I had to turn register_globals on to test. I have turned them off again and now nothing works.

I am not very php saavy but I tried using the Get code method:

<?php

$default = "welcome";

if($page == ""){$page = $default;} 

$_GET['page']

?>

Note the page parameter has another parameter I set that is breaking Top 10 Posters without the page. Any tips and points can really be appreciated. I definitely am interested in starting to code without global_registers but the code I did has been over 5 years now and my technical know how has altered grossly from coding to network and network security.

Weedpacket


$default = "welcome";

if($page == ""){$page = $default;} 

$_GET['page']

That's not going to work: you're still assuming that $page is going to contain what you want, and you're not doing anything with $_GET['page'].
Have a read of what the manual says about getting variables from outside PHP (and maybe the relevant tutorial), and you should have more success.