[RESOLVED] Script broken after move to PHP 4.4.7

Taco

I'm having trouble with some of my PHP scripts after I moved my site to a new server that is running PHP 4.4.7. They were previously functional on the old server running 4.4.3. I'm wondering if my code is no longer compatible with changes made in 4.4.7, or if I need to change a setting/recompile apache. My PHP info can be found here: [fixed] and the PHP info for the server it previously was running on here: [fixed]

Unfortunately no errors are being produced, so I don't know where to start. The live broken version of this is here: [fixed] and the old one that works properly is here: [fixed]

If my code is not compatible, what changes should I make? I'm hoping I won't have to rewrite everything. Any help or insight you can offer would be greatly appreciated!

<?
$configfile = "db.php";
require $configfile;
$db = mysql_connect("$host", "$username", "$password");
mysql_select_db("$databasename", $db);

if($word)
{
$getWord=mysql_query("SELECT word,definition FROM glossary WHERE approved='1' AND word LIKE '%$word%' ORDER BY word", $db);

if($getWordArray=mysql_fetch_array($getWord))
{
echo "<h1>Glossary:  $word</h1>";
do
{
echo "<h4>";
printf($getWordArray["word"]);
echo "</h4>";
echo "<p class=\"text\">";
printf($getWordArray["definition"]);
echo "</p>";
}
while($getWordArray=mysql_fetch_array($getWord));
echo "<br />";
}
else
{
echo "<h1>Glossary:  $word</h1>";
echo "<p class=\"text\">Sorry there are no matches for $word</p>";
}
}
if($letter)
{
if($letter=="Numbers")
{
$getWord=mysql_query("SELECT word,definition FROM glossary WHERE approved='1' AND word LIKE '0%' OR word LIKE '1%' OR word LIKE '2%' OR word LIKE '3%' OR word LIKE '4%' OR word LIKE '5%' OR word LIKE '6%' OR word LIKE '7%' OR word LIKE '8%' OR word LIKE '9%' ORDER BY word", $db);
}
if($letter=="All")
{
$getWord=mysql_query("SELECT word,definition FROM glossary WHERE approved='1' ORDER BY word", $db);
}
else
{
$getWord=mysql_query("SELECT word,definition FROM glossary WHERE approved='1' AND word LIKE '$letter%' ORDER BY word", $db);
}

if($getWordArray=mysql_fetch_array($getWord))
{
echo "<h1>Glossary: $letter</h1>";
do
{
echo "<h4>";
printf($getWordArray["word"]);
echo "</h4>";
echo "<p class=\"text\">";
printf($getWordArray["definition"]);
echo "</p>";
}
while($getWordArray=mysql_fetch_array($getWord));
echo "<br />";
}
else
{
echo "<h1>Glossary: $letter</h1>";
echo "<p class=\"text\">Sorry, there are currently no words under <b>$letter</b></p>";
}
}
if(!$word&&!$letter)
{
echo "<h1>Glossary Of Terms</h1>";
echo "<p class=\"text\">This glossary contains terms and acronyms commonly used in the hobby. Also included are definitions of common forum and chat room lingo. To view all terms at once <a href=\"?letter=All\">click here</a>.</p>";
}
if($word||$letter)
{
echo "<br /><br />";
}
echo "<p class=\"text\">Search for the a word or browse the glossary by letter:</p>";
echo "<div style=\"width:300;padding-left:20px;\"><form name=\"getword\" action=\"\" method=\"get\"><input name=\"word\" type=\"text\" value=\"\" class=\"text\" /> <input type=\"submit\" value=\"Search\" /></form></div>";
echo "<p class=\"text\">Browse by letter<br />";
echo "<a href=\"?letter=Numbers\">#</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=A\">A</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=B\">B</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=C\">C</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=D\">D</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=E\">E</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=F\">F</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=G\">G</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=H\">H</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=I\">I</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=J\">J</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=K\">K</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=L\">L</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=M\">M</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=N\">N</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=O\">O</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=P\">P</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=Q\">Q</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=R\">R</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=S\">S</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=T\">T</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=U\">U</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=V\">V</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=W\">W</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=X\">X</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=Y\">Y</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=Z\">Z</a>&nbsp;&nbsp;";
echo "<a href=\"?letter=All\">View All</a>&nbsp;&nbsp;";
echo "<a href=\"add.php\">Add A Word</a>&nbsp;&nbsp;";
echo "<br /></p>"; ?>

NogDog

This line...

if($word)

...has me wondering if the problem could be that the script expects register_globals to be turned on, since I don't see $word defined anywhere (unless it's set in the include file?). If so, the quick solution would be to turn register_globals on, but the better solution would be to leave it off (now the default setting) and modify the script to use the applicable $GET or $POST array elements.

bradgrafelman

Looks like that script depended on register_globals.

Instead of $word, you need to use $GET['word']. If you want to use $word, you have to explicitly define it:

$word = $_GET['word'];

Same for POST, SESSION, COOKIE variables. More information on these superglobal arrays can be found here: [man]variables.predeinfed[/man].

Also, instead of code such as

if ($word) {

, you should be using something like:

if (!empty($word)) {

if (!isset($_GET['word']))

You have a problem with your SQL code as well. Since you call [man]mysql_fetch_array/man in the if() statement before the loop, you're always losing the first value of the SQL result set. In fact, if you only have 1 result returned, it'll be as if

In addition, it appears as though you're vulnerable to SQL injection attacks. User-supplied data should never be placed directly into a SQL query! Instead, sanitize it with a function such as [man]mysql_real_escape_string/man.

EDIT: Ah, NogDog posted while I was typing. :p Also, something I forgot to mention; you shouldn't use the deprecated "<?" short tags. Instead, use the full "<?php" tags.

Taco

Thank you both for all your help! Register_globals is the problem.

Also thanks for some tips on rewriting my code. I hadn't realized "<?" short tags had been depreciated! I never liked how this one turned out, but it was a quick 'n dirty job. I'll work on getting it cleaned up.

bradgrafelman

Taco wrote:
Register_globals is the problem.

Well, register_globals isn't the problem... using $word instead of $_GET['word'] is the problem. It's just that this directive had been enabled for many older versions of PHP that programmers got used to using it despite the security exploits it presents.

Anyways, don't forget to mark this thread resolved (if it is).

Taco

Yeah, you're right. I'm going to try to get it rewritten so I can turn off register_globals again. I'm glad that I'm aware of all this now!