PHP: tips for register_globals = Off


Rower_CPU
Mar 5, 2004, 06:30 PM
I just wanted to mine the knowledge base here to see what kinds of experiences fellow developers have had with development without relying on GPC registration.

I'm trying to update old pages and start developing new ones adhering to the better/stricter PHP configuration that's used nowadays. What should I look out for? What kinds of pitfalls are there?

What tips/tricks have people come across to make the transition easier? What resources have people found?

Maybe you're getting started with PHP dev and want to know what the heck we're talking about. Chime in!

TIA :)

mvc
Mar 5, 2004, 07:55 PM
I am relieved I started in PHP after the register globals change. I feel for anyone maintaining legacy code.

I always try to use $_SESSION["variablename"], $_POST["variablename"], $_GET["variablename"] wherever these items occur as it always seemed more measured and specific.

And no, I don't declare all my other variables at the top of the page, I'm as sloppy with normal variables as the next PHP coder. But these global items are a bit frightening and need a close eye kept on them.

Using the $_SESSION[] form of global variables also makes find & replace and code clarity a lot simpler. It makes finding all the places you've referred to a session/post/get variable in all your code a lot simpler without resorting to contrived variable naming structures.

sonofslim
Mar 6, 2004, 10:25 AM
i like to extract my globals at the top of the script. it helps me be sure from the get-go that i'm using safe versions of the variables when i call them further down. and it also prevents a lot of problems if a particular global's scope doesn't extend to a certain function or class.

godrifle
Mar 18, 2004, 08:51 PM
Hi guys. I'm a total n00b to PHP. I've been learning bits and pieces on my own, but come to find out that register_globals has been on all this time on my learning computer. I understand the reason this is bad. But I don't know how to handle the transition.

First, what's the difference between POST and GET in a form? Does this have anything to do with globals?

Secondly, if I have a form on one page that's posting to another php page, how can I get variables passed from one to the other without register_globals turned on?

For example, page1.php has a form that populates $action, and page2.php contains code that acts upon the value of $action.

Do I just wrap the $action variable with $_SESSION["$action"]? Perhaps I need to understand the difference between $_SESSION, $_POST, and $_GET...

Sheesh. I'm not even sure where to start. :confused:

Thanks in advance!

sonofslim
Mar 18, 2004, 09:26 PM
well, in a nutshell: POST and GET are two methods HTTP uses to transmit variables. take this example, in plain HTML:
<form method="post"><input type="hidden" name="foo" value="bar" /></form>
what you're doing is creating a variable named foo with a value of bar. of course, this variable could be a text field, or a radio group, or whatever; in that case, the value would be whatever the user set it to.

when you submit that form, be it to the same script or another, the web server creates an array of variables and passes them along as well. php's $_POST array accesses these variables and allows you to use them.

the difference between POST and GET is that post variables are hidden from the user; they're passed invisibly, behind the scenes. if you created a form that used the GET method, the variables would be passed in the URL. it might look something like this:

forums.macrumors.com/newreply.php?do=newreply&p=756803

where we're passing several variables to a script named newreply.php. the first variable is do, which has a value of newreply; this, presumably, tells the script what kind of action we're taking. (new reply, as opposed to editing your last reply or something.)

the second variable is p, which i'm guessing in this case tells the script which thread we're replying to.

the critical difference between POST and GET is that POST variables, like i said, are passed behind the scenes. GET vars, on the other hand, can be spoofed. if you took our URL from above and changed that last string of digits, you might end up replying to some other thread.

now, in terms of php: if you have register_globals off, and you pass some variables to another script, you need to access those variables through the proper php arrays. that's because your new script doesn't know that these variables exist yet. in VERY broad strokes, that's what register_globals does: when on, it tells your scripts that there are a bunch of variables available to it. when off, it hides those variables until you access them in the proper way.

if i have a form that passes a variable foo, with value bar, to myscript.php, i have to extract foo before i can work with it -- it doesn't just automatically get declared.

if my form uses the POST method, i can get foo through the POST array: $_POST["foo"]. if i used the GET method, then i'd extract it with $_GET["foo"]. but if i just said "echo $foo;" it would be null. that's because my script doesn't know about the value i passed to $foo until i tell it.

i hope that makes sense; i know it's a pretty abridged explanation. please, ask questions if you got 'em...
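An added example (not code from the thread) of what sonofslim describes: the same foo=bar field read with register_globals off, plus the pitfall of importing every posted key as a variable. The $_POST array is filled in by hand to stand in for a submitted form, and $dbName is a constructed config value.

```php
<?php
// Added example, not from the thread. Shows how a script sees the form
// field foo=bar with register_globals = Off, and why importing the whole
// $_POST array into local variables brings the old problem back.

// Constructed sample request, standing in for the submitted form. The
// second key is a field the script never asked for.
$_POST = array('foo' => 'bar', 'dbName' => 'somethingelse');

// Script configuration that must not be controllable by the client.
$dbName = 'uccscob';

// 1. With register_globals Off nothing is declared for us: $foo does not
//    exist until the script reads it from the array it arrived in.
if (!isset($foo)) {
    echo "\$foo is undefined at this point\n";
}

// 2. Read the field explicitly from the method the form used. Whether it
//    came by POST or GET it is client-supplied, so give it a default and
//    check it before use.
function post_field($name, $default = '')
{
    return isset($_POST[$name]) ? $_POST[$name] : $default;
}
$foo = post_field('foo');
echo "foo read from \$_POST: $foo\n";

// 3. Risky shortcut: extract($_POST) declares a variable for EVERY posted
//    key, which is exactly what register_globals did. Here it silently
//    replaces $dbName with the client's value.
extract($_POST);
echo "dbName after extract(): $dbName\n";

// 4. If extract() is wanted for convenience, stop it from overwriting
//    variables that already exist. Unexpected keys still become new
//    variables, so reading each field by name (step 2) is preferable.
$dbName = 'uccscob';
extract($_POST, EXTR_SKIP);
echo "dbName after extract() with EXTR_SKIP: $dbName\n";
```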

godrifle
Mar 18, 2004, 10:07 PM
Makes complete sense. Thanks so much for sharing your knowledge and time. I'll give that a shot!

whocares
Mar 18, 2004, 10:42 PM
If only I knew the bastard that turned it on in the first place! :( :mad: :mad: :p :p

So far I've just declared all necessary variables at the top of the script on my "legacy" code. Takes a couple of minutes but then it works just fine.

godrifle
Mar 19, 2004, 10:39 AM
Hi all. I'm struggling a bit, but digging this PHP stuff. I'm writing a little script for adding data to a mySQL database. This is the add script. It's my first ever, so I would appreciate feedback on how to accomplish what I'm attempting in a more elegant way (I'm assuming my script is not, er, elegant ;) ).

It works fine on a system that has register_globals turned on, but not so on one without. I can provide a URL for anyone wanting to see it in action, but don't want to publish it here.

Thanks in advance.


<html><head><title>Add Text Vignette</title></head>
<body>
<H3>Add A New Text Vignette</H3>
<BR>
<?php
// SET VARIABLES (at production, move those that are security-related to an include ('non-public-directory/config.php') file
$version="0.2b";
$dbName="uccscob";
$tableName="tVignette";
$username="edited";
$password="edited";
$hostname="127.0.0.1";
$today = date('Y-m-d');

// UNWRAP VARIABLES PASSED FROM POST FORM
// With register_globals off nothing is declared for us, so each form field is
// read explicitly from $_POST (empty string if the field was not sent). This
// has to happen here, before the fields are tested, not inside the else branch.
$tVignetteID = isset($_POST['tVignetteID']) ? $_POST['tVignetteID'] : '';
$textItem1   = isset($_POST['textItem1'])   ? $_POST['textItem1']   : '';
$textItem2   = isset($_POST['textItem2'])   ? $_POST['textItem2']   : '';
$textItem3   = isset($_POST['textItem3'])   ? $_POST['textItem3']   : '';
$linkURL     = isset($_POST['linkURL'])     ? $_POST['linkURL']     : '';
$vCategoryID = isset($_POST['vCategoryID']) ? $_POST['vCategoryID'] : '';
$userID      = isset($_POST['userID'])      ? $_POST['userID']      : '';
$date        = isset($_POST['date'])        ? $_POST['date']        : $today;

// Nothing submitted yet: show the empty form (drawForm() exits when done)
if (!$textItem1){
    drawForm();
}

function drawForm(){ // GET CATEGORIES from vCategory table

    global $dbName,$username,$password,$hostname,$today,$version;
    $tableName="vCategory";

    // MAKE DB CONNECTION
    $conn = mysql_connect($hostname, $username, $password);
    if (!$conn) {
        echo "Unable to connect to DB: " . mysql_error();
        exit;
    }
    if (!mysql_select_db($dbName, $conn)) {
        echo "Unable to select $dbName: " . mysql_error();
        exit;
    }

    //CREATE AND SUBMIT QUERY
    $query = "SELECT * FROM $tableName";
    $categories = mysql_query($query, $conn);
    if (!$categories) {
        echo "Could not run query against $tableName, to get category names: " . mysql_error();
        exit;
    }

    //CREATE FORM
    print <<<HERE
<form method ="post" action ="add_tvignette.php">
<input type ="hidden" name ="tVignetteID" value ="">
<input type ="hidden" name ="userID" value ="1">

<font face=arial,helvetica size=2><B>Fill out the form below to create a new Text Vignette:</b>
</font><BR><BR>
<font face=arial,helvetica size=2><B>Text Item 1: </b></font>
<input type ="text" name ="textItem1" value ="" size="35" maxlength="35"><BR>
<font face=arial,helvetica size=2><B>Text Item 2: </b></font>
<input type ="text" name ="textItem2" value ="" size="35" maxlength="35"><BR>
<font face=arial,helvetica size=2><B>Text Item 3: </b></font>
<input type ="text" name ="textItem3" value ="" size="35" maxlength="35"><BR><BR>
<font face=arial,helvetica size=2><B>URL to Link To: </b></font>
<input type ="text" name ="linkURL" size="45" maxlength="255" value ="http://"><BR><BR>
HERE;
    print "<font face=arial,helvetica size=2><B>Category: </b></font><SELECT NAME=\"vCategoryID\">";
    print "<OPTION VALUE=\"\" SELECTED>Choose one";
    // one <OPTION> per row of vCategory; the row comes from our own table
    while ($row = mysql_fetch_assoc($categories)){
        print "<OPTION VALUE=\"{$row['vCategoryID']}\">{$row['name']}";
    }
    print <<<HERE
</SELECT>&nbsp;&nbsp;&nbsp;
<font face=arial,helvetica size=2><B>Date: </b></font>
<input type ="text" name ="date" size="10" maxlength="10" value ="$today"><BR><BR>
<input type ="submit" value="Add Vignette to Rotation Now">
</form>
<HR size=1>
<center><font face=arial,helvetica size=2><B>[&nbsp;<a href="./admin_tvignette.php?dbName=uccscob&tableName=tvignette">Administer Text Vignettes</a>&nbsp;|&nbsp;<a href="./add_tvignette.php">Add a New Text Vignette</a>&nbsp;]</b></font></center>
<HR size=1 width=400 align=center>
<BR>
<font face=arial,helvetica size=1 color=gray>v $version</font></body></html>
HERE;
    exit;
} //end of drawForm()

// INSERT NEW RECORD

if (!$vCategoryID || !$textItem1 || !$textItem2 || !$textItem3 || !$linkURL)
{
    echo "<font color=red><b>You didn't fill in all the required fields!</b> Go <a href=\"javascript:history.go(-1);\">back</a> and make sure all fields are filled in...</font><BR>";
    echo "<a href=\"javascript:history.go(-1);\">&laquo; Back</a><BR>";
}
else
{
    // CONNECT TO DB
    $conn = mysql_connect($hostname, $username, $password);
    if (!$conn) {
        echo "Unable to connect to DB: " . mysql_error();
        exit;
    }
    if (!mysql_select_db($dbName, $conn)) {
        echo "Unable to select $dbName: " . mysql_error();
        exit;
    }

    // Every form value is client-supplied: escape each one before it is
    // placed inside the SQL string, so quotes in the input cannot alter the query
    foreach (array('tVignetteID','textItem1','textItem2','textItem3','linkURL','vCategoryID','userID','date') as $field) {
        $$field = mysql_real_escape_string($$field, $conn);
    }

    //CREATE AND SUBMIT QUERY
    $query = "INSERT INTO $tableName (tVignetteID, textItem1, textItem2, textItem3, linkURL, vCategoryID, userID, date) VALUES ('$tVignetteID', '$textItem1', '$textItem2', '$textItem3', '$linkURL', '$vCategoryID', '$userID', '$date')";
    $result = mysql_query($query, $conn);
    if (!$result) {
        // report the failure instead of silently collecting it in an array that is never shown
        echo "<font color=red>Could not add the new vignette to $tableName: " . mysql_error() . "</font>";
    } else {
        print "<font color=green><B>Text Vignette successfully added to rotation.</b> Click <a href=\"./admin_tvignette.php?dbName=uccscob&tableName=tvignette\">here</a> to view your new entry.</font>";
        print "<BR><font face=arial,helvetica size=1 color=gray>v $version</font>";
    }
}
?>
</body></html>