PHP deprecated code?

746

HI all

Running PHP Version 5.2.11 and we've been given a site which we're told was running on an earlier version (4 possibly).

We've an odd problem where several pages which have a bunch of forms which update the MySql are not working. The problem is where the variables used in the update script are not being defined anywhere in the php before hand. eg.

UPDATE users SET FirstName='$form_firstname'WHERE UserID='$id'"

Now if we change it to..

$form_firstname = $_POST['form_firstname'];
UPDATE users SET FirstName='$form_firstname'WHERE UserID='$id'"

then the update works. We could do this for every single variable defined in every update statement but I'm thinking that seen as this must have worked previously we're looking at some deprecated code somewhere that forms these variables. I've looked for any

import_request_variables

statements but nada.

Can anyone think of anything that would be turned off by default in a new server that would cause this or does this variable have to be declared somewhere?

Cheers muchly

375

Answer

Solution:

This isregister_globals. DO NOT use this; it is a gaping security hole.

360

Answer

Solution:

As stated elsewhere, its because the original code was register_globals enabled - which is very bad practice.

As a quick hack you could add some code at the top of each page (in global scope):

extract($_GET); extract($_POST);

...which has much the same effect but on a script-by-script basis. But ONLY to keep the site running while you re-implement the code properly. Note that this is not the only problem with the code - splicing unchecked user input into SQL statements is a recipe for DISASTER.

You should be rewriting the code as....

$form_firstname = mysql_real_escape_string($_POST['form_firstname'], $db_handle);
$id = mysql_real_escape_string($_POST['id'], $db_handle);
$qry="UPDATE users SET FirstName='$form_firstname'WHERE UserID='$id'";

C.

406

Answer

Solution:

i hope you don't use that for something serious. That code is open to all kinds of intrusions, injections and hacks. I have two answers for you. Quick & dirty: turn register_globals on. Alternative: find someone to rewrite your app from scratch or find a better one.

875

Answer

Solution:

I think you need set resister_global=on in php.ini

People are also looking for solutions to the problem: php - Parent - Child relationship within a single table

Source

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.