$_POST['name'] or $name - why one works and the other doesn't?

  • barry
  • Graduate
  • Graduate
  • Posts: 115
  • Loc: scotland

Post 3+ Months Ago

Hi all. I have recently had some spam issues with my server and I had the guys who maintain it for me fix it so I don't get spam. This is not the issue now. I have written lots of forms for websites, and in the PHP to process the forms I use $name for the name field, etc.

The problem I'm now having is that

$name

is not being recognised as having any value and I am now having to use

$_POST['name']

instead. The problem is that I will have to go through the forms on the websites I have designed and replace every form field's posted variable with $_POST['bla bla here'] (which will amount to around 2000 or more fields...)

Can anyone tell me what has been changed on my server to cause this to happen? The reason I want to know is so I can have them change it back as soon as possible!!
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6251
  • Loc: Seattle, WA

Post 3+ Months Ago

The person went into your PHP configuration and turned off the `register_globals` flag.

All form data in PHP is stored in either the $_GET or $_POST arrays, depending on the form's submission method.

`register_globals` is a PHP directive that tells PHP to take all of the key/value pairs in those arrays and create global variables from them. Those global variables are what you have been using, and now that the directive is turned off, they are no longer being created.

Having said that, you do not want to turn `register_globals` back on. It is a huge security risk and leaves your pages vulnerable to data and script injections and all sorts of nasty things. That's why he turned it off, and (someone correct me if I'm wrong) the directive isn't even available in newer versions of PHP.

Yes, you'll need to go through your scripts and change things to use the $_POST array directly. You don't have to do it by hand though; the find/replace feature of any decent text editor will make things easier, or if you're comfortable with regular expressions you could whip up a script to do it for you.
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

register_globals is deprecated in PHP 5.3, which means it's being considered for removal in the next major release (PHP6). It is already disabled by default in PHP 4.2+.

If you turn register_globals back on, then EVERY variable in your script can be overridden via GET or POST. Not just the GET/POST variables you're anticipating.

You can usually work around register globals being disabled with one line of code for each affected variable.

Since you were using "$name" in your script before, what you'll want to do now is as close to the beginning of your script as reasonably possible, assign the screened value of $_POST['name'] to $name.

Assuming your GET/POST variables are properly screened and the problem was a different variable being overridden due to register_globals, it can be done like this.

PHP Code:
```php
$name = $_POST['name'];
```

I don't know what your deal was, but since you're here asking us instead of asking the person who "fixed" your website for you, it's probably a good idea to mention the following.

Any time you hire someone to close security holes for you, you need to make sure you stipulate in your agreement that their job is not to "close security holes", their job is to "leave the script working exactly as it was before, but without the security holes".
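
As an added example (not code from any poster in this thread), here is one way to apply the per-variable assignment described above to a whole form at once: import only the fields the script expects, so nothing else in the request ever becomes a variable. The function name, field names, sample input and addresses are constructed for illustration; it assumes PHP 7 or later.

```php
<?php
// Added example: explicit import of expected form fields.
// import_fields() is a hypothetical helper, not part of PHP or of any script in this thread.

/**
 * Return only the whitelisted fields from $source as trimmed strings.
 * Keys that are not listed in $allowed are ignored entirely.
 */
function import_fields(array $allowed, array $source): array
{
    $clean = [];
    foreach ($allowed as $field) {
        $value = $source[$field] ?? '';
        // A text field must be a string; array input (name[]=x) is treated as empty.
        $clean[$field] = is_string($value) ? trim($value) : '';
    }
    return $clean;
}

// Constructed sample standing in for $_POST. "to" is NOT a field the form defines.
$post = [
    'name'    => '  Barry ',
    'email'   => 'barry@example.com',
    'message' => 'Hello',
    'to'      => 'someone-else@example.net',
];

// The recipient is fixed by the script and never read from the request.
$to = 'webmaster@example.com';

// One line per form replaces the variables register_globals used to create.
$fields  = import_fields(['name', 'email', 'message'], $post);
$name    = $fields['name'];
$email   = $fields['email'];
$message = $fields['message'];

printf("to=%s name=%s\n", $to, $name);
printf("unexpected 'to' imported: %s\n", array_key_exists('to', $fields) ? 'yes' : 'no');
```

In a real script the second argument would be `$_POST`, and the imported values still need the screening mentioned above before they are used in mail headers or output.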
  • barry
  • Graduate
  • Graduate
  • Posts: 115
  • Loc: scotland

Post 3+ Months Ago

Thanks for your replies. I was having security issues with spoofing so I did have the admins change things but I don't know what. They have since changed the register_globals back to (according to them) as was before the issue began.

Suppose I'll have to live with it!! BUGGER!
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

I'm guessing you don't realize that any time someone with nothing better to do reads this thread in the future and finds out that you code with register_globals enabled, they're going to pluck your website address from your profile and see if they can relay spam through your contact form.

Oh well. I guess as long as you don't have a portfolio available publicly that someone could go through and find say, nearly 200 websites likely to have security holes in them that they could relay spam through I suppose it can't end up being too bad.

I mean, it's not like your contact form would use a $to, $emailto, or similarly easy to guess variable to control who emails are sent to like 90% of the ready made contact form scripts out there or anything.

Good luck! :D
  • barry
  • Graduate
  • Graduate
  • Posts: 115
  • Loc: scotland

Post 3+ Months Ago

joebert, above your post I have told you it is not enabled?
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6251
  • Loc: Seattle, WA

Post 3+ Months Ago

barry wrote:
Thanks for your replies. I was having security issues with spoofing so I did have the admins change things but I don't know what. They have since changed the register_globals back to (according to them) as was before the issue began.

That makes it sound like you had them turn it back on.


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.