php and url


#1

I have a question about using the ?string in my url with PHP. In my production site the ?string is working with passing an id number so I can query from it, but it is not working on my test machine. Do I need to set a value or enable something within the config file? My test machine is Windows and my production machine is Unix. Help!


#2

Using the ? in a URL is to allow parameters to be passed (and subsequently assigned as variables) in the receiving page.

i.e.

http://phphelp.com/forums/posting.php?mode=quote&p=27440

This URL passes 2 parameters (separated by the &) to the page of posting.php at http://phphelp.com in the directory of forums.

In the php page/script the variables of mode and p would get assigned the values of quote and 27440 respectively. This method of passing data is called the GET method.

Making this data available to scripts automatically has become somewhat of a problem as it’s a way to exploit a server. Commands could be passed in a variable to do malicious things. Thus with recent versions of PHP the default for a value called register_globals is set to OFF. (This is a GOOD thing). Thus to access the data you would need to use the “Super Global” array of $_GET[] to obtain the variable data. (more information is available at http://us3.php.net/variables.predefined ).

With that in mind you should probably ALWAYS code as if the register_globals is OFF. This way your code is portable across servers.

Anyway, using the URL example above you get the data as follows:

http://phphelp.com/forums/posting.php?m … te&p=27440

with register_globals ON you could get the data as follows:

[php]

<?php
echo "$mode ";            // echoes out quote
echo "$p ";               // echoes out 27440
echo "{$_GET['mode']} ";  // echoes out quote
echo "{$_GET['p']} ";     // echoes out 27440
?>

[/php]

with register_globals OFF you could get the data as follows:

[php]

<?php
echo "$mode ";            // echoes out NOTHING (or perhaps an error)
echo "$p ";               // echoes out NOTHING (or perhaps an error)
echo "{$_GET['mode']} ";  // echoes out quote
echo "{$_GET['p']} ";     // echoes out 27440
?>

[/php]

I hope this helps clear it up.
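
The difference described in post #2, as an added example that is not part of the original thread: the first function emulates what register_globals = On did to a script's variables, and the other two read the `p` parameter explicitly, validate it as an integer and use it in a prepared query. The function names, the `posts` table and `$sampleQuery` are hypothetical or constructed, and the script assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not code from the thread. $sampleQuery is constructed and
// stands in for $_GET; the function names and posts table are hypothetical.

// Emulates register_globals = On: extract() turns every query parameter into
// a local variable, so a request can pre-set a flag the script never assigned.
function legacy_is_admin(array $query): bool
{
    extract($query);   // emulation only; never call this on request data
    // $is_admin was meant to come from a login check that did not run.
    return !empty($is_admin);
}

// register_globals = Off style: read one named key from the array you expect
// and accept it only if it is a positive integer.
function read_id(array $query, string $key): ?int
{
    $id = filter_var($query[$key] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Use the validated id in a prepared statement; null means "no such row"
// or "parameter missing or not numeric".
function find_title(PDO $db, array $query, string $key): ?string
{
    $id = read_id($query, $key);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

// Constructed data: an in-memory table and a query string like the one above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts VALUES (27440, 'php and url')");
$sampleQuery = ['mode' => 'quote', 'p' => '27440', 'is_admin' => '1'];

var_dump(legacy_is_admin($sampleQuery));                     // flag set by the URL
var_dump(find_title($db, $sampleQuery, 'p'));                // row looked up by id
var_dump(find_title($db, ['p' => 'not-a-number'], 'p'));     // rejected before SQL
```

In a real page the array passed in would be `$_GET`, which works the same whether register_globals is ON or OFF.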


#3
:D Thanks! That was my problem. I knew it was something that needed to be set within a config or ini file.

#4

Please also read the following security article about register_globals, as enabling it poses a serious security risk!


#5

Absolutely… You should try everything possible to run your code with register_globals OFF (in favor of the super globals).

The sad part is there are some (otherwise good) Packages that will only run if Register_globals is on.


#6

Indeed, but I’d say manually changing them into using superglobals is worth every drop of sweat in the end towards making your package/webpage/website more secure.

On a sidenote, wouldn’t those packages not work on versions of PHP that have the register_globals enabled by default? Otherwise … the creators of those packages KNEW that they were causing security holes.