acegames Posted August 19, 2008

Hello, I am trying to run a script with REGISTER_GLOBALS off and need help with this line of code, if anyone could help please:

```php
if ($upload="upload"&&$superdat_name){
```

I'm trying to change it to something like this but it's wrong:

```php
if (isset($_REQUEST['upload']="upload"&&$superdat_name){
```

wildteen88 Posted August 19, 2008

```php
if (isset($_REQUEST['upload']="upload"&&$superdat_name){
```

should be

```php
if (isset($_POST['upload']) && $_POST['upload'] == "upload" && isset($_POST['superdat_name'])){
```

Try to avoid using $_REQUEST, as this variable includes _POST, _GET and _COOKIE data at the same time. You should instead use either $_POST, $_GET or $_COOKIE variables.

acegames Posted August 19, 2008

Thank you for your swift reply. I thought that line would fix my script but it has not. I have worked all day on it and still have not got it working, and must ask again for help to point me in the right direction please.

All I'm wanting to do is get this script working with REGISTER_GLOBALS off, and I really do appreciate the time and help anybody can spare me.

```php
<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Cache-Control" content="no-cache, must-revalidate" />
<link rel="stylesheet" href="style1.css" type="text/css" />
<title>Members Photos</title>
</head>
<body>
<div class="house-text-center">Members Photos</div>
<div class="house-text-center"></div>
<div class="link"><img src="./images/bullet_right.gif" alt="" width="8" height="8"/><a href="index.php"> Browse All Photos</a></div>
<div class="house-label-center">Upload Your Photo</div>
<div class="house-text-center">
<?php
// ORIGINAL LINE OF CODE
// if ($upload="upload"&&$superdat_name){
if (isset($_POST['upload']) && $_POST['upload'] == "upload" && isset($_POST['superdat_name'])){
    if (!eregi("\.(gif|bmp|jpeg|jpg)$",$superdat_name)){
        print "<b>Unsuported File extention!!!</b>";
    }else{
        $superdat_name = preg_replace(
            '/[^a-zA-Z0-9\.\$\%\'\`\-\@\{\}\~\!\#\(\)\&\_\^]/'
            ,'',str_replace(array(' ','%20'),array('_','_'),$superdat_name));
        if(strlen($superdat_name)>53){
            print "<b>File Name to long!!!</b>";
        }else{
            if (empty($superdat)) {
                print "<b>No input file specified!!!</b>";
            }else{
                copy("$superdat", "uploads/$superdat_name") or die("Couldn't copy file.");
                $date=(date("H:i - j/n"));
                $fsize=round($superdat_size/1024,1);
                $size = $fsize." KB";
                $ip = getenv("REMOTE_ADDR");
                $useragent = getenv("HTTP_USER_AGENT");
                include "init_vars.inc";
                mysql_connect($mysqlserver,$username,$password);
                @mysql_select_db($database) or die( "Unable to select database");
                $query = "INSERT INTO membersphotos (id, approved, filename, name, size, datetime, ip, useragent) VALUES ('', '0', '$superdat_name', '$superdat_name', '$size', '$date', '$ip', '$useragent')";
                $result = mysql_query($query);
                if (!$result) {
                    print "SQL error: " .mysql_error();
                }
                mysql_close();
                echo "<b>$superdat_name</b> Has been uploaded it wont be displayed untill approved";
            }
        }
    }
}
?>
<FORM ACTION="upload.php" METHOD="POST" ENCTYPE="multipart/form-data">
<br/><br/><b>Photo :</b><br/>
<input type="file" name="superdat"/><br/>
<input type="hidden" name="upload" value="upload"/><br/>
<INPUT TYPE="SUBMIT" NAME="submit" VALUE="Upload File"/><br/>
RENAME FILES FIRST You can upload Photos with folowing extentions:<br/>
*.jpg *.gif *.bmp <br/> <br/>
</FORM>
</div>
<div class="link"><img src="./images/bullet_right.gif" alt="" width="8" height="8"/><a href="./">Members Photos Main</a></div>
<div class="house-text-center"> Members Photos </div>
</body>
</html>
```

wildteen88 Posted August 19, 2008

Um, your code will need to be mostly rewritten. You won't fix it by changing a single line; this is the problem with scripts which rely on register_globals.

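One way to do that rewrite, added here as an example and not written by anyone in the thread: the upload is read explicitly from `$_FILES` and `$_POST`, and the insert uses a PDO prepared statement instead of interpolating the file name and User-Agent into the query. It assumes PHP 7.1 or later, that `init_vars.inc` defines the four connection variables used in the posted script, and that `membersphotos.id` is generated by the database; `store_photo` is a hypothetical helper name.

```php
<?php
// Added example (PHP 7.1+). Field names match the form posted above.
function store_photo(array $post, array $files, string $destDir): array
{
    if (($post['upload'] ?? '') !== 'upload' || !isset($files['superdat'])) {
        return [false, 'No input file specified'];
    }
    $file = $files['superdat'];   // keys: name, tmp_name, size, error
    if (is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'No input file specified'];
    }
    // The client-supplied name is untrusted: strip any path, then whitelist.
    $name = basename(str_replace('\\', '/', $file['name']));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', str_replace(' ', '_', $name));
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*\.(gif|bmp|jpe?g)$/i', $name)) {
        return [false, 'Unsupported file extension'];
    }
    if (strlen($name) > 53) {
        return [false, 'File name too long'];
    }
    // move_uploaded_file() only accepts a file PHP received in this request.
    if (!move_uploaded_file($file['tmp_name'], $destDir . '/' . $name)) {
        return [false, "Couldn't copy file"];
    }
    // Values in the column order used by the INSERT below.
    return [true, [$name, $name, round($file['size'] / 1024, 1) . ' KB',
        date('H:i - j/n'), $_SERVER['REMOTE_ADDR'] ?? '',
        $_SERVER['HTTP_USER_AGENT'] ?? '']];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$ok, $result] = store_photo($_POST, $_FILES, __DIR__ . '/uploads');
    if (!$ok) {
        echo '<b>' . htmlspecialchars($result) . '</b>';
    } else {
        include 'init_vars.inc';  // $mysqlserver, $username, $password, $database
        $db = new PDO("mysql:host=$mysqlserver;dbname=$database", $username, $password);
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Bound parameters keep the file name and User-Agent out of the SQL text.
        $stmt = $db->prepare('INSERT INTO membersphotos
            (approved, filename, name, size, datetime, ip, useragent)
            VALUES (0, ?, ?, ?, ?, ?, ?)');
        $stmt->execute($result);
        echo '<b>' . htmlspecialchars($result[0]) . '</b> has been uploaded;'
            . ' it will not be displayed until approved';
    }
}
```

The extension check says nothing about the file's content, so the `uploads` directory should be configured so that the web server never executes files stored in it.
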
acegames Posted August 19, 2008

Thank you, I might have to start from scratch or hire someone to fix it for me.

nitation Posted August 20, 2008

Include this piece of code at the start of the page:

```php
<?php
@extract($_GET);
@extract($_POST);
@extract($_SESSION);
?>
```

Hope this helps.

Regards...

kenrbnsn Posted August 20, 2008

Using extract() in that manner is as bad as having register globals turned on.

Ken

nitation Posted August 20, 2008

@ken

I only wrote him that code for temporary usage. Sorry I didn't say it's a risk. Let me ask you Ken, explain in a sentence what basic risk does one face in using such code.

Regards

kenrbnsn Posted August 20, 2008

In your code, assume you're expecting a variable to come in via the URL, i.e. $_GET, but if someone invokes your code and populates the $_POST array with an identical variable which has a hack attempt in it, using the extract() in that manner will cause the good value from the $_GET array to be overwritten with the bad value from the $_POST array and you won't know about it.

Ken

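The overwrite Ken describes, as an added example that is not part of his post: constructed arrays stand in for `$_GET` and `$_POST`, and the second function shows the explicit read that avoids the collision. The function names and the `$approved` variable are hypothetical; PHP 7 or later is assumed.

```php
<?php
// Constructed request data standing in for $_GET and $_POST.
$get  = ['id' => '42'];
$post = ['id' => 'not-a-number', 'approved' => '1'];

// What the extract() snippet does: every request key becomes a variable.
function read_with_extract(array $get, array $post): array
{
    $approved = '0';     // hypothetical value the script set itself
    extract($get);
    extract($post);      // default EXTR_OVERWRITE replaces $id and $approved
    return ['id' => $id, 'approved' => $approved];
}

// Explicit read: one named key, from one named source, validated.
function read_explicitly(array $get): array
{
    $approved = '0';
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    return ['id' => $id, 'approved' => $approved];
}

var_dump(read_with_extract($get, $post));
var_dump(read_explicitly($get));
```
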
nitation Posted August 20, 2008

@ken

Kindly provide sample code of what you are talking about.

Regards

acegames Posted August 21, 2008

> @ken
> Kindly provide sample code of what you are talking about.
> Regards

The script I'm using is posted above, thanks.