invincible_virus Posted September 21, 2008 Share Posted September 21, 2008 Hi, I had developed a web-site using php 4. Now, I have upgraded to php 5. I have a form which is something like - <form name="formPG" method="post" action="search.php" style="margin: 0pt;" > <tr> <td colspan="2" align="left" valign="top"><select class=textboxes1 name="Budget"> <option selected value="1">Select</option> <option value="2">1000-2000</option> <option value="3">2000-3000</option> <option value="4">3000-4000</option> <option value="5">4000-5000</option> <option value="6">Above 5000</option> <option value="7">Negotiable</option> </select></td> </tr> </form> and a php file acting on this form submit, which reads the request params as - $Budget Now, my problem is that after upgrading to php 5, this variable is never read by th action file properly and its value is always 0. I tried to read through the backward incompatibility issues with php5, but could not find this one listed there. Do I need to change the whole code to be like - $_REQUEST['Budget'] Quote Link to comment Share on other sites More sharing options...
chronister Posted September 21, 2008 Share Posted September 21, 2008 The proper way to receive POST data from a form is this..... $field = $_POST['fieldName']; The reason you could simply use $fieldName is because register_globals was turned on by default. This is bad as it will accept most any post, get and request data and turn it into a variable automatically. Not good security. So now it is turned off, which is the way it should be. So for post data, use the above. For GET data, use $_GET['varName']; Nate Quote Link to comment Share on other sites More sharing options...
invincible_virus Posted September 21, 2008 Author Share Posted September 21, 2008 Thanks chronister. can you tell me, where is this configuration 'register_globals ' defined? Also, is there any security difference in using $_GET['varName']; and $_REQUEST['varName']; ? Quote Link to comment Share on other sites More sharing options...
JasonLewis Posted September 21, 2008 Share Posted September 21, 2008 The register_globals setting is located in your php.ini file. Just Ctrl+F to find it, make sure it's OFF! Quote Link to comment Share on other sites More sharing options...
chronister Posted September 21, 2008 Share Posted September 21, 2008 register_globals is defined in the php.ini file.... I don't suggest finding it and turning it on. Do the right thing and code the site properly and don't rely on unsecure methods from old versions. $_REQUEST contains: $_COOKIE, $_GET, and $_POST variables if you use $_REQUEST you have no guarantee that the data came from the post data, which leads to security holes in your script You can use $_REQUEST, but it can be problematic if you are expecting POST data with var name foo and a bad user messes with cURL and throws the post data in there and then injects some get data with the name foo as well. I am not sure which one $_REQUEST will settle on, but you can see where issues may arise. Best to use the method your expecting and forget $_REQUEST exists.... I am sure there are perfectly valid uses for it, but I have not needed it yet. Nate Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.