register globals

[brown2005]

if(!isset($page))$page="home";

switch($page)
{

case "home":$file="files/home.php";
break;

case "test":$file="files/test.php";
break;

}

 

i have this code for changing pages, and i asked in a previous post about why it would work in one site and not in another, and i was told to switch on register globals, which i have seen a few times, as should be off, but how would i get around the above code, if i have them off

[revraz]

Where do you set the $page variable?  Is it from a URL or from a FORM POST?

[brown2005]

if i understand correctly.

 

index.php?page=whateverpage here

 

and this is the page i want to load.

[kenrbnsn]

Never turn on register globals

 

To make your code work, you need to use the correct superglobal array, in this case $_GET

<?php
$page = (isset($_GET['page']))?$_GET['page']:'home';

switch($page) {
   case "home":
      $file="files/home.php";
      break;
   case "test":
      $file="files/test.php";
      break;
}
?>

 

Ken

[PFMaBiSmAd]

i was told to switch on register globals

 

I hope that was not on this forum!

[brown2005]

i was told to switch on register globals

 

I hope that was not on this forum!

 

no, i mean i wasnt told to turn them on.. i was told

 

Probably the fact the one has register globals off (recommended) and one has them on (frowned upon).

 

but i turned them on. which i now know was a no no.

[killah]

What's wrong with register global's on if i may ask?

[revraz]

Easy to inject your own variables as a hacker.

[premiso]

but i turned them on. which i now know was a no no.

 

Turn them off and fix your code to work properly. It is a security risk having them on and they will soon be left out (I think PHP6 you can no longer turn them on/off). Read up on them at http://www.php.net/register_globals

 

Basically instead of accessing the variable with just $varname it would be $_GET['varname']. It is a very basic and easy change/fix to any code, just some people are to lazy to take the hour or so it may take to fix their variable declarations.

 

EDIT:

Security risk, potentially anyone can gain authenticated access to a site if the site is not coded properly by declaring variables. For example $_SESSION['loggedin'] is what a bunch of people use. If they just access this by $loggedin I just pass page.php?loggedin=true  and wham I am authenticated.  (Given that they did not code for this which if register_globals is on the chances are high.)

[PFMaBiSmAd]

That's not a statement that is telling you to turn them on.

 

Why do I hope it was not on this forum, because register_globals was the worst security hole that was intentionally and deliberately added to a programming language.