
Register_globals and mySQL Database


genesysmedia


I developed several php scripts that insert and retrieve data to a mySQL database.  In my php.ini file register_globals were set to on.  I am now trying to tighten up my security and have set the php.ini file to set register_globals=off.  With register_globals off, my scripts will not put data into or retrieve from the mySQL database.  If I set register_globals=on they work just fine.  I would like to set register_globals=off so does anyone know what I can do to make my scripts work with it set to off?

 

Thanks in advance.


When register_globals are on, program variables $some_name are populated from the same named $_POST, $_GET, $_COOKIE, $_SESSION, $_SERVER, $_ENV, and $_FILES variables.

 

You must go through your code and use the correct $_xxxx variable to populate any program variables by the same name or use the $_xxxx variables directly. If you are using session_register(), session_is_registered(), or session_unregister(), you must go through and convert the code to use the $_SESSION variables.

Edit: Debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON will help you find some of the program variables in question. They will show up as being undefined.

Thank you...I think that is what I expected....could you give an example of what you are talking about?

 

Here is some code to retrieve from the db...how should I change it?

 

 

$dbh = mysql_connect("localhost", "{db_user}", "{password}") or die ('I cannot connect to the database.');
mysql_select_db("{db}");

// $category and $state are not assigned in this excerpt; with register_globals on, PHP fills them from the request
$sql = "SELECT * FROM jobs WHERE category = '".$category."' AND state = '".$state."' AND status = 'approved'";

$result = mysql_query($sql, $dbh);
while ($newArray = mysql_fetch_array($result)) {
    $id = $newArray['id'];
    $business_name = $newArray['business_name'];
    $contact_name = $newArray['contact_name'];
    // (the rest of the loop is not included in the post)
}

I'll guess that $category and $state are from a method="post" form?

 

At some point in your code, you will need to use $_POST['category'] and $_POST['state'] to access the actual values from the form.

 

I've also got to ask, are you using mysql_real_escape_string() on all the external string data that is being entered into a query to prevent sql injection?
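
Added example (not part of the original thread and not written by any of its posters): the retrieval script from the question rewritten to run with register_globals=off, reading category and state from $_POST as the reply guesses and passing both through mysql_real_escape_string() before they enter the query. It assumes the values arrive from a method="post" form and keeps the thread's mysql_* functions, which exist only in PHP versions before 7.0; the helper name post_value() is hypothetical.

```php
<?php
// Added example: the thread's query with register_globals=off.
// Assumption: category and state come from a method="post" form.

// Hypothetical helper: return a submitted form field as a string, or null
// when it is missing or is not a plain string (e.g. category[]=x arrays).
function post_value($name)
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return null;
    }
    return trim($_POST[$name]);
}

$category = post_value('category');
$state    = post_value('state');

if ($category === null || $state === null || $category === '' || $state === '') {
    die('Please choose a category and a state.');
}

// Placeholders in braces are the ones used in the original post.
$dbh = mysql_connect("localhost", "{db_user}", "{password}")
    or die('I cannot connect to the database.');
mysql_select_db("{db}", $dbh) or die('I cannot select the database.');

// Escape after connecting: mysql_real_escape_string() uses the connection's
// character set. The values stay inside single quotes in the SQL text.
$sql = "SELECT * FROM jobs"
     . " WHERE category = '" . mysql_real_escape_string($category, $dbh) . "'"
     . " AND state = '" . mysql_real_escape_string($state, $dbh) . "'"
     . " AND status = 'approved'";

$result = mysql_query($sql, $dbh) or die('The query failed.');

while ($row = mysql_fetch_assoc($result)) {
    // Database values are external data too: encode them for HTML output.
    echo htmlspecialchars($row['business_name']), ' - ',
         htmlspecialchars($row['contact_name']), "<br>\n";
}
```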

Archived

This topic is now archived and is closed to further replies.
