genesysmedia Posted July 13, 2009

I developed several PHP scripts that insert and retrieve data to a MySQL database. In my php.ini file register_globals were set to on. I am now trying to tighten up my security and have set the php.ini file to set register_globals=off. With register_globals off, my scripts will not put data into or retrieve from the MySQL database. If I set register_globals=on they work just fine. I would like to set register_globals=off, so does anyone know what I can do to make my scripts work with it set to off? Thanks in advance.

PFMaBiSmAd Posted July 13, 2009

When register_globals are on, program variables $some_name are populated from the same named $_POST, $_GET, $_COOKIE, $_SESSION, $_SERVER, $_ENV, and $_FILES variables. You must go through your code and use the correct $_xxxx variable to populate any program variables by the same name or use the $_xxxx variables directly.

If you are using session_register(), session_is_registered(), or session_unregister(), you must go through and convert the code to use the $_SESSION variables.

Edit: Debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON will help you find some of the program variables in question. They will show up as being undefined.

genesysmedia Posted July 13, 2009 (Author)

Thank you... I think that is what I expected... could you give an example of what you are talking about? Here is some code to retrieve from the db... how should I change it?

$dbh = mysql_connect("localhost", "{db_user}", "{password}")
    or die ('I cannot connect to the database.');
mysql_select_db("{db}");
// $category and $state are only defined here when register_globals is on
$sql = "SELECT * FROM jobs WHERE category = '".$category."' AND state = '".$state."' AND status = 'approved'";
$result = mysql_query($sql, $dbh);
while ($newArray = mysql_fetch_array($result)) {
    $id = $newArray['id'];
    $business_name = $newArray['business_name'];
    $contact_name = $newArray['contact_name'];
    // rest of the loop body is not shown in the post
}

PFMaBiSmAd Posted July 13, 2009

I'll guess that $category and $state are from a method="post" form? At some point in your code, you will need to use $_POST['category'] and $_POST['state'] to access the actual values from the form.

I've also got to ask, are you using mysql_real_escape_string() on all the external string data that is being entered into a query to prevent SQL injection?
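
One way to rewrite the query from the thread for register_globals=off, as an added example that is not code from either poster: it reads category and state explicitly from the request array and binds them as query parameters. It uses PDO prepared statements in place of the mysql_* functions and mysql_real_escape_string() discussed above (the mysql extension was removed in PHP 7). Assumptions: an in-memory SQLite table with constructed rows stands in for the MySQL jobs table, and the helper names request_string and find_approved_jobs are hypothetical.

```php
<?php
// Added example: constructed rows in an in-memory SQLite database stand in
// for the thread's MySQL `jobs` table so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE jobs (id INTEGER PRIMARY KEY, business_name TEXT,
            contact_name TEXT, category TEXT, state TEXT, status TEXT)");
$pdo->exec("INSERT INTO jobs (business_name, contact_name, category, state, status) VALUES
            ('Acme Plumbing', 'Pat', 'plumbing', 'OH', 'approved'),
            ('Hidden Co', 'Sam', 'plumbing', 'OH', 'pending')");

/**
 * Read one string field from the request array explicitly (hypothetical helper).
 * With register_globals off, nothing creates $category or $state for you.
 */
function request_string(array $source, string $key, int $maxLen = 64): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;            // missing, or an array such as category[]=x
    }
    $value = trim($source[$key]);
    return ($value === '' || strlen($value) > $maxLen) ? null : $value;
}

/** Same query as in the post, with bound parameters instead of concatenation. */
function find_approved_jobs(PDO $pdo, array $post): array
{
    $category = request_string($post, 'category');
    $state    = request_string($post, 'state');
    if ($category === null || $state === null) {
        return [];              // reject incomplete input before touching the DB
    }
    $stmt = $pdo->prepare(
        "SELECT id, business_name, contact_name FROM jobs
         WHERE category = :category AND state = :state AND status = 'approved'"
    );
    $stmt->execute([':category' => $category, ':state' => $state]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_POST; in a real script pass $_POST itself.
$normal = ['category' => 'plumbing', 'state' => 'OH'];
$quoted = ['category' => 'plumbing', 'state' => "OH' OR status = 'pending"];

print_r(find_approved_jobs($pdo, $normal));
// The value containing quotes is compared as a literal string, never parsed as SQL.
var_dump(find_approved_jobs($pdo, $quoted));
```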