PHP register_globals question


1 reply to this topic

#1 All4172

All4172
  • Members
  • Advanced Member
  • 78 posts

Posted 28 September 2006 - 03:29 AM

I have a script that works on one server and not on the other.  I noticed register_globals is on, on the server that works, and off on the server that doesn't work.

In my code I posted below, what kind of changes do I have to make in order for it to be compatible with register_globals being off?

<?php

// Database settings
define("SERVER", "local");
define("DATABASE", "mine");
define("USERNAME", "myname");
define("DBPASSWORD", "mypw");

// IPs you want to ban, separated by spaces
define("DENYIPS", "");

// Administrator password for the admin interface, example: stats.php?a=vs&password=****
// If no password is given the admin interface will be available to anyone.
define("ADMINPASSWORD", "");

$db = mysql_connect(SERVER, USERNAME, DBPASSWORD)
    or die("Could not connect: " . mysql_error());

// True if any stored page name contains $page (case-insensitive substring match).
function checkPageExits($page) {
    $r = false; // initialised, so the result never depends on an unset variable
    $queryGetPages = "SELECT * FROM pagecounter";
    $resultGetPages = mysql_db_query(DATABASE, $queryGetPages) or die("Query failed: error was " . mysql_error());
    while ($row = mysql_fetch_array($resultGetPages)) {
        if (stristr($row["page"], $page)) {
            $r = true;
        }
    }
    return $r;
}

// Inserts a new row for $page with one visit.
function createPageEntry($page) {
    if (isset($page)) {
        // $page is the referer sent by the browser, so it is escaped before going into SQL
        $safePage = mysql_real_escape_string($page);
        $queryGetPages = "INSERT INTO `pagecounter` (`pageID`, `page`, `visits`) VALUES ('', '$safePage', '1')";
        $resultGetPages = mysql_db_query(DATABASE, $queryGetPages) or die("Query failed: error was " . mysql_error());
        return true;
    } else {
        return false;
    }
}

// Counts one visit for $page unless $ip is on the deny list.
function incrementVisits($page, $ip) {
    $denyips = explode(" ", DENYIPS);
    if (!in_array($ip, $denyips)) {
        if (isset($page)) {
            if (checkPageExits($page)) {
                $safePage = mysql_real_escape_string($page);
                $queryIncrement = "UPDATE pagecounter SET visits = visits + 1 WHERE page='$safePage'";
                $resultIncrement = mysql_db_query(DATABASE, $queryIncrement) or die("Query failed: error was " . mysql_error());
                return true;
            } elseif (createPageEntry($page)) {
                return true;
            } else {
                return false;
            }
        } else {
            return false;
        }
    } else {
        return false;
    }
}

// Renders the top pages for an authenticated admin, or the password form otherwise.
function viewStatus($self, $password) {
    $o = ""; // initialised so the string concatenation below starts from an empty string

    if (authUser($password)) {
        $queryGetData = "SELECT * FROM pagecounter ORDER BY visits DESC LIMIT 5"; // set your own LIMIT by replacing the 5
        $resultGetData = mysql_db_query(DATABASE, $queryGetData) or die("Query failed: error was " . mysql_error());

        while ($row = mysql_fetch_array($resultGetData)) {
            // Fall back to the stored page name if no <title> can be read.
            $title = $row["page"];

            // Note: this opens the stored referer URL, i.e. a value supplied by the visitor's browser.
            $fp = @fopen($row["page"], "r");
            if ($fp) {
                $fd = fread($fp, 100000);
                fclose($fp);
                $start  = strpos($fd, "<title>");
                $finish = strpos($fd, "</title>");
                if ($start !== false && $finish !== false && $finish > $start) {
                    $start += strlen("<title>");
                    $title = substr($fd, $start, $finish - $start);
                }
            }

            // Both values came from outside, so they are HTML-escaped before output.
            $o .= " &#8226;&nbsp;<a href=\"" . htmlspecialchars($row["page"]) . "\">" . htmlspecialchars($title) . "</a><BR>\n";
        }

        if (mysql_num_rows($resultGetData) == 0) {
            return "There are no active counters.\n";
        } else {
            return $o;
        }
    } else {
        $o .= " <form action=\"" . htmlspecialchars($self) . "\" method=\"post\">\n";
        $o .= " Password:\n";
        $o .= " <input name=\"password\" type=\"password\" /> \n";
        $o .= " <input type=\"hidden\" name=\"a\" value=\"vs\">\n";
        $o .= " </form>\n";
        return $o;
    }
}

// Admin access is granted when the password matches, or when no admin password is configured.
function authUser($password) {
    if ($password == ADMINPASSWORD) {
        return true;
    } elseif (ADMINPASSWORD == "") {
        return true;
    } else {
        return false;
    }
}

function resetCounter($pageID, $self, $password) {
    $pageID = (int) $pageID; // pageID is numeric, so cast it rather than trusting the request string
    $queryResetCounter = "UPDATE pagecounter SET visits = 0 WHERE pageID='$pageID'";
    $resultResetCounter = mysql_db_query(DATABASE, $queryResetCounter) or die("Query failed: error was " . mysql_error());
    return viewStatus($self, $password);
}

function deleteCounter($pageID, $self, $password) {
    $pageID = (int) $pageID;
    $queryDeleteCounter = "DELETE FROM pagecounter WHERE pageID = '$pageID'";
    $resultDeleteCounter = mysql_db_query(DATABASE, $queryDeleteCounter) or die("Query failed: error was " . mysql_error());
    return viewStatus($self, $password);
}

// $a, $password and $pageID are request parameters, and $HTTP_REFERER, $REMOTE_ADDR
// and $PHP_SELF are server variables; all of them only exist as plain variables
// here because register_globals is on.
switch ($a) {
    default:
        // Serve a tiny transparent image and count the page that embedded it.
        header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
        header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
        header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
        header("Pragma: no-cache"); // HTTP/1.0
        header("Content-type: image/png"); // the image below is written with ImagePng
        $im = @ImageCreate(30, 10)
            or die("Cannot Initialize new GD image stream");
        $white = ImageColorAllocate($im, 255, 255, 255);
        $trans = imagecolortransparent($im, $white);
        ImagePng($im);
        incrementVisits($HTTP_REFERER, $REMOTE_ADDR);
        break;
    case "vs":
        print viewStatus($PHP_SELF, $password);
        break;
    case "rc":
        print resetCounter($pageID, $PHP_SELF, $password);
        break;
    case "dc":
        print deleteCounter($pageID, $PHP_SELF, $password);
        break;
}

mysql_close($db);

?>



#2 steveclondon

steveclondon
  • Members
  • Advanced Member
  • 161 posts

Posted 28 September 2006 - 07:36 AM

Any time a variable is passed through the URL with globals on, you can use it anywhere in your script, i.e. script URL: index.php?user=1

You would then access this using $user, e.g. echo $user. If globals are off, which they should be for security, you would then need to use $_GET['user'], e.g. at the top of your page you would do the following: $user=$_GET['user']. Now all references to $user below would work. It is the same with variables from forms as well. These now need to be accessed by $_POST['your_variable_name_here'].

The best thing to do is to ensure that your test server has globals off and you have all errors and warnings being displayed (set in your php.ini file). Then run the script and read the errors. They should give you the line numbers of variables that are not set. See what they are and where they came from, then make the changes.
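As an added example, not code from either post or from the author of the counter script, here is the request-handling part of that script written the way the reply describes: every value the script used to pick up as a bare global is read explicitly from $_GET, $_POST or $_SERVER in one place, with a default, and the switch is driven by that array. The function names requestParam, readRequest and dispatch, the in-memory handlers standing in for the pagecounter table, and the constructed sample request are assumptions made for this example; the parameter names a, password and pageID and the server variables HTTP_REFERER, REMOTE_ADDR and PHP_SELF are the ones the posted script uses. Giving every value an explicit default is the point: with register_globals on, any variable the script never initialises (such as $r in checkPageExits or $o in viewStatus) can be populated from the request, which is why the setting was removed in PHP 5.4; reading inputs explicitly removes that, while extract($_REQUEST) or import_request_variables() would bring it straight back.

```php
<?php
// Added example, not from the original thread: the counter script's request
// handling rewritten to work with register_globals = Off.
// Assumed: parameter names a, password, pageID and server variables
// HTTP_REFERER, REMOTE_ADDR, PHP_SELF as used by the posted script; handlers
// are passed in as callables so this file runs on its own without MySQL.

/** Return one parameter, checking the query string first, then the posted form. */
function requestParam(array $get, array $post, $name, $default = '')
{
    if (isset($get[$name])) {
        return (string) $get[$name];
    }
    if (isset($post[$name])) {
        return (string) $post[$name];
    }
    return $default;
}

/**
 * Gather every value the posted script picked up as a bare global.
 * Each one is read from the superglobal it really lives in, with an explicit
 * default, so nothing the script relies on is ever left unset.
 */
function readRequest(array $get, array $post, array $server)
{
    return array(
        'a'        => requestParam($get, $post, 'a'),               // was $a
        'password' => requestParam($get, $post, 'password'),        // was $password
        'pageID'   => (int) requestParam($get, $post, 'pageID', 0), // was $pageID (numeric id)
        'referer'  => isset($server['HTTP_REFERER']) ? (string) $server['HTTP_REFERER'] : '', // was $HTTP_REFERER
        'ip'       => isset($server['REMOTE_ADDR'])  ? (string) $server['REMOTE_ADDR']  : '', // was $REMOTE_ADDR
        'self'     => isset($server['PHP_SELF'])     ? (string) $server['PHP_SELF']     : '', // was $PHP_SELF
    );
}

/** The switch from the posted script, driven by the array above instead of bare globals. */
function dispatch(array $req, array $handlers)
{
    switch ($req['a']) {
        case 'vs':
            return call_user_func($handlers['viewStatus'], $req['self'], $req['password']);
        case 'rc':
            return call_user_func($handlers['resetCounter'], $req['pageID'], $req['self'], $req['password']);
        case 'dc':
            return call_user_func($handlers['deleteCounter'], $req['pageID'], $req['self'], $req['password']);
        default:
            return call_user_func($handlers['incrementVisits'], $req['referer'], $req['ip']);
    }
}

// On a web server the script would start with: $req = readRequest($_GET, $_POST, $_SERVER);
// Stand-alone demonstration with a constructed request instead:
if (PHP_SAPI === 'cli') {
    error_reporting(E_ALL);          // the reply's advice: surface every "undefined variable" notice
    ini_set('display_errors', '1');

    $pages = array();                // constructed in-memory stand-in for the pagecounter table: pageID => row
    $handlers = array(
        'incrementVisits' => function ($page, $ip) use (&$pages) {
            if ($page === '') {
                return false;        // no referer: nothing to count, like the original isset() check
            }
            foreach ($pages as $id => $row) {
                if ($row['page'] === $page) {
                    $pages[$id]['visits']++;
                    return true;
                }
            }
            $pages[count($pages) + 1] = array('page' => $page, 'visits' => 1);
            return true;
        },
        'viewStatus'    => function ($self, $password) use (&$pages) { return $pages; },
        'resetCounter'  => function ($id, $self, $password) use (&$pages) {
            if (isset($pages[$id])) { $pages[$id]['visits'] = 0; }
            return $pages;
        },
        'deleteCounter' => function ($id, $self, $password) use (&$pages) {
            unset($pages[$id]);
            return $pages;
        },
    );

    // Constructed server variables for a page that embeds the counter image.
    $server = array('PHP_SELF' => '/stats.php', 'REMOTE_ADDR' => '192.0.2.10',
                    'HTTP_REFERER' => 'http://www.example.com/index.html');

    // Two image hits: no "a" parameter, so the default branch counts the referer.
    dispatch(readRequest(array(), array(), $server), $handlers);
    dispatch(readRequest(array(), array(), $server), $handlers);

    // The admin submits the password form (a=vs in the hidden field, password posted).
    print_r(dispatch(readRequest(array(), array('a' => 'vs', 'password' => 'example-password'), $server), $handlers));

    // Reset counter 1 through the query string, as stats.php?a=rc&pageID=1&password=... would.
    print_r(dispatch(readRequest(array('a' => 'rc', 'pageID' => '1', 'password' => 'example-password'), array(), $server), $handlers));
}
```

Run it with php from the command line to see the in-memory table after the two hits and after the reset; in the real script the same readRequest() call would replace the bare $a, $password, $pageID, $HTTP_REFERER, $REMOTE_ADDR and $PHP_SELF, and the existing functions would be called unchanged with values from $req.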



