Ruddy Posted September 1, 2011 Share Posted September 1, 2011 Hey, Im new here (First post) and I need some help with variables. At the moment I have one main file where all variables have been defined and this page has been included in every page that has been made for the rest of the site. It defines them like this: $query="SELECT * FROM user WHERE name='$name'"; $result=mysql_query($query); $result=mysql_fetch_array($result); $name=$result["name"] $money=$result["money"]; But users are able to change variables using the URL e.g www.test.com/index.php?money=1000000. That would then say they have 1,000,000 money on that page but when they change the page it will go back to the amount that is in the database. I would like to stop this as its not good for the site and there has to be a better way to be doing this. I would like to learn about this so any help would be great. I would like it if someone could add me on skype or somthing like that to help me do this faster then posting on a forum. Thank you very much, Alex Quote Link to comment https://forums.phpfreaks.com/topic/246218-need-help-with-moving-variables/ Share on other sites More sharing options...
premiso Posted September 1, 2011 Share Posted September 1, 2011 If they can change it with a get variable, then something is wrong and my bet is that register_globals is turned on in the php.ini file, which is a huge security vulnerability. Changing that to off should fix it, but may also break your application. To fix it without doing that, initialize variables at the top of the script. IE: <?php $money = ""; $name = ""; /// your other code here $query="SELECT * FROM user WHERE name='$name'"; $result=mysql_query($query); $result=mysql_fetch_array($result); $name=$result["name"] $money=$result["money"]; Which should prevent the get variable from ever being used. If you need the name in a get variable change that line to this: $name = isset($_GET['name'])?mysql_real_esacpe_string($_GET['name']):''; But of course without seeing a bit more code, I am just working blindly. Quote Link to comment https://forums.phpfreaks.com/topic/246218-need-help-with-moving-variables/#findComment-1264503 Share on other sites More sharing options...
Ruddy Posted September 1, 2011 Author Share Posted September 1, 2011 Hey, thank you for a fast reply. I have checked and register_globals is OFF. So it cant be that, any other ideas? Also I cant put the file up here as it is a BIG file and I dont want people to see it as it is being used on a game at the moment. Thanks, Alex Quote Link to comment https://forums.phpfreaks.com/topic/246218-need-help-with-moving-variables/#findComment-1264516 Share on other sites More sharing options...
premiso Posted September 1, 2011 Share Posted September 1, 2011 I would post it as private to pastebin, then after you get it resolved remove the pastebin, as you should have access to do that (link the pastebin here). Quote Link to comment https://forums.phpfreaks.com/topic/246218-need-help-with-moving-variables/#findComment-1264521 Share on other sites More sharing options...
Ruddy Posted September 1, 2011 Author Share Posted September 1, 2011 To me it dont feel safe doing that and would rather not and I know this just makes it harder for you to help me but I cant see why anything else in this file would help. Its my config file for the whole game and thats the only bit that is causing a problem. But it goes somthing like this if this is any help. http://pastebin.com/qSmcAjaW Thanks again, Alex Quote Link to comment https://forums.phpfreaks.com/topic/246218-need-help-with-moving-variables/#findComment-1264532 Share on other sites More sharing options...
premiso Posted September 1, 2011 Share Posted September 1, 2011 You can delete it now. Where your issue is, is this part: foreach($_GET as $key=>$val) { $$key=$val; } foreach($_POST as $key=>$val) { $$key=$val; } That turns any POST/GET into a variable. This is just the same as register_globals. So yea, if you want to do this, put it at top, and any variables that you do not want to be able to be changed by this, make sure you intiialize that variable after that, to prevent hijacking. Quote Link to comment https://forums.phpfreaks.com/topic/246218-need-help-with-moving-variables/#findComment-1264557 Share on other sites More sharing options...
Ruddy Posted September 1, 2011 Author Share Posted September 1, 2011 Wow, duh? Thank you so much thats been getting on my nerves! Thank you very much indeed, Alex ------- Dam, i have just checked my site and it has a forum and now i cannot view the topics. The link is like this. <A HREF="forums.php?cat=<?PHP print $cat;?>&act=viewtopic&topic=<?PHP print $topic;?>"><B STYLE="font-size:18px;"><?PHP print $title; ?></B></A> Any help there? Quote Link to comment https://forums.phpfreaks.com/topic/246218-need-help-with-moving-variables/#findComment-1264561 Share on other sites More sharing options...
premiso Posted September 1, 2011 Share Posted September 1, 2011 If they are allowed via get variables: $cat = isset($_GET['cat'])?$_GET['cat']:''; Rinse and repeat for each time there, topic, title etc. Do that before you echo that line or somewhere near the top of the script. Quote Link to comment https://forums.phpfreaks.com/topic/246218-need-help-with-moving-variables/#findComment-1264565 Share on other sites More sharing options...
Ruddy Posted September 1, 2011 Author Share Posted September 1, 2011 That didnt seem to work. erm, dont know if this helps but the cats are done like this. Also any chance you could try and explain the problem a little to me? (So I can learn from it a little) if($_REQUEST["cat"]=="general") { $cat="general"; $catname="General Forums"; } else if($_REQUEST["cat"]=="news") { $cat="news"; $catname="News"; } Quote Link to comment https://forums.phpfreaks.com/topic/246218-need-help-with-moving-variables/#findComment-1264567 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.