PHP5 Breaks PHP4

[gilk]

Hi,

have looked thru archives and cant find any answers. Godaddy recently removed support for PHP4 and as a consequence, stuff that has been quietly working nicely has stopped under PHP5.3.

I am able to create a new student, but when I try to update the student details get error "couldn't execute query". Here is the relevant code...with the password xxxx'd out.

<?php

/*  Program name: upd_user_details.php

*  Description:  Script displays a form with address 

*                information obtained from the database.

*/



session_start();

//set session variables  for students id number

$_SESSION['studentid'] = "$studentid";

        $studentid = $_SESSION['studentid'];  //I think this might need to be set on each page where required??dunno!

          $_SESSION['f_name'] = "$f_name";

        $f_name = $_SESSION['f_name'];  //I think this might need to be set on each page where required??dunno!

         $_SESSION['l_name'] = "$l_name";

       $l_name = $_SESSION['l_name'];  //I think this might need to be set on each page where required??dunno!

       $_SESSION['email'] = "$email";

       $email = $_SESSION['email'];  //I think this might need to be set on each page where required??dunno!



  echo "<html>

        <head><title>Student Details</title></head>

        <body>";

  // create an array that contains the labels used in the form      

  // the keys are the field names.

  $labels = array( "f_name"=>"First  Name:",

                   "l_name"=>"Last Name (Surname/Family):",

                   "salutation"=>"Dr/Mr/Mrs/Ms:",

                   "gender"=>"Gender (m or f) :",

                   "birthdate"=>"Date of Birth (yyyy-mm-dd):",

                   "email"=>"Email Address:",

                   "address1"=>"Street Address 1:",

                   "address2"=>"Street Address 2:",

                   "address3"=>"City or Town:",

                   "state"=>"State:",

                   "zip"=>"Zipcode or Postcode:",

                   "country"=>"Country:",

                   "occupation" => "Occupation: ");

  $user="distanceed";

  $host="mysql39.secureserver.net";

  $password="XXXXXXXXXXXX";

  $database = "distanceed";





  $conn = mysql_connect($host,$user,$password)

       or die ("couldn't connect to server");

  $db = mysql_select_db($database,$conn)

       or die ("Couldn't select database");

  $query = "SELECT * FROM auth_users 

                     WHERE id = $studentid ";

  $result = mysql_query($query)

       or die ("Couldn't execute query.");

.........it is at this point that the error occurs...it seems to me that the problem is with the query where id = $studentid

 

It is about 5 years since I wrote this code and i have forgotten it so I will need to get up to speed again 

 

There are some other breaks and they are all associated with passing of student id number.

Be most pleased if anyone can advise me wht PHp5 has done to PHp4 code in regard to passing of this variable ( it is an autoincremented value from a mysql database.

thanks in anticiption

[Jessica]

Use code tags on the forum.

 

Wherever you have or die ("Couldn't execute query.");

replace it with

 

or die (mysql_error().' SQL: '.$query);

So you can see the error and query.

[gilk]

OK done that!  error now

ou have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2 SQL: SELECT * FROM auth_users WHERE id =

 

also excuse my ignorance (newbie)  what do you mean by

" use code tags on the forum"

 

Now that you can see the new and enhanced error message can you pls advise where to go next.

Thanks

[ManiacDan]

When posting code, surround it in [ PHP ] and [/ PHP ] tags, without spaces inside the tags.  That's how you color your code and make it easier to read.

 

Your error message indicates that your query it malformed.  Then it prints the query.  As you can see, your query is missing the value for student ID.

 

That's because you never get the value for studentid from anywhere.  Your code initially uses it here:

 

   $_SESSION['studentid'] = "$studentid";

(This variable doesn't need to be quoted in this line)

 

You are relying on an old feature of PHP called register_globals.  I have bad news for you:  Every single one of your pages is probably broken.  Your code was assuming there was a key called 'studentid' in $_GET, $_POST, or $_COOKIE.  You have to figure out which one, and put this at the top of your file:

$studentid = $_POST['studentid'];

You then need to repeat this exercise with every single variable you use this way.  On every page, in every file. 

 

You upgraded your PHP install without knowing how it would work.  It's like upgrading your operating system.  Some of your apps will stop working.  In your case, you were doing something critically wrong and nobody told you until it was too late.  Good luck, you have a lot of changes ahead of you.

 

[gilk]

You upgraded your PHP install without knowing how it would work.

 

**it happens!...Godaddy upgraded me without my knowledge by removing support for PHP4.

Users of my system alerted me that the system was broken today.

The question now is what to do about it.

I have a perfectly good MYSQL database with lotsa good stuff in it.

Do I try and patch the old PHP4 code or should I go for a rewrite with PHP5. ( I have read that PHP6 is around the corner...I dont want this repeated when PHP5 is ditched!!!)

As far as I can see, the only problem is with the studentid variable not getting passed around like it used to.

Your wisdom would be appreciated.

thank you

 

[Jessica]

ManiacDan explained to you why that's not the only problem. It will happen elsewhere. He also explained how to fix it.

[Barand]

Register_globals was switched to "off" as the default ini file setting in PHP installations ten years ago (2002), so don't blame GoDaddy too much (except for waiting so long) - there have been warnings in the PHP manual and elsewhere for many years.

 

PS NOT recommended, as it still presents the same security risk as using register_globals, but if you need a quick fix while you rewrite your pages, add

 

extract ($_POST); 

 

to the top of each script (or $_GET if that is the method used)

[gilk]

so don't blame GoDaddy too much

Not blaming anyone.

Just wanting the quickest, best, cost effective FIX.

Hopefully that will outlast the next PHPx arrival.

I thank all for their comments.

Will also accept any further comments that might help.

Unfortunately I am about 12000 miles from my office and wont be back till October.

I can manually service my clients during this period.

I do need to implement a fix when I get back to my office.

Gives me about 35 days to get my head up to speed :'(

Maybe I should employ a PHP pro????

Thoughts?

 

 

[Barand]

see my edit to my post

[gilk]

Thank you Barand.

Just the sort of practical advice I was looking for.

[scootstah]

I have read that PHP6 is around the corner...I dont want this repeated when PHP5 is ditched

 

PHP6 was scrapped and most of the features were rolled into PHP5.4.

 

PHP5 will be supported for many years to come.

[gilk]

Phew!

not all bad then!

[ManiacDan]

Barand's solution was very dangerous and not recommended (as he noted in his post).  While it gets your site working today, your site still has security problems that are more than a decade old.  You should rewrite this with modern best practices, in PHP 5.4.

[Barand]

There's still some bad news. If you are using mysql start moving over to mysqli as mysql support will disappear soon

[PFMaBiSmAd]

I recommend a rewrite as well.

 

The posted code is apparently processing a form submission. However, it has no logic to test if a form was even submitted; it is not validating any of the submitted data (the code shouldn't even get to the point of executing the query when the $studentid is empty); and it is not doing anything to prevent sql injection/query errors due to unexpected/hacked data values.