
Hi all

Running PHP Version 5.2.11 and we've been given a site which we're told was running on an earlier version (4 possibly).

We've an odd problem where several pages which have a bunch of forms which update the MySQL database are not working. The problem is that the variables used in the update script are not being defined anywhere in the PHP beforehand, e.g.

$qry = "UPDATE users SET FirstName='$form_firstname' WHERE UserID='$id'";

Now if we change it to..

$form_firstname = $_POST['form_firstname'];
$qry = "UPDATE users SET FirstName='$form_firstname' WHERE UserID='$id'";

then the update works. We could do this for every single variable defined in every update statement, but I'm thinking that, seeing as this must have worked previously, we're looking at some deprecated code somewhere that forms these variables. I've looked for any

import_request_variables

statements but nada.

Can anyone think of anything that would be turned off by default in a new server that would cause this or does this variable have to be declared somewhere?

Cheers muchly

  • What domain did you say your site was on? evil grin Nah, seriously: This is the result of either a noob developer or a lazy developer or a developer squashed by ignorant managers. Probably a combo of all of 'em. Now you (or your client) is paying the price of old sloppiness. Commented Feb 19, 2010 at 12:39

4 Answers


This is register_globals. DO NOT use this; it is a gaping security hole.


4 Comments

I adhere to this comment. Check it out: php.net/manual/en/security.globals.php
Ah gotcha, so we need to manually chuck the $_POST's in then?
@Stu, not only that, you need to 1) escape them; or 2) use prepared statements.
Yes, it is always best to access $_POST and $_GET explicitly.
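The following is an added example, not code from the question or the answer above, showing why register_globals is a hole and what the explicit form looks like. Because the directive no longer exists on current PHP (it was removed in 5.4), the legacy behaviour is emulated with extract() over a constructed request array; the function names, the "authorized" flag and the sample values are assumptions made for the illustration. It assumes PHP 7 or later for the type declarations.

```php
<?php
declare(strict_types=1);

// Emulates register_globals with extract() so the hazard can be shown on a PHP
// version that no longer has the directive (it was removed in PHP 5.4).
function legacyPage(array $request, bool $passwordOk): string
{
    // With register_globals, every request key already existed as a variable
    // here before the first line of the script ran. extract() does the same.
    extract($request);

    if ($passwordOk) {
        $authorized = true;
    }
    // $authorized is never initialised on the failure path, so whatever the
    // request supplied for "authorized" decides the outcome.
    if (!empty($authorized)) {
        return "welcome, $form_firstname";
    }
    return 'access denied';
}

// The same page reading its input explicitly from the superglobal.
function explicitPage(array $post, bool $passwordOk): string
{
    $authorized = $passwordOk;   // initialised, and not taken from the request

    $firstName = isset($post['form_firstname']) ? trim((string) $post['form_firstname']) : '';
    // Validate before use: letters, spaces, apostrophes and hyphens, 1-50 chars.
    if (!preg_match('/^[\p{L} \'-]{1,50}$/u', $firstName)) {
        return 'invalid first name';
    }
    return $authorized ? "welcome, $firstName" : 'access denied';
}

// Constructed request: a visitor who failed the password check but added
// authorized=1 to the submitted form (or query string).
$request = ['form_firstname' => 'Alice', 'authorized' => '1'];

echo 'legacy:   ', legacyPage($request, false), PHP_EOL;
echo 'explicit: ', explicitPage($request, false), PHP_EOL;
```

Run with `php register_globals_demo.php`: the legacy page greets Alice even though the password check failed, the explicit page denies access. When porting a site like the one in the question, running it with `error_reporting(E_ALL)` (and `display_errors` on in a test environment) makes PHP emit an "Undefined variable" notice at every spot that still relies on the old behaviour, which is a quicker way to find them all than reading every UPDATE by hand.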

As stated elsewhere, it's because the original code was register_globals enabled - which is very bad practice.

As a quick hack you could add some code at the top of each page (in global scope):

extract($_GET); extract($_POST);

...which has much the same effect but on a script-by-script basis. But ONLY to keep the site running while you re-implement the code properly. Note that this is not the only problem with the code - splicing unchecked user input into SQL statements is a recipe for DISASTER.

You should be rewriting the code as....

$form_firstname = mysql_real_escape_string($_POST['form_firstname'], $db_handle);
$id = mysql_real_escape_string($_POST['id'], $db_handle);
$qry = "UPDATE users SET FirstName='$form_firstname' WHERE UserID='$id'";

C.

1 Comment

Cheers symcbean, yeah we noted the insertion risk on the code was just curious as to the register_globals issue. TBH looks like they need to get a lot of stuff redone. Thanks.
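As an added example (not the answer's own code), here is the UPDATE from the answer above written twice: once by splicing the request values into the SQL, as the original site does, and once as a PDO prepared statement, which is what the escaping advice above leads to on current PHP (the mysql_* functions used in the answer were removed in PHP 7). It runs against an in-memory SQLite database so it works offline; it assumes the pdo_sqlite extension, and the table contents, the function names and the injection payload are constructed for the demonstration. Switching to MySQL only changes the DSN and credentials.

```php
<?php
// Builds a throwaway database with the users table used on this page.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (UserID INTEGER PRIMARY KEY, FirstName TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'Alice'), (2, 'Bob')");
    return $db;
}

// Vulnerable: request values are spliced straight into the SQL text, so the
// quote in $id ends the literal and the rest becomes part of the WHERE clause.
function updateUnsafe(PDO $db, string $formFirstName, string $id): int
{
    $qry = "UPDATE users SET FirstName='$formFirstName' WHERE UserID='$id'";
    return $db->exec($qry);              // number of rows changed
}

// Safe: placeholders. The statement text is fixed; the values travel separately
// and can never be parsed as SQL, whatever characters they contain.
function updateSafe(PDO $db, string $formFirstName, string $id): int
{
    $stmt = $db->prepare('UPDATE users SET FirstName = :name WHERE UserID = :id');
    $stmt->execute([':name' => $formFirstName, ':id' => $id]);
    return $stmt->rowCount();
}

function firstNames(PDO $db): array
{
    return $db->query('SELECT FirstName FROM users ORDER BY UserID')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed form submission: the id field carries a classic injection payload.
$post = ['form_firstname' => 'Mallory', 'id' => "1' OR '1'='1"];

$db = makeDb();
$n = updateUnsafe($db, $post['form_firstname'], $post['id']);
echo "unsafe: $n row(s) changed -> ", implode(', ', firstNames($db)), PHP_EOL;

$db = makeDb();
$n = updateSafe($db, $post['form_firstname'], $post['id']);
echo "safe:   $n row(s) changed -> ", implode(', ', firstNames($db)), PHP_EOL;
```

On SQLite the unsafe version renames both users to Mallory (the WHERE clause became `UserID='1' OR '1'='1'`), while the prepared statement compares the whole payload as one string against UserID and changes nothing. On MySQL the bound value would be coerced to its leading number and match row 1 only; in neither case does the payload alter the statement's logic. In real code the id should additionally be validated as an integer (`filter_var($id, FILTER_VALIDATE_INT)`) before it reaches the query at all, so that malformed input is rejected rather than silently coerced.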

I hope you don't use that for something serious. That code is open to all kinds of intrusions, injections and hacks. I have two answers for you. Quick & dirty: turn register_globals on. Alternative: find someone to rewrite your app from scratch or find a better one.

1 Comment

Nothing serious and we're escaping the requests. The code's stripped down for example only. Cheers though.

I think you need to set register_globals = On in php.ini
