parameters in URL not readable

**Rik** · Oct 25 '06, 05:35 PM

Re: parameters in URL not readable

geoff.houdmont@ gmail.com wrote:

Hi,
>
I transfered one of my websites to another provider because I was
asked to do that.
The problem I have is it seems like the parameters after the ? are not
readable in the page.
Whereever I make an echo on that page there is nothing happening.
php 5.0.5 is on the server
>
Is there anyone who can help me?

Check register_global s, and print_r($_GET).
Are they there?
--
Rik Wasmus

**geoff.houdmont@gmail.com** · Oct 25 '06, 05:45 PM

Re: parameters in URL not readable

>
Check register_global s, and print_r($_GET).
Are they there?
--
Rik Wasmus

Yes it is there.

Geoff

**Rik** · Oct 25 '06, 05:45 PM

Re: parameters in URL not readable

geoff.houdmont@ gmail.com wrote:

>Check register_global s, and print_r($_GET).
>Are they there?

>
Yes it is there.

PHP: Manual Quick Reference

http://www.php.net/manual/en/security.registerglobals.php

PHP is a popular general-purpose scripting language that powers everything from your blog to the most popular websites in the world.

--
Rik Wasmus

**Geoff** · Oct 25 '06, 06:05 PM

Re: parameters in URL not readable

Rik wrote:

geoff.houdmont@ gmail.com wrote:

Check register_global s, and print_r($_GET).
Are they there?

Yes it is there.

>

PHP: Manual Quick Reference

http://www.php.net/manual/en/security.registerglobals.php

PHP is a popular general-purpose scripting language that powers everything from your blog to the most popular websites in the world.

--
Rik Wasmus

Is there a way to get a fast solution?
otherwise i have to change a lot.

**Rik** · Oct 25 '06, 06:05 PM

Re: parameters in URL not readable

Geoff wrote:

Rik wrote:

>geoff.houdmont@ gmail.com wrote:

>>>Check register_global s, and print_r($_GET).
>>>Are they there?
>>>
>>Yes it is there.

>>
>http://www.php.net/manual/en/securit...terglobals.php

>
Is there a way to get a fast solution?
otherwise i have to change a lot.

I urge you to fix this, but in the mean while:
extract($_GET);
--
Rik Wasmus

**Geoff** · Oct 25 '06, 06:15 PM

Re: parameters in URL not readable

>

I urge you to fix this, but in the mean while:
extract($_GET);
--
Rik Wasmus

What is the new way to do this?
I've read through the link you gave me but it isn't completely clear to
me.

Geoff

**Rik** · Oct 25 '06, 06:25 PM

Re: parameters in URL not readable

Geoff wrote:

>I urge you to fix this, but in the mean while:
>extract($_GET) ;

What is the new way to do this?
I've read through the link you gave me but it isn't completely clear
to me.

1. All variables from a GET request are in the $_GET-array. This will make
sure that they don't 'infect' used variables.
2. When using a $_GET variable, first make sure it's a type you expect.
(for instance:
$id = intval($_GET['id']);//make sure it's an integer
$name = preg_replace('/^[a-z0-9]/i','',$_GET['name']);//only
alphanumeric characters)
3. Use validated variables as you would like.

The main reason is that (sloppy) code with uninitialized variables can be
influenced with either GET or POST request resulting in unexpected and/or
undesireable results. Alwaus make sure you:
a: initiliaze all variables.
b: no outside variables are used for anything without a proper type-check
first.
--
Grtz,

Rik Wasmus

**Geoff** · Oct 25 '06, 07:45 PM

Re: parameters in URL not readable

Thank you

Rik wrote:

Geoff wrote:

I urge you to fix this, but in the mean while:
extract($_GET);

What is the new way to do this?
I've read through the link you gave me but it isn't completely clear
to me.

>
1. All variables from a GET request are in the $_GET-array. This will make
sure that they don't 'infect' used variables.
2. When using a $_GET variable, first make sure it's a type you expect.
(for instance:
$id = intval($_GET['id']);//make sure it's an integer
$name = preg_replace('/^[a-z0-9]/i','',$_GET['name']);//only
alphanumeric characters)
3. Use validated variables as you would like.
>
>
The main reason is that (sloppy) code with uninitialized variables can be
influenced with either GET or POST request resulting in unexpected and/or
undesireable results. Alwaus make sure you:
a: initiliaze all variables.
b: no outside variables are used for anything without a proper type-check
first.
--
Grtz,
>
Rik Wasmus

**Chuck Anderson** · Oct 25 '06, 07:45 PM

Re: parameters in URL not readable

Geoff wrote:

>I urge you to fix this, but in the mean while:
>extract($_GET) ;
>--
>Rik Wasmus
>>

>
What is the new way to do this?
I've read through the link you gave me but it isn't completely clear to
me.
>
Geoff
>
>

Quick and dirty:

Use a text editor to include a script at the very beginning of every php
file:

<?php
include 'extractor.php' ;
?>

Put this in extractor.php

<?php
if (is_array($_GET ))
{
foreach ($_GET as $xxkey =$xxvalue)
{
$$xxkey = $xxvalue;
}
}
?>

(Note: 'xx' is added to the var name to try and keep the var names
unique, otherwise, if you have passed a GET variable with the same name
($key or $value), it would be overwritten by the next iteration of the
foreach.)

This should get you working, but then I advise you to go back and add
some real injection prevention functions at the beginning of routines
that need them.

--
*************** **************
Chuck Anderson • Boulder, CO

Chuck Anderson's Cycle Tourist Home Page

http://www.CycleTourist.com

*************** **************

**Colin Fine** · Oct 29 '06, 05:35 PM

Re: parameters in URL not readable

Chuck Anderson wrote:

Geoff wrote:

>>I urge you to fix this, but in the mean while:
>>extract($_GET );
>>--
>>Rik Wasmus
>>>

>>
>What is the new way to do this?
>I've read through the link you gave me but it isn't completely clear to
>me.
>>
>Geoff
>>
>>

Quick and dirty:
>
Use a text editor to include a script at the very beginning of every php
file:
>
<?php
include 'extractor.php' ;
?>
>
Put this in extractor.php
>
<?php
if (is_array($_GET ))
{
foreach ($_GET as $xxkey =$xxvalue)
{
$$xxkey = $xxvalue;
}
}
?>
>
(Note: 'xx' is added to the var name to try and keep the var names
unique, otherwise, if you have passed a GET variable with the same name
($key or $value), it would be overwritten by the next iteration of the
foreach.)
>
This should get you working, but then I advise you to go back and add
some real injection prevention functions at the beginning of routines
that need them.
>

This looks to me like a clumsy way of emulating 'extract($_GET) ', as
suggested by Rik. Are you claiming some advantage to doing it this way?

Colin

parameters in URL not readable

parameters in URL not readable

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment