register_globals off makes my update script not working - CodingForum
  • register_globals off makes my update script not working

    After turning off register_globals, my update script is not working anymore. Little help please.

    Do I have to do all the strings all over again in proccess.php?

    Get the information here in this script, update.php:
    PHP Code:
    <?php

    // like i said, we must never forget to start the session
    session_start();

    // is the one accessing this page logged in or not?
    if (!isset($_SESSION['db_is_logged_in'])
        || $_SESSION['db_is_logged_in'] !== true) {
        // not logged in, move to login page
        header('Location: login.php');
        exit;
    }

    include('connect.php');

    // the artist to edit comes in on the query string
    $artist_id = $_GET['artist_id'];

    $query  = "SELECT * FROM artist WHERE artist_id='$artist_id'";
    $result = mysql_query($query);
    $num    = mysql_numrows($result);

    $i = 0;
    while ($i < $num) {
        $artist_name  = mysql_result($result, $i, "artist_name");
        $english_name = mysql_result($result, $i, "english_name");
        $gender       = mysql_result($result, $i, "gender");
        $region       = mysql_result($result, $i, "region");
    ?>

    <html>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <form action="artist-update2.php" method="post">
    <input type="hidden" name="artist_id" value="<?php echo $artist_id; ?>">
    Artist Name: <input type="text" name="artist_name" value="<?php echo $artist_name; ?>"><br>
    English Name: <input type="text" name="english_name" value="<?php echo $english_name; ?>"><br>
    Gender: <input type="text" name="gender" value="<?php echo $gender; ?>"> male=ma, female=fe, group=gr<br>
    Region: <input type="text" name="region" value="<?php echo $region; ?>"> china=cn, hong kong=hk, taiwan=tw, japan=jp, korean=kr, us&uk=us-uk<br>
    <input type="Submit" value="Update">
    </form>
    </html>

    <?php
        ++$i;
    }
    ?>
    Process the information here, proccess.php:
    PHP Code:
    <?php

    // like i said, we must never forget to start the session
    session_start();

    // is the one accessing this page logged in or not?
    if (!isset($_SESSION['db_is_logged_in'])
        || $_SESSION['db_is_logged_in'] !== true) {
        // not logged in, move to login page
        header('Location: login.php');
        exit;
    }

    include('connect.php');

    $artist_id = $_POST['artist_id'];

    // $artist_name, $english_name, $gender and $region are only set here when register_globals is on
    $query = "UPDATE artist SET artist_name='$artist_name',english_name='$english_name',gender='$gender',region='$region' WHERE artist_id='$artist_id'";
    mysql_query($query);
    echo "Record Updated";
    mysql_close();
    ?>
    Last edited by bbmak; Jul 30, 2005, 05:33 AM.

  • #2
    import_request_variables or extract might do the trick.
    CATdude about IE6: "All your box-model are belong to us"



    • #3
      Can you give me more information, because I have never encountered this problem before?

      Originally posted by mrruben5
      import_request_variables or extract might do the trick.



      • #4
        http://php.net/extract
        http://php.net/import_request_variables

        NUFF SAID
        CATdude about IE6: "All your box-model are belong to us"



        • #5
          I use this, but how do I call out the gpc???

          PHP Code:
          include('connect.php');
          $artist_id = $_POST['artist_id'];

          // pull GET, POST and cookie values in with an rvar_ prefix
          import_request_variables("gPc", "rvar_");
          $query = "UPDATE artist SET artist_name='$artist_name',english_name='$english_name',gender='$gender',region='$region' WHERE artist_id='$artist_id'";
          mysql_query($query);
          echo "Record Updated";
          mysql_close();
          ?>



          • #6
            Bah, the extraction process is not worth it in my opinion. The time it takes to make it secure compared to the actual fix is too time consuming.
            Change this:
            PHP Code:
            $artist_id = $_POST['artist_id'];
            // Add this now:
            $artist_name  = mysql_real_escape_string($_POST['artist_name']);
            $english_name = mysql_real_escape_string($_POST['english_name']);
            $gender       = mysql_real_escape_string($_POST['gender']);
            $region       = mysql_real_escape_string($_POST['region']);
            // Remember, always clean incoming data
            Peace of mind, and easy to manage. Sure, it takes an extra few lines over the extraction method, but it is safe to use, and to create the same using an extract() function would take just as long.
            BTW, I posted in your other thread how to turn the globals off using php code. If you want, I can show you how to turn on globals using php script as well. The difference being, you can control what you would like to be global, and what is to remain in a superglobal.
            Rule of thumb though, code with superglobals in mind.

            May I suggest as well, for your gender and region fields, you could change them to a select box instead. Save your users the work of typing in something so simplistic.
            Last edited by Fou-Lu; Jul 30, 2005, 05:08 PM.
            PHP Code:
            header('HTTP/1.1 420 Enhance Your Calm'); 
            Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
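            A complete proccess.php written the way post #6 suggests, added here as an example and not code from the thread: every field is read from $_POST by name, gender and region are checked against the codes the edit form lists, the free-text fields go through mysql_real_escape_string, and artist_id is cast to an integer. It assumes connect.php opens the mysql connection, as the original scripts do.

            ```php
            <?php
            // Added example (not from the thread): explicit superglobal reads plus escaping.
            session_start();
            if (!isset($_SESSION['db_is_logged_in']) || $_SESSION['db_is_logged_in'] !== true) {
                header('Location: login.php');
                exit;
            }
            include('connect.php');   // assumed to open the mysql connection, as in the thread

            // Codes the edit form lists; anything else is rejected instead of stored.
            $valid_gender = array('ma', 'fe', 'gr');
            $valid_region = array('cn', 'hk', 'tw', 'jp', 'kr', 'us-uk');

            // artist_id is numeric, so an integer cast is the whole check for it.
            $artist_id    = isset($_POST['artist_id'])    ? (int) $_POST['artist_id']     : 0;
            $artist_name  = isset($_POST['artist_name'])  ? trim($_POST['artist_name'])  : '';
            $english_name = isset($_POST['english_name']) ? trim($_POST['english_name']) : '';
            $gender       = isset($_POST['gender'])       ? $_POST['gender']             : '';
            $region       = isset($_POST['region'])       ? $_POST['region']             : '';

            if ($artist_id <= 0 || $artist_name === '') {
                die('Missing artist id or name');
            }
            if (!in_array($gender, $valid_gender, true) || !in_array($region, $valid_region, true)) {
                die('Unknown gender or region code');
            }

            // Free-text fields are escaped before they are placed in the query;
            // gender and region were already restricted to the whitelists above.
            $query = sprintf(
                "UPDATE artist SET artist_name='%s', english_name='%s', gender='%s', region='%s' WHERE artist_id=%d",
                mysql_real_escape_string($artist_name),
                mysql_real_escape_string($english_name),
                $gender,
                $region,
                $artist_id
            );

            if (!mysql_query($query)) {
                die('Update failed');   // keep mysql_error() out of the browser on a live site
            }
            echo 'Record Updated (' . mysql_affected_rows() . ' row)';
            mysql_close();
            ?>
            ```

            On PHP 7 and later the mysql_* extension no longer exists; the same shape carries over to mysqli, where a prepared statement with bound parameters takes the place of the escaping calls.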



            • #7
              I got it; now I use import_request_variables("gPc", "rvar_");
              but I have a problem putting that in my search engine. Could anybody help?


              PHP Code:
              <?php

              // like i said, we must never forget to start the session
              session_start();

              // is the one accessing this page logged in or not?
              if (!isset($_SESSION['db_is_logged_in'])
                  || $_SESSION['db_is_logged_in'] !== true) {
                  // not logged in, move to login page
                  header('Location: login.php');
                  exit;
              }

              include('connect.php');

              // $search is only set here when register_globals is on
              $keywords = explode(" ", $search);

              $query = "SELECT * FROM artist LEFT OUTER JOIN lyric on (artist.artist_id = lyric.artist_id) WHERE artist_name LIKE '%".$keywords[0]."%' OR song_title LIKE '%".$keywords[0]."%' OR english_name LIKE '%".$keywords[0]."%' OR lyric LIKE '%".$keywords[0]."%' ";

              for ($i = 1; $i < count($keywords); $i++) {
                  $query = $query." AND artist_name LIKE '%".$keywords[$i]."%' OR english_name LIKE '%".$keywords[$i]."%' OR song_title LIKE '%".$keywords[$i]."%'";
              }

              $query = $query." ORDER by english_name ASC";

              $result = mysql_query($query) or die(mysql_error());

              ?>

              <html>
              <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
              <form method="GET" action="<?php echo $PHP_SELF; ?>">
              <b>Search:</b> <input type="text" name="search" size="20" />
              <input type="submit" value="Search!">
              </form>

              <?php

              while ($row = mysql_fetch_array($result))
              {
                  $artist_id    = $row['artist_id'];
                  $artist_name  = $row['artist_name'];
                  $english_name = $row['english_name'];
                  $song_title   = $row['song_title'];
                  $lyric_id     = $row['lyric_id'];
                  $lyric        = $row['lyric'];

                  echo "<a href=\"show.php?artist_id=$artist_id\"><b>$artist_name  $english_name</b></a>(<a href=\"artist-update.php?artist_id={$row['artist_id']}\">Edit Artist</a> - <a href=\"artist-delete.php?artist_id={$row['artist_id']}\">Delete Artist</a>)(<a href=\"lyric-add1.php?artist_id={$row['artist_id']}\">Add lyric</a>) - <a href=\"lyric.php?lyric_id=$lyric_id\">$song_title</a> (<a href=\"lyric-update.php?lyric_id={$row['lyric_id']}\">Edit Lyric</a> - <a href=\"lyric-delete.php?lyric_id={$row['lyric_id']}\">Delete Lyric</a>)<br>";
              }

              ?>

              </html>



              • #8
                Globals are off yeah?
                You need to use $_POST['search'] to create it.
                However, I believe you will be wanting to use the IN SQL command instead of the LIKE. I'm not an sql wizard by any means, but my guess is you would need to create this as a string to search through it instead. The SQL guys can easily do that for you.
                Edit:
                sorry, so used to using $_POST for forms.
                Use either $_GET or $_REQUEST instead, as you are not using a post method.
                Last edited by Fou-Lu; Jul 31, 2005, 06:16 AM.
                PHP Code:
                header('HTTP/1.1 420 Enhance Your Calm'); 
                Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)



                • #9
                  I found another solution. I found some source code that emulates register_globals = on.

                  Originally posted by Fou-Lu
                  Globals are off yeah?
                  You need to use $_POST['search'] to create it.
                  However, I believe you will be wanting to use the IN SQL command instead of the LIKE. I'm not an sql wizard by any means, but my guess is you would need to create this as a string to search through it instead. The SQL guys can easily do that for you.
                  Edit:
                  sorry, so used to using $_POST for forms.
                  Use either $_GET or $_REQUEST instead, as you are not using a post method.



                  • #10
                    Originally posted by bbmak
                    I found another solution. I found some source code that emulates register_globals = on.
                    I strongly recommend that you do not use this. I can also provide for you the code that you needed to turn globals on/off, however you really should be scripting with superglobals in mind. It is a lot easier to refer to $name than $_POST['name'], but the security of this alone far outweighs the downside of adding one extra line. There are always alternatives, extract is a good example. If controlled correctly, it would be capable of creating the globals that you need. Remember, it's all about the control.
                    As well, add error_reporting(E_ALL); to the top of your page. See those lines in your browser? Those are all the variables that you are leaving insecure for someone to play with. Just make sure you turn off the error_reporting prior to upload.
                    Last edited by Fou-Lu; Aug 1, 2005, 12:15 AM.
                    PHP Code:
                    header('HTTP/1.1 420 Enhance Your Calm'); 
                    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
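                    The "controlled extract" post #10 describes, as an added example that is not code from the thread: only a fixed list of names is ever turned into plain variables, only from $_GET and $_POST, and EXTR_SKIP stops a request parameter from overwriting anything the script already set. The name list covers the update fields from post #1 and the search field from post #7; the helper import_request_vars and the choice that $_GET wins over $_POST are this example's own.

                    ```php
                    <?php
                    // Added example (not from the thread): a whitelist replacement for register_globals.
                    error_reporting(E_ALL);   // shows every undefined variable while developing

                    // Collect only the allowed names, in the order the sources are given;
                    // the first source that carries a name wins (constructed choice: GET before POST).
                    function import_request_vars(array $allowed, array $sources)
                    {
                        $picked = array();
                        foreach ($sources as $source) {
                            foreach ($allowed as $name) {
                                if (isset($source[$name]) && !isset($picked[$name])) {
                                    $picked[$name] = $source[$name];
                                }
                            }
                        }
                        return $picked;
                    }

                    // Names the update and search scripts in this thread actually use.
                    $allowed = array('artist_id', 'artist_name', 'english_name', 'gender', 'region', 'search');

                    // Cookies and server variables are never imported; everything else stays
                    // inside its superglobal. EXTR_SKIP keeps existing variables untouched.
                    extract(import_request_vars($allowed, array($_GET, $_POST)), EXTR_SKIP);

                    // Give every allowed name a default so E_ALL stays quiet when a field
                    // is absent from the request, instead of silently using an empty global.
                    foreach ($allowed as $name) {
                        if (!isset($$name)) {
                            $$name = '';
                        }
                    }

                    // From here on $artist_id, $artist_name, ... and $search exist, but any
                    // other request parameter (say, ?db_is_logged_in=1) was never imported.
                    ?>
                    ```

                    The values are still raw request input at this point, so they need the escaping or whitelisting from post #6 before they reach a query.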
