Help needed with php

software development

#1

Hello there!

My website does not work properly anymore. The variable values passed on the URL do not seem to be loaded in $GLOBALS.

I created these two simplified files to reproduce the problem: index.php and abc.php with the following contents:

index.php:

[code]
<?php print("index.php file: language =" . $GLOBALS['lang'] . "\n"); ?>
ABC file
[/code]

abc.php

[code]
<?php print("abc.php file: language = " . $GLOBALS['lang'] . "\n"); ?>
Index file
[/code]

When I click the link from index.php to abc.php I get this:
abc.php file: language =
So it seems that the value “en” passed for variable $lang is not stored in $GLOBALS.

I loaded these two files on a friend's website with another web host and it works just fine.

Please let me know if you have any idea why this is happening.
Thank you


#2

[quote=“suselum, post:1, topic:54156”]
Hello there!

My website does not work properly anymore. The variable values passed on the URL do not seem to be loaded in $GLOBALS. [/quote]

You’ll need to improve your coding practices. You are relying on a feature that makes it easy to write insecure code and as a result is disabled by default and may be removed from PHP altogether.

You should be using $_GET or $_POST instead. Also check the data first against known values or format, i.e.:

[code]
// Keep someone from injecting malicious code into our page/database
// isset() avoids an undefined-index notice when the parameter is absent
$lang = isset($_GET['lang']) ? $_GET['lang'] : '';
if ($lang === 'English') {
    print "English";
} else if ($lang === 'Spanish') {
    print "Spanish";
} else {
    // someone submitted something we weren't expecting - could be bad!
    print "Error";
}
[/code]


#3

Thank you for your kind reply. Although it does not fix the problem I am going to change the code based on your suggestion.

It is easy for someone to inject malicious code if the URL gives away the variable names and their valid values. For instance:
http://www.mywebsite.com/abc.php?lang=en&page=guestbook

Do you know how I can hide these?


#4

If you insist on using $GLOBALS, don’t expect your URL parameters to automatically show up there - that is lazy and insecure. But if you insist on using $GLOBALS, then you need to explicitly define a variable and assign it a value.

[code]

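<?php
// define $lang and assign it the value of a URL parameter
// (isset() avoids an undefined-index notice when the parameter is absent)
$lang = isset($_GET['lang']) ? $_GET['lang'] : '';
?>
<?php print("index.php file: language =" . $GLOBALS['lang'] . "\n"); ?>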

ABC file

[/code]

[quote]It is easy for someone to inject malicious code if the URL gives away the variable names and their valid values. For instance:
http://www.mywebsite.com/abc.php?lang=en&page=guestbook

Do you know how I can hide these? [/quote]

Map the names and values using arrays.

[code]
$parameters['lang'] = 'l';
$parameters['page'] = 'p';

$lang = $_GET[$parameters['lang']];
$page = $_GET[$parameters['page']];
[/code]

So now you have:

http://www.mywebsite.com/abc.php?l=en&p=guestbook

If you do the same with the values, you can reduce that to something like:

http://www.mywebsite.com/abc.php?l=0&p=4

And if you are creative, you can use something silly:

http://www.mywebsite.com/abc.php?larry=first&paul=third
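
An added example, not code from any poster in this thread, that combines the two suggestions above: the short URL names and codes from post #4 are looked up in arrays, and, as post #2 advises, anything not found in those arrays is rejected. The `$PARAMS` table, the `read_param` function, the code-to-value assignments and PHP 7.1+ syntax are assumptions made for illustration.

```php
<?php
// Added example: table contents and function name are illustrative assumptions.

// URL name => [internal name, map of URL code => internal value]
$PARAMS = [
    'l' => ['lang', ['0' => 'en', '1' => 'es']],
    'p' => ['page', ['3' => 'home', '4' => 'guestbook']],
];

/**
 * Resolve one internal parameter from a query array such as $_GET.
 * Returns the internal value, or null when the parameter is missing,
 * is not a string (e.g. ?l[]=0), or is not one of the known codes.
 */
function read_param(array $params, array $query, string $internal): ?string
{
    foreach ($params as $urlName => [$name, $values]) {
        if ($name !== $internal) {
            continue;
        }
        $raw = $query[$urlName] ?? null;
        if (!is_string($raw) || !array_key_exists($raw, $values)) {
            return null; // missing, wrong type, or unknown code
        }
        return $values[$raw];
    }
    return null; // internal name not in the table
}

// Constructed sample input standing in for $_GET on abc.php?l=0&p=4
$query = ['l' => '0', 'p' => '4'];

$lang = read_param($PARAMS, $query, 'lang');
$page = read_param($PARAMS, $query, 'page');

if ($lang === null || $page === null) {
    http_response_code(400);
    exit('Error');
}

// The values come from our own table, but escape on output anyway.
printf(
    "language = %s, page = %s\n",
    htmlspecialchars($lang, ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($page, ENT_QUOTES, 'UTF-8')
);
```

In this sketch the protection comes from rejecting anything outside the tables; the short names and codes only change what the URL looks like.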


#5

thank you