Posted by Dave on 08/16/07 05:38
On 15 Aug, 22:02, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Dave wrote:
> > On 15 Aug, 13:21, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> >> Dave wrote:
> >>> On 15 Aug, 11:35, Rik <luiheidsgoe...@hotmail.com> wrote:
> >>>> On Wed, 15 Aug 2007 12:26:42 +0200, Dave
> >>>> <david.greenh...@praybourne.co.uk> wrote:
> >>>>> On 15 Aug, 11:06, Rik <luiheidsgoe...@hotmail.com> wrote:
> >>>>>> On Wed, 15 Aug 2007 11:59:25 +0200, Dave
> >>>>>> <david.greenh...@praybourne.co.uk> wrote:
> >>>>>>> I have just set up a duplicate server running:
> >>>>>>> apache 2.54, mysql 5.04 and php 5.04
> >>>>>>> This is the same setup as the server we are using now, apart from
> >>>>>>> the hardware inside. I have copied across the database and website,
> >>>>>>> with exact same permissions as the first server.
> >>>>>>> The problem is that part of the php code is executing but others
> >>>>>>> aren't:
> >>>>>>> example:
> >>>>>>> ------------------------
> >>>>>>> <?php
> >>>>>>> die(mysql_error());
> >>>>>>> echo "Connected to MySQL<br />";
> >>>>>>> mysql_select_db("sales") or die(mysql_error());
> >>>>>>> echo "Connected to Database<br />";
> >>>>>>> $query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
> >>>>>>> ='P191")
> >>>>>> Shouldn't that be `code` = 'P191'" (notice the ending single quote).
> >>>>>>> or die(mysql_error());
> >>>>>>> But when i change it to:
> >>>>>>> -----------------
> >>>>>>> <?php
> >>>>>>> // Make the connection
> >>>>>>> mysql_connect("localhost", "user", "pass") or die(mysql_error());
> >>>>>>> echo "Connected to MySQL<br />";
> >>>>>>> mysql_select_db("sales") or die(mysql_error());
> >>>>>>> echo "Connected to Database<br />";
> >>>>>>> $query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
> >>>>>>> ='$code")
> >>>>>> Again, the missing ending single quote in the SQL statement. Where does
> >>>>>> $code come from BTW? You're not relying on register_globals are you? Not
> >>>>>> a good thing. So, use $code = mysql_real_escape_string($_GET['code']);
> >>>>>> first.
> >>>>>>> $result = mysql_fetch_array($query);
> >>>>>> var_dump($result);
> >>>>> The missing ' was a mistype in the post. I have tried adding the code
> >>>>> you suggested along with others.
> >>>>> 1. adding the line $code = mysql_real_escape_string($_GET['code']);
> >>>>> outputs absolutely nothing, not even "connected to database"
> >>>> Have you enabled display_errors? It should be done just after connecting
> >>>> to the database.
> >>>>> 2. Removing the single quotes around $code
> >>>> You shouldn't do that.
> >>>>> 3. Removing the last single quote from around $code (so becomes
> >>>>> '$code ) like mistype above.
> >>>> Shouldn't do that either.
> >>>>> 4. When single quotes are put back in and adding the line
> >>>>> var_dump($result);
> >>>>> outputs: array(2) { [0]=> string(0) "" ["product_name"]=> string(0)
> >>>>> "" }
> >>>>> 5. When manually adding the code P191 in to the php code instead of
> >>>>> $code, the output of var_dump is:
> >>>>> array(2) { [0]=> string(28) "Pulsar Classic Bomber
> >>>>> Jacket" ["product_name"]=> string(28) "Pulsar Classic Bomber Jacket" }
> >>>> Well, echo the query that gets sent before actually using it, and examine
> >>>> where it differs.
> >>>> --
> >>>> Rik Wasmus
> >>> Hi Rik,
> >>> I echoed the $code to the page, and it didn't show. However I have
> >>> noticed that on our internal server, register_globals is on. So to
> >>> test, I turned it on on our external server, and everything seems to
> >>> work.
> >>> So I guess when you asked before whether I was using register_globals,
> >>> in actual fact, we were on our internal server, but I only looked at
> >>> the new server.
> >>> So now I found the problem, any pointers how to fix this? I am not too
> >>> clued up on register_globals, although I am searching now...
> >>> thanks for the help
> >>> Dave.
> >> Rik wins again :-)
>
> >> Yes, there is a reason it's now off by default. It's a security
> >> exposure. You really need to change your code to not use it.
>
> >> --
> >> ==================
> >> Remove the "x" from my email address
> >> Jerry Stuckle
> >> JDS Computer Training Corp.
> >> jstuck...@attglobal.net
> >> ==================
>
> > Hi again,
>
> > just a brief question, as I am unsure of the consequences.
>
> > The new webserver that has register_globals turned off, every page is
> > only accessible after logging in using cookies against the mysql
> > database.
>
> > This part seems to be working as normal, I have tried to access many
> > pages beneath this, and get redirected to the login page if not logged
> > in. It seems only after login that passing variables across to other
> > pages is not working.
>
> > My question is, is it safe to turn globals on for the period of time
> > while I am recoding all the pages to work with globals turned off, so
> > that our staff can use the database? I have approx. 100 pages to go
> > through, and am unsure how long this will take.
>
> > thanks
> > Dave.
>
> No, it's not safe, which is why it was turned off in the first place.
>
> However, since you seem to have been running with register_globals on
> before, it's no less safe than it was previously.
>
> Are you sure that is the problem? And BTW - sessions are much safer for
> login tracking than cookies. It's too easy to fudge up a cookie.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
The other server it was running on is internal to the company, so only
people who are inside the company firewall have access. The new server
will be directly on the internet.
I am not positive that register_globals is the problem, but it seems
likely, as when I turned globals on to try it, everything worked as it
does on our internal server. Plus, when some of the pages load, by
default they hold information from the database, but then use if
statements throughout, depending on what they click, to decide which
if statement to run, and it's these that are not working (presumably
because it's not passing the variables across).
But I suppose it's better to be safe than sorry. I shall keep it that way
until I have changed all the pages.
Thanks again for the advice
Dave.
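The thread's product lookup depends on register_globals to turn the `code` request parameter into `$code`; with the setting off, `$code` is simply undefined, which is why the query returned an empty `product_name`. As an added example (not code from the original posts), here is the same lookup rewritten so it does not need register_globals: the parameter is read explicitly from `$_GET`, checked against an allow-list pattern before it reaches the database, and bound to a prepared statement instead of being quoted into the SQL string, which also removes the missing-quote mistake discussed earlier. It also shows the session-based login gate Jerry recommends over a bare cookie check. The function names (`read_product_code`, `lookup_product`, `require_login`), the use of mysqli rather than the thread's `mysql_*` functions, the code pattern `^[A-Z][0-9]{1,6}$`, and the connection details are all assumptions for illustration.

```php
<?php
// Added example, not from the original thread. Rewrites the product lookup so
// it works with register_globals off. Names and the DSN values are assumptions.

declare(strict_types=1);

// With register_globals off, request parameters exist only in the superglobals.
// Read the one we expect explicitly and reject anything that does not look
// like a product code before it gets near the database.
function read_product_code(array $request): ?string
{
    if (!isset($request['code']) || !is_string($request['code'])) {
        return null;
    }
    // Constructed rule: codes in the thread look like "P191". Adjust to the
    // real format; the allow-list also stops malformed input outright.
    return preg_match('/^[A-Z][0-9]{1,6}$/', $request['code']) === 1
        ? $request['code']
        : null;
}

// Parameterised query with mysqli: the value is bound, never interpolated
// into the SQL text, so quoting errors and injection are not possible here.
function lookup_product(mysqli $db, string $code): ?string
{
    $stmt = $db->prepare('SELECT product_name FROM `code_tbl` WHERE `code` = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $code);
    $stmt->execute();
    $stmt->bind_result($productName);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $productName : null;
}

// Login gate backed by the server-side session rather than a client cookie.
// Under register_globals a request could have seeded a variable like
// $logged_in; $_SESSION is only written by our own login code.
function require_login(string $loginUrl = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

require_login();

$code = read_product_code($_GET);
if ($code === null) {
    http_response_code(400);
    exit('Missing or malformed product code');
}

// Assumed connection details; the thread used "localhost", "user", "pass".
$db = new mysqli('localhost', 'user', 'pass', 'sales');
if ($db->connect_error) {
    // Log the detail server-side; do not echo the driver error to the browser.
    error_log('DB connect failed: ' . $db->connect_error);
    exit('Database unavailable');
}

$name = lookup_product($db, $code);
echo $name === null
    ? 'No such product'
    : htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

Applied across the 100-odd pages Dave mentions, the mechanical part of the conversion is the first function: every variable a page expects from the request gets one explicit read from `$_GET`, `$_POST` or `$_COOKIE` with a validation rule, and everything else the page uses is initialised in the script itself, so nothing can be supplied from outside.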