Reply to Re: strange problem with php

Posted by Jerry Stuckle on 08/15/07 21:02

Dave wrote:
> On 15 Aug, 13:21, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Dave wrote:
>>> On 15 Aug, 11:35, Rik <luiheidsgoe...@hotmail.com> wrote:
>>>> On Wed, 15 Aug 2007 12:26:42 +0200, Dave
>>>> <david.greenh...@praybourne.co.uk> wrote:
>>>>> On 15 Aug, 11:06, Rik <luiheidsgoe...@hotmail.com> wrote:
>>>>>> On Wed, 15 Aug 2007 11:59:25 +0200, Dave
>>>>>> <david.greenh...@praybourne.co.uk> wrote:
>>>>>>> I have just set up a duplicate server running:
>>>>>>> apache 2.54, mysql 5.04 and php 5.04
>>>>>>> This is the same setup as the server we are using now, apart from
>>>>>>> the hardware inside. I have copied across the database and website,
>>>>>>> with exact same permissions as the first server.
>>>>>>> The problem is that part of the php code is executing but others
>>>>>>> aren't:
>>>>>>> example:
>>>>>>> ------------------------
>>>>>>> <?php
>>>>>>> die(mysql_error());
>>>>>>> echo "Connected to MySQL<br />";
>>>>>>> mysql_select_db("sales") or die(mysql_error());
>>>>>>> echo "Connected to Database<br />";
>>>>>>> $query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
>>>>>>> ='P191")
>>>>>> Shouldn't that be `code` = 'P191'" (notice the ending single quote).
>>>>>>> or die(mysql_error());
>>>>>>> But when I change it to:
>>>>>>> -----------------
>>>>>>> <?php
>>>>>>> // Make the connection
>>>>>>> mysql_connect("localhost", "user", "pass") or die(mysql_error());
>>>>>>> echo "Connected to MySQL<br />";
>>>>>>> mysql_select_db("sales") or die(mysql_error());
>>>>>>> echo "Connected to Database<br />";
>>>>>>> $query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
>>>>>>> ='$code")
>>>>>> Again, the missing ending single quote in the SQL statement. Where does
>>>>>> $code come from BTW? You're not relying on register_globals are you? Not
>>>>>> a good thing. So, use $code = mysql_real_escape_string($_GET['code']);
>>>>>> first.
>>>>>>> $result = mysql_fetch_array($query);
>>>>>> var_dump($result);
>>>>> The missing ' was a mistype in the post. I have tried adding the code
>>>>> you suggested along with others.
>>>>> 1. adding the line $code = mysql_real_escape_string($_GET['code']);
>>>>> outputs absolutely nothing, not even "connected to database"
>>>> Have you enabled display_errors? It should be done just after connecting
>>>> to the database.
>>>>> 2. Removing the single quotes around $code
>>>> You shouldn't do that.
>>>>> 3. Removing the last single quote from around $code (so becomes
>>>>> '$code ) like mistype above.
>>>> Shouldn't do that either.
>>>>> 4. When single quotes are put back in and adding the line
>>>>> var_dump($result);
>>>>> outputs: array(2) { [0]=> string(0) "" ["product_name"]=> string(0)
>>>>> "" }
>>>>> 5. When manually adding the code P191 in to the php code instead of
>>>>> $code, the output of var_dump is:
>>>>> array(2) { [0]=> string(28) "Pulsar Classic Bomber
>>>>> Jacket" ["product_name"]=> string(28) "Pulsar Classic Bomber Jacket" }
>>>> Well, echo the query that gets sent before actually using it, and examine
>>>> where it differs.
>>>> --
>>>> Rik Wasmus
>>> Hi Rik,
>>> I echoed the $code to the page, and it didn't show. However I have
>>> noticed that on our internal server, register globals is on. So to
>>> test, I turned it on our external server, and everything seems to
>>> work.
>>> So I guess when you asked before whether I was using register globals,
>>> in actual fact, we were on our internal server, but I only looked at
>>> the new server.
>>> So now I found the problem, any pointers how to fix this, I am not too
>>> clued up on register globals, although I am searching now...
>>> thanks for the help
>>> Dave.
>> Rik wins again :-)
>>
>> Yes, there is a reason it's now off by default. It's a security
>> exposure. You really need to change your code to not use it.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================
>
> Hi again,
>
> just a brief question, as I am unsure of the consequences.
>
> The new webserver that has register_globals turned off, every page is
> only accessible after logging in using cookies against the mysql
> database.
>
> This part seems to be working as normal, I have tried to access many
> pages beneath this, and get redirected to the login page if not logged
> in. It seems only after login, that passing variables across to other
> pages is not working.
>
> My question is, is it safe to turn globals on, for the period of time
> while I am recoding all the pages to work with globals turned off, so
> that our staff can use the database. I have approx, 100 pages to go
> through, and am unsure how long this will take.
>
> thanks
> Dave.
>

No, it's not safe, which is why it was turned off in the first place.

However, since you seem to have been running with register_globals on
before, it's no less safe than it was previously.

Are you sure that is the problem? And BTW - sessions are much safer for
login tracking than cookies. It's too easy to fudge up a cookie.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
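
Added example, not part of the thread or anyone's posted code: the product lookup from the quoted script rewritten to work with register_globals off, with the login check read from the server-side session as suggested above. Assumptions: PDO with a bound parameter replaces the thread's `mysql_*` calls and `mysql_real_escape_string()`, an in-memory SQLite table stands in for the MySQL `sales` database so the script runs offline, and the function names, the `user_id` session key and the product-code pattern are hypothetical.

```php
<?php
// Constructed sample data mirroring the thread's code_tbl (SQLite stands in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE code_tbl (code TEXT PRIMARY KEY, product_name TEXT)");
$db->exec("INSERT INTO code_tbl VALUES ('P191', 'Pulsar Classic Bomber Jacket')");

// Read the request parameter explicitly; with register_globals off nothing
// turns ?code=... into $code for you. The allowed pattern is an assumption.
function request_code(array $get): ?string
{
    $code = $get['code'] ?? null;
    if (!is_string($code) || !preg_match('/^[A-Za-z0-9]{1,16}$/', $code)) {
        return null;
    }
    return $code;
}

// Login state comes from the server-side session, not from a value the
// browser can set in a cookie. 'user_id' is a hypothetical session key.
function is_logged_in(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

function lookup_product(PDO $db, array $session, array $get): string
{
    if (!is_logged_in($session)) {
        return 'redirect: login';
    }
    $code = request_code($get);
    if ($code === null) {
        return 'error: bad code';
    }
    // Bound parameter: the value never becomes part of the SQL text, so a
    // stray quote cannot change the statement.
    $stmt = $db->prepare('SELECT product_name FROM code_tbl WHERE code = :code');
    $stmt->execute([':code' => $code]);
    $name = $stmt->fetchColumn();
    return $name === false ? 'not found' : $name;
}

// Constructed requests; a real page would call session_start() and pass
// $_SESSION and $_GET instead of these arrays.
echo lookup_product($db, ['user_id' => 7], ['code' => 'P191']), "\n";
echo lookup_product($db, ['user_id' => 7], ['code' => "P191'"]), "\n";
echo lookup_product($db, [], ['code' => 'P191']), "\n";
```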
