[Novalug] php newbie

Keith Casey keith.casey@gmail.com
Wed Jan 17 00:37:39 EST 2007


On 1/17/07, Matt Good <matt@matt-good.net> wrote:
> > "http://www.restonshoreshim.net/tmpl.php?f=about.html" (tmpl.php is
> > attached) and the 'f' doesn't have a value. I am not sure if somehow a
> > configuration file 'got changed'

> Well, it's possible the behavior of PHP to automatically turn GET
> parameters to variables has been turned off.  I don't use PHP, but I've
> seen complaints of the security problems this behavior can cause, so I
> would not be surprised if there was a way to turn it off.  I believe
> that GET parameters can also be accessed like $_GET['f'], but double-check

If I'm reading what you're doing correctly - running on little sleep
at the moment - it looks like the script was dependent on register
globals which is one of the banes of php'ers everywhere.  It can be
useful because then all your variables 'just have values!' but if you
forget to initialize stuff before using it... watch out.  So most
distros turn this off and as of a later release of php (5.1?), it has
been completely removed.

Grab it like Matt says... and please scrub your input - especially
when including files - you don't know where it's been.

kc

-- 
D. Keith Casey Jr.
CEO, CaseySoftware, LLC
http://CaseySoftware.com
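
An added example, not part of the original message and not the attached tmpl.php (which is not shown here): one way to read 'f' from $_GET instead of relying on register globals, and to scrub it before the file is used. The "pages" directory, the resolve_page() helper and the ".html only" rule are assumptions made for illustration; it needs PHP 7.1 or later.

```php
<?php
// Added illustration; directory layout and function name are assumptions.
const PAGE_DIR = __DIR__ . '/pages';

/**
 * Map the requested page name to a file inside PAGE_DIR, or null if the
 * value is missing, malformed, or points outside that directory.
 */
function resolve_page($requested): ?string
{
    // With register globals off, $f is never set implicitly. The caller
    // passes $_GET['f'], which may be absent or an array (?f[]=x).
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // Accept only a plain file name such as "about.html": no slashes,
    // no "..", no URL scheme, no NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $requested)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested);
    // realpath() returns false for missing files and resolves symlinks,
    // so confirm the result still sits inside the page directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['f'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
// Assumption: the pages are static HTML, so readfile() sends them as-is.
// include would also execute any PHP code the file contained.
readfile($page);
```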