Possible PHP coding problem

[lisati]

I'm thinking that the $reports variable is created here:

Code:

      <form action="reports.php" method="post">
        <select name="report" onChange="this.form.submit()">
          <option value="">Choose Report</option>
          <option value="students">Students</option>
          <option value="employers">Employers</option>
          <option value="financial">Financial</option>
        </select>
      </form>

But, as my forum username indicates, I'm far from a php guru

Not quite. "reports.php" is the name of the script that gets run when the form is submitted.

[spjackson]

I'm thinking that the $reports variable is created here:

Code:

      <form action="reports.php" method="post">
        <select name="report" onChange="this.form.submit()">
          <option value="">Choose Report</option>
          <option value="students">Students</option>
          <option value="employers">Employers</option>
          <option value="financial">Financial</option>
        </select>
      </form>

But, as my forum username indicates, I'm far from a php guru

OK, so I think that basically to translate from ancient PHP to modern PHP, you need to add this to your other script.

Code:

  $report = $_POST['report'];

However, it is a bit more complicated than that because the script reposts to itself and it will need to repost this report data item - or it could be converted to a session variable. Needs more work and it's bedtime here

[arizonanoob]

THAT WAS IT!!!!!!!!!!!! WOOOOHOOOOO!

register_globals needed to be turned on.

Thank you, thank you, thank you, thank you, thank you, thank you, thank you, thank you, thank you, thank you.

[cryptotheslow]

Take a lot of care if you decide to update your PHP version.

What version are you running?

If I remember correctly register_globals was depracted in v.5.3 and removed entirely in v.5.4

Could be problematic if one of your web hosters decides to upgrade!

My memory is fallible but I'm fairly sure the above is correct, been while since I did php stuff in earnest though :/

[SeijiSensei]

No, enabling register_globals is the wrong approach. Not only is it insecure, but as cryptotheslow observes, it has been deprecated in the most recent PHP versions.

All the POST information is stored in the $_POST array (and also the $_REQUEST array which includes both GET and POST input). You can create a local $reports variable from $_POST['reports'], as spjackson observes. However any script that includes user-generated input, unless it is running in a closed environment like an intranet, needs to have that input validated. So, again, make sure you have something to handle values that don't match the ones you expect.

I've seen all sorts of things attached as values to exposed variables. The cardinal rule is not to trust user input.

[arizonanoob]

Understood - but until the client is ready to spend the money to have the code updated, I have to take what I can get... and this is a temporary fix.

[SeijiSensei]

Well, I'd make sure you activate register_globals only for this client. You can do this in .htaccess or in the <Directory> stanza for the client's virtual host by adding "php_flag register_globals on". I wouldn't turn it on globally via php.ini if you can avoid it.

[SteveHillier]

Well, I'd make sure you activate register_globals only for this client. You can do this in .htaccess or in the <Directory> stanza for the client's virtual host by adding "php_flag register_globals on". I wouldn't turn it on globally via php.ini if you can avoid it.

Echo this comment.
On our server we have some systems that rely on register variables being on (older shopping carts) and others that rely on register variables being off.
This has to be set by domain / client.
Ultimately you have to write your code to meet the current standards to avoid wholsale collapse of your site one day.