amjags

Reputation: 39

PHP deprecated code?

Hi all

Running PHP Version 5.2.11, and we've been given a site which we're told was running on an earlier version (4 possibly).

We have an odd problem where several pages, each with a bunch of forms which update the MySQL database, are not working. The problem is that the variables used in the update script are not defined anywhere in the PHP beforehand, e.g.

$qry = "UPDATE users SET FirstName='$form_firstname' WHERE UserID='$id'";

Now if we change it to..

$form_firstname = $_POST['form_firstname'];
$qry = "UPDATE users SET FirstName='$form_firstname' WHERE UserID='$id'";

then the update works. We could do this for every single variable defined in every update statement, but I'm thinking that, seeing as this must have worked previously, we're looking at some deprecated code somewhere that forms these variables. I've looked for any

import_request_variables

statements but nada.

Can anyone think of anything that would be turned off by default on a new server that would cause this, or does this variable have to be declared somewhere?

Cheers muchly

Upvotes: 2

Views: 786

Answers (4)

symcbean

Reputation: 48357

As stated elsewhere, it's because the original code was written with register_globals enabled, which is very bad practice.

As a quick hack you could add some code at the top of each page (in global scope):

extract($_GET); extract($_POST);

...which has much the same effect but on a script-by-script basis. But ONLY to keep the site running while you re-implement the code properly. Note that this is not the only problem with the code - splicing unchecked user input into SQL statements is a recipe for DISASTER.

You should be rewriting the code as....

// Read each value explicitly from the request and escape it for the open connection
$form_firstname = mysql_real_escape_string($_POST['form_firstname'], $db_handle);
$id = mysql_real_escape_string($_POST['id'], $db_handle);
$qry = "UPDATE users SET FirstName='$form_firstname' WHERE UserID='$id'";

C.

Upvotes: 1
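To make the injection risk in this answer concrete, here is an added example (not code from the question or from any of the answers) that runs the page's UPDATE two ways against an in-memory SQLite database via PDO, so it works offline with no MySQL server. The table, the two users and the hostile `id` value are constructed for the demo; `legacyUpdate`, `updateFirstName`, `makeDb` and `allNames` are hypothetical names. It assumes PHP with the pdo_sqlite extension. The legacy function takes `$form_firstname` and `$id` as plain parameters to stand in for what register_globals (or the `extract()` hack) would have handed the script straight from the request; the hardened version reads only named `$_POST` keys, validates them, and uses a prepared statement.

```php
<?php
// Added example, not part of the original thread. Compares the page's
// string-built UPDATE with a parameterised rewrite. All data is constructed here.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (UserID INTEGER PRIMARY KEY, FirstName TEXT NOT NULL)');
    $db->exec("INSERT INTO users (UserID, FirstName) VALUES (1, 'Alice'), (2, 'Bob')");
    return $db;
}

// 1. The shape from the question. Under register_globals (or extract($_POST))
//    $form_firstname and $id are whatever the request supplied, and they are
//    spliced directly into the SQL text.
function legacyUpdate(PDO $db, string $form_firstname, string $id): int {
    $qry = "UPDATE users SET FirstName='$form_firstname' WHERE UserID='$id'";
    return $db->exec($qry);   // number of rows changed
}

// 2. Hardened rewrite: values come only from named request keys, are validated,
//    and reach the database as bound parameters, so they are never parsed as SQL.
function updateFirstName(PDO $db, array $post): int {
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    $name = $post['form_firstname'] ?? '';
    if ($id === false || $name === '' || strlen($name) > 50) {
        return 0;   // reject; a real handler would return a validation error
    }
    $stmt = $db->prepare('UPDATE users SET FirstName = :name WHERE UserID = :id');
    $stmt->execute([':name' => $name, ':id' => $id]);
    return $stmt->rowCount();
}

function allNames(PDO $db): array {
    return $db->query('SELECT FirstName FROM users ORDER BY UserID')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker value for the id field: closes the quote and adds a tautology,
// turning the WHERE clause into  UserID='1' OR '1'='1'
$evilId = "1' OR '1'='1";

// Legacy code: every user gets renamed, not just UserID 1.
$db = makeDb();
$n = legacyUpdate($db, 'Mallory', $evilId);
printf("legacy update, hostile id: %d rows changed -> %s\n", $n, implode(', ', allNames($db)));

// Hardened code: the same input fails integer validation and changes nothing.
$db = makeDb();
$n = updateFirstName($db, ['form_firstname' => 'Mallory', 'id' => $evilId]);
printf("hardened update, hostile id: %d rows changed -> %s\n", $n, implode(', ', allNames($db)));

// A legitimate request still works, including a name with an apostrophe,
// because the value is bound rather than interpolated.
$n = updateFirstName($db, ['form_firstname' => "O'Brien", 'id' => '2']);
printf("hardened update, valid id: %d rows changed -> %s\n", $n, implode(', ', allNames($db)));
```

Two practical notes on the stop-gap suggested above. `extract()` defaults to `EXTR_OVERWRITE`, so `extract($_POST)` lets a request field named, say, `db_handle` or `id` replace a variable the script has already set; passing `EXTR_SKIP` stops the overwrite but still lets the client create arbitrary global names, so it is only marginally safer than register_globals itself. And escaping with `mysql_real_escape_string` only protects values that sit inside quotes in the SQL; an unquoted numeric `UserID=$id` remains injectable, which is why the rewrite above validates the integer and binds it rather than relying on escaping.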

user187291

Reputation: 53940

I hope you don't use that for something serious. That code is open to all kinds of intrusions, injections and hacks. I have two answers for you. Quick & dirty: turn register_globals on. Alternative: find someone to rewrite your app from scratch, or find a better one.

Upvotes: 0

Unnamed123321

Reputation: 1

I think you need to set register_globals=on in php.ini

Upvotes: -2

Ignacio Vazquez-Abrams

Reputation: 798676

This is register_globals. DO NOT use this; it is a gaping security hole.

Upvotes: 8
