Parameters in PHP

on 23.10.2007 17:51:16 by Jeff Gaines

I have down-loaded several php scripts and am working my way through them
as part of my learning process. I have noticed situations like this:

mysql_query("DELETE FROM $table WHERE id=$id",$db);

where scripts have been called from another script/page with a parameter -
i.e. 'id' is a parameter that is not defined in the script before the
above line is called.

They don't work as they are but I can get the parameters by using
$_GET['id'] or sometimes $_POST['id'].

Is this a result of different versions of php (I am using v5) where
behaviour has changed or is it something else that is going completely
over my head because I am so new to this?

Many thanks.

--
Jeff Gaines Damerham Hampshire UK
It may be that your sole purpose in life is to serve as a warning to others.

Re: Parameters in PHP

on 23.10.2007 18:04:55 by Good Man

"Jeff Gaines" wrote in
news:xn0fcsm06378v50002@news.individual.net:


> They don't work as they are but I can get the parameters by using
> $_GET['id'] or sometimes $_POST['id'].
>
> Is this a result of different versions of php (I am using v5) where
> behaviour has changed or is it something else that is going completely
> over my head because I am so new to this?


It's a change in the way PHP is set up; in PHP 3 (and possibly early
versions of 4?), "register_globals" was set to "on", which meant that you
didn't have to specify any variables before hand - they were created when
you asked for them.

Most PHP installations now have "register_globals" set to Off, and scripts
like the one you posted will be in trouble unless they're modified like
you've done above. That kind of script is understandable if written before
2002, but really is incredibly bad practice if created afterwards.


http://ca.php.net/register_globals

Re: Parameters in PHP

on 23.10.2007 18:07:59 by Shelly

"Jeff Gaines" wrote in message
news:xn0fcsm06378v50002@news.individual.net...
>I have down-loaded several php scripts and am working my way through them
>as part of my learning process. I have noticed situations like this:
>
> mysql_query("DELETE FROM $table WHERE id=$id",$db);
>
> where scripts have been called from another script/page with a parameter -
> i.e. 'id' is a parameter that is not defined in the script before the
> above line is called.
>
> They don't work as they are but I can get the parameters by using
> $_GET['id'] or sometimes $_POST['id'].
>
> Is this a result of different versions of php (I am using v5) where
> behaviour has changed or is it something else that is going completely
> over my head because I am so new to this?
>
> Many thanks.

Yes, it is because you are so new to this.

The $id is a variable called $id and contains the value you want for the id.
How you get it can be from any of the ways that you set a value for a
variable in php. These include the get, post, or simply setting it to
something or calculating it from something. It is totally independent of
the mysql call (and has to have been set first).

The $db is the variable that contains the connection to the database
obtained from a mysql_connect or a mysql_pconnect call.

These are in php4 and, I assume, from the earliest versions of php (I was
not doing php at that time).

Look at www.w3schools.com for a good tutorial on php (and many other
things). Also, look at www.php.net for just about everything you need in
php.

Good luck and we are here to help you get off the ground.

Shelly

Re: Parameters in PHP

on 23.10.2007 18:38:18 by Shelly

"Good Man" wrote in message
news:Xns99D27AEB45331sonicyouth@216.196.97.131...
> "Jeff Gaines" wrote in
> news:xn0fcsm06378v50002@news.individual.net:
>
>
>> They don't work as they are but I can get the parameters by using
>> $_GET['id'] or sometimes $_POST['id'].
>>
>> Is this a result of different versions of php (I am using v5) where
>> behaviour has changed or is it something else that is going completely
>> over my head because I am so new to this?
>
>
> It's a change in the way PHP is set up; In PHP 3 (and possibly early
> versions of 4?), "register_globals" was set to "on", which meant that you
> didn't have to specify any variables before hand - they were created when
> you asked for them.
>
> Most PHP installations now have "register_globals" set to Off, and scripts
> like the one you posted will be in trouble unless they're modified like
> you've done above. That kind of script is understandable if written
> before
> 2002, but really is incredibly bad practice if created afterwards.
>
>
> http://ca.php.net/register_globals

Good point! I didn't catch that when I tried to help him. I thought he had
confusion about the mysql call and what the variables were. I misread his
question.

Shelly

Re: Parameters in PHP

on 23.10.2007 18:39:18 by Lars Eighner

In our last episode, , the lovely
and talented Jeff Gaines broadcast on comp.lang.php:

> I have down-loaded several php scripts and am working my way through them
> as part of my learning process. I have noticed situations like this:

> mysql_query("DELETE FROM $table WHERE id=$id",$db);

> where scripts have been called from another script/page with a parameter -
> i.e. 'id' is a parameter that is not defined in the script before the
> above line is called.

> They don't work as they are but I can get the parameters by using
> $_GET['id'] or sometimes $_POST['id'].

> Is this a result of different versions of php (I am using v5) where
> behaviour has changed or is it something else that is going completely
> over my head because I am so new to this?

It is not entirely clear by "They don't work" whether your problem is how
the parameters are (should be) passed or with executing a mysql query. So
it is rather to the point how they fail to work. Could you clarify that a
little?

There is no necessary connection between $_POST['id'] (or $_GET['id'])
and $id. If $id doesn't get a value somewhere, perhaps passed as a
parameter, it will have an empty value. This is not really nonsense as
you might well want to delete rows with an empty id field, but if this kind
of clean-up is wanted, it should be done in a more straightforward way with
an instruction as potentially dangerous as DELETE. (And of course, setting
up a table in which a field called 'id' could ever acquire an empty value
would be fairly perverse.)

So for this query to be likely, somewhere $id would have to be assigned.

This might be:

$id = ;

or

$foo = some_function();

where some_function is defined:

function some_function($id){
....
return $bar;
}

or

function some_function(){
$id = func_get_arg(0);
....
return $bar;
}

On the other hand, if "They don't work" has to do with the query failing, I
suppose I should mention that mysql_query() will not work without a database
connection. If it isn't given a connection, it will try to use a previous
connection, and failing that it will try to establish one with mysql_connect
without parameters, a last ditch effort almost certain to fail in real-world
situations.

--
Lars Eighner
Countdown: 454 days to go.
What do you do when you're debranded?

Re: Parameters in PHP

on 23.10.2007 20:19:48 by Jeff Gaines

On 23/10/2007 in message
Lars Eighner wrote:

>In our last episode, , the lovely
>and talented Jeff Gaines broadcast on comp.lang.php:

[snipped]

Many thanks Good Man, Shelly & Lars, I picked Lars' post to reply to as he
has this knack of describing me so well :-)

I think Good Man has probably hit it on the head, this is old code I am
looking at which probably will have worked with earlier versions of php. I
will continue using $_GET['id'] and $_POST['id'] as this seems to be how
to do it now.

Hopefully as I learn I will be able to ask my questions more clearly, at
the moment I am struggling a bit to understand exactly what it is I need
to ask :-)

Thanks again!

--
Jeff Gaines Damerham Hampshire UK
Tell me what you need, and I'll tell you how to get along without it.

Re: Parameters in PHP

on 23.10.2007 21:06:52 by Good Man

"Jeff Gaines" wrote in
news:xn0fcspyu3cjwtj004@news.individual.net:

> I think Good Man has probably hit it on the head, this is old code I
> am looking at which probably will have worked with earlier versions of
> php. I will continue using $_GET['id'] and $_POST['id'] as this seems
> to be how to do it now.

Just as an FYI, presuming your code doesn't have any security holes related
to register_globals (ie: if($authorized) { revealSecrets(); } ) then you
can turn the register_globals directive "ON" in php.ini and have that nasty
ol' site work correctly.... admin beware :)
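An added example, not code from the thread, of the if($authorized) hole Good Man refers to and of the explicit form an old script is ported to; checkPassword(), revealSecrets() and EXPECTED_PASSWORD are hypothetical stand-ins:

```php
<?php
// Added example (not from the thread): the if($authorized) hole Good Man
// mentions, and the explicit form to port such a script to. checkPassword(),
// revealSecrets() and EXPECTED_PASSWORD are hypothetical stand-ins.

const EXPECTED_PASSWORD = 'constructed-example-only';
function checkPassword(string $candidate): bool
{
    return hash_equals(EXPECTED_PASSWORD, $candidate);
}

function revealSecrets(): void { echo "secrets\n"; }

// Old style, as top-level code (register_globals creates globals, which is
// exactly where such scripts kept their state). $authorized is assigned only
// on success and the script relies on it being unset otherwise; with
// register_globals=On a request parameter named "authorized" has already
// created $authorized before this line, so no password is needed.
if (checkPassword($_POST['password'] ?? '')) {
    $authorized = true;
}
if ($authorized) {   // with the directive Off: an undefined-variable notice and a falsy value
    revealSecrets();
}

// Ported form: initialise every variable before use and read each input from
// its superglobal explicitly, so no request parameter can alias a local.
function handleLogin(array $post): bool
{
    $authorized = false;                              // default is "no"
    $password = (string) ($post['password'] ?? '');   // explicit source and type
    if (checkPassword($password)) {
        $authorized = true;
    }
    if ($authorized) {
        revealSecrets();
    }
    return $authorized;
}

// Startup guard: refuse to run while the directive is on instead of hoping no
// script depends on it. (register_globals was removed in PHP 5.4; there
// ini_get() returns false and the guard simply passes.)
function assertRegisterGlobalsOff(): void
{
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        http_response_code(500);
        exit('register_globals must be Off');
    }
}
```

Call assertRegisterGlobalsOff() at the top of each script and handleLogin($_POST) where the old top-level check used to sit.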

Re: Parameters in PHP

on 23.10.2007 22:52:42 by Michael Fesser

..oO(Jeff Gaines)

>I think Good Man has probably hit it on the head, this is old code I am
>looking at which probably will have worked with earlier versions of php. I
>will continue using $_GET['id'] and $_POST['id'] as this seems to be how
>to do it now.

An addition: If a user-submitted value is used directly in a query
without any validation as it seems to be in this case, then it's very
easy for an attacker to empty the entire table. Read about SQL injection
and how to prevent it.

Micha

Re: Parameters in PHP

on 24.10.2007 16:21:44 by AnrDaemon

Greetings, Jeff Gaines.
In reply to Your message dated Tuesday, October 23, 2007, 19:51:16,

JG> I have down-loaded several php scripts and am working my way through them
JG> as part of my learning process. I have noticed situations like this:

JG> mysql_query("DELETE FROM $table WHERE id=$id",$db);

JG> where scripts have been called from another script/page with a parameter -
JG> i.e. 'id' is a parameter that is not defined in the script before the
JG> above line is called.

JG> They don't work as they are but I can get the parameters by using
JG> $_GET['id'] or sometimes $_POST['id'].

It is bad, very bad idea to trust something entered by user.
Example?
You have code

"SELECT user_id FROM users WHERE user_name = '{$_POST['name']}' AND user_password = MD5('{$_POST['password']}')"

Then I submit the form

name="admin' --"
password="any"

Et voila.. I'm authorized as admin of Your website.


--
Sincerely Yours, AnrDaemon
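An added example, not code from the thread, covering both Micha's point about the DELETE from the first post and AnrDaemon's login query: the same two statements written with mysqli prepared statements, so request values travel as data rather than as SQL text ($db is assumed to be an open mysqli connection; table and column names are hypothetical):

```php
<?php
// Added example (not from the thread): the DELETE from the first post and the
// login query from AnrDaemon's post, rewritten with mysqli prepared statements
// so request values travel as data, never as SQL text. $db is an open mysqli
// connection; table and column names are hypothetical.
declare(strict_types=1);

// DELETE FROM $table WHERE id=$id, done safely. A table name cannot be a bound
// parameter, so it must come from a fixed allow-list in code, never from input.
function deleteById(mysqli $db, string $table, $rawId): int
{
    $allowed = ['orders', 'comments'];                       // hypothetical
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    // Reject anything but a plain positive integer (e.g. "1 OR 1=1", "", "1;").
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare("DELETE FROM `$table` WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = (int) $stmt->affected_rows;   // 0 or 1 when id is the key, never the table
    $stmt->close();
    return $affected;
}

// Login check. The name is bound as a string, so a value like "admin' --" is
// compared literally against user_name and matches nobody. (The post used
// MD5 for passwords; this version uses password_hash()/password_verify(),
// a deliberate change from the quoted code.)
function findUserId(mysqli $db, string $name, string $password): ?int
{
    $stmt = $db->prepare('SELECT user_id, pw_hash FROM users WHERE user_name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($userId, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found || !password_verify($password, $hash)) {
        return null;                                         // unknown user or bad password
    }
    return (int) $userId;
}

// Usage: request values are strings or absent, and are validated here, not trusted.
// $deleted = deleteById($db, 'comments', $_GET['id'] ?? '');
// $uid     = findUserId($db, $_POST['name'] ?? '', $_POST['password'] ?? '');
```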

Re: Parameters in PHP

on 24.10.2007 19:12:26 by Jeff Gaines

On 24/10/2007 in message <1118486557.20071024182144@freemail.ru> AnrDaemon
wrote:

>It is bad, very bad idea to trust somethig entered by user.

I take your point - I am doing this as a hobby at home on my own network
so I have only to protect me from myself :-)

--
Jeff Gaines Damerham Hampshire UK
This is as bad as it can get, but don't bet on it