ok, I misunderstood the problem.. well rather I didn't get the whole picture
remove what I suggested and replace it with this ..
| Code: |
if ($_GET['show'] == 'lost'){ $show = 'lost';}
if ($_GET['show'] == 'update'){$show = 'update';}
if (!empty($_POST['Email'])){$Email = $_POST['Email'];}
|
If you still want to remove the edit link.. it's in the ginormous /include/functions.php file
around lines 703 - 706 it can be removed by doing a block comment.. instead of adding double slashes in front of every line, you can comment out whole blocks of code with
a forward slash followed by an asterisk at the top, and an asterisk followed by a forward slash at the bottom
This is the code block to comment out .. I'd put in the comment characters
but that breaks the forum's formatting .. so above this block add
forward slash asterisk
and at the bottom add
asterisk forward slash
| Code: |
$htmlsrc .= " <a class=\"ownerLink\" ";
$htmlsrc .= "href=\"./directory/owner.html?";
if ($usesession =="yes"){$htmlsrc .= "". session_name()."=".session_id() ."&";}
$htmlsrc .= "ID=". $sites_array["site_id"] . "\">" . $functions_11 . "</a>";
|

stupid forum. messing up my nicely formatted post

And finally to answer your question.. what's register globals..
Well, when PHP was young (like a couple of years ago) it was really handy to have variables automatically populated for you.

So on a page that had a URL like /somescript.php?value=yippy
the script automatically had a variable named $value with the contents yippy

But, it turns out that can be quite a security issue, since I might be able to guess at some of the internal variable names in your script and overwrite their values with something else, or if I were evil, I could sneak in some nasty php code and get it executed by your server
somescript.php?value=whocares&debug=1
somescript.php?value=(eval(print_r($_SERVER))) // and no to potential hackers.. that won't actually work.. thank God.

but if it did, when your script tries to do something with the automatically created variable $value, since it contains an eval function call, the code within the parens would be executed as PHP code... I think you can see where that can get really scary.

So, initially they shipped PHP with register globals on, and strongly suggested you disable it. Now with PHP5 it's off by default (but can still be enabled) although even a stubborn caveman like me thinks it's probably best to adapt the code to the newer, more secure environment.

The end result is, if you want a variable, you have to fetch it from the $_GET or $_POST array. In this example since the value was passed via the URL, you would use the $_GET array. Use $_POST if it were submitted by a form.

and of course you still need to scrutinize & sanitize what was passed ..

$value = $_GET['value']; // that works, but doesn't keep badness out..

if value should be a number.. best to do something like
if (is_numeric($_GET['value'])){ $value=$_GET['value'];}
else {unset($_GET['value']);} // it wasn't a number so, erase it

To make sure the value variable only contains alphanumeric characters
if (!empty($_GET['value'])){
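// strip everything except letters and digits (ereg_replace was removed in PHP 7, so use preg_replace)
$value = preg_replace('/[^[:alnum:]]/', '', $_GET['value']);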
}

I'm still learning about potential security issues and how to address them, and the two examples above are fairly simple.. but a good start I think.
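
An added example (not part of the original post) illustrating the register globals explanation above: a request parameter overwriting an uninitialised internal flag, next to explicit fetching and validation. `extract()` stands in for what register globals did; the two function names and the `id` parameter are assumptions made for the illustration.

```php
<?php
// Constructed sample request modelled on the post's example URL.
// "id" is an assumed extra parameter, added to show numeric validation.
parse_str('value=who<b>cares&debug=1&show=update&id=42abc', $query);

// Legacy behaviour: extract() stands in for register_globals=On, which
// turned every request parameter into a variable before the script ran.
function legacy_handler(array $query): array
{
    extract($query);
    // $debug is meant to be an internal flag, but the script never
    // initialises it, so the request decides its value.
    return ['debug' => !empty($debug), 'value' => $value ?? null];
}

// Explicit handling: internal state is set by the script, and each
// parameter is fetched by name and validated before use.
function strict_handler(array $query): array
{
    $debug = false; // never read from the request

    // Allowlist: only the two values the script knows about.
    $show = $query['show'] ?? null;
    if (!in_array($show, ['lost', 'update'], true)) {
        $show = null;
    }

    // Digits only; "42abc" or "1e5" are rejected rather than coerced.
    $id = $query['id'] ?? null;
    $id = (is_string($id) && ctype_digit($id)) ? (int) $id : null;

    // Letters and digits only; arrays (value[]=x) are discarded.
    $value = $query['value'] ?? '';
    $value = is_string($value) ? preg_replace('/[^A-Za-z0-9]/', '', $value) : '';

    return ['debug' => $debug, 'show' => $show, 'id' => $id, 'value' => $value];
}

print_r(legacy_handler($query));
print_r(strict_handler($query));
```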