
replacing import_request_variables with extract - not working ...


Richard Townsend-Rose

Apr 11, 2015, 9:08:24 AM
Hi

being a bit thick here ...

updating to php 5.5 after many years not using php ...

used to use this.
// get variables from form, etc
// import_request_variables('p', 'F_'); // turn posted vars to F_var

it's now deprecated, so trying this:
extract($_POST, EXTR_PREFIX_ALL, 'F_');

but it is not creating F_ver for example

have checked with print_r($_POST); and the variables are going up ...

must be losing the plot at 70 !

the system is complex and has been working for years - see tdoc.com which is written in ca visual objects - on which group i have posted lots

richard




Jerry Stuckle

Apr 11, 2015, 9:33:59 AM
A huge security risk. It allows someone to insert virtually any
variable into your script - almost as secure as register_globals (which
also has been deprecated, for security reasons).

You should look for each variable in the $_POST array that you are
expecting to find, and process it.

The fact that "it has been working for years" does not make it any more
secure. It looks like it's time to fix it right.


--
==================
Remove the "x" from my email address
Jerry Stuckle
jstu...@attglobal.net
==================

Richard Townsend-Rose

Apr 11, 2015, 10:05:02 AM
Jerry

thanks for that

first to stop injection i have as below:

this one script processes seven different forms with some common and some other variables - never been a problem.

but if that is what has to happen so be it.

but nevertheless why does extract not work ?????

richard

// ************************************************************
// check for spamming [v4 & v5]
// $arr_variables is the submitted array (e.g. $_POST); returns true when any
// value looks like an attempt to inject mail headers
function detect_spam($arr_variables) {
    $msg = "Error in Form - Spam Detected<BR>" ;
    $result = false ;
    foreach ($arr_variables as $key => $var ) {

        // if (eregi( "(%0D)|(%0A)|(0x0A)|(0x0D)|(MIME-Version)|
        // (Content-Type)|(Content-Transfer)|(Content-Disposition)|
        // (boundary=)|(Return-Path)", $var ) )

        // pattern kept on one line: when the string was split over three lines
        // it contained a space before (%0D) and literal newlines before
        // (Content-Type) and (boundary=), so those alternatives never matched;
        // the /i modifier keeps the case-insensitive behaviour of eregi
        if (preg_match("/(%0D)|(%0A)|(0x0A)|(0x0D)|(MIME-Version)|(Content-Type)|(Content-Transfer)|(Content-Disposition)|(boundary=)|(Return-Path)/i", $var))
        {
            $msg.= "<BR>In $key, found $var" ;
            $result = true ;
        }
    }
    if ($result) {
        tdocprint($msg, false) ; // tdoc's own output helper, defined elsewhere
    }
    return $result ;
}

Christoph M. Becker

Apr 11, 2015, 10:11:07 AM
Richard Townsend-Rose wrote:

> being a bit thick here ...
>
> updating to php 5.5 after many years not using php ...
>
> used to use this.
> // get variables from form, etc
> // import_request_variables('p', 'F_'); // turn posted vars to F_var
>
> it's now deprecated, so trying this:
> extract($_POST, EXTR_PREFIX_ALL, 'F_');
>
> but it is not creating F_ver for example

Read the description of the $prefix parameter[1] more carefully: it
automatically adds an underscore character. So with your current code
you have $F__ver (two underscores).

[1] <http://php.net/manual/en/function.extract.php>

--
Christoph M. Becker
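An added example, not code from the thread, showing both points made above: Christoph's point that EXTR_PREFIX_ALL joins the prefix and the key with its own underscore (so prefix 'F_' gives $F__ver), and Jerry's advice to name each expected $_POST field and process it rather than importing unknown variables. The $post array, the field names and the validation rules are constructed assumptions for the demonstration.

```php
<?php
// Added example, not code from the thread. It shows (1) why
// extract($_POST, EXTR_PREFIX_ALL, 'F_') creates $F__ver rather than $F_ver,
// and (2) an allow-list replacement that names each expected field and
// validates it, so nothing in the request ever becomes a variable name.
// The $post array, field names and rules below are constructed assumptions.

$post = array(
    'ver'   => '4.2',
    'email' => 'someone@example.com',
    'note'  => "hello\r\nBcc: other@example.com", // CRLF: the mail-header injection shape detect_spam looks for
    'debug' => '1',                                // a field the real form never sends
);

// (1) extract() inserts its own underscore between prefix and key, so the
// prefix should be 'F', not 'F_', when the goal is $F_ver.
function extracted_names(array $post, $prefix) {
    extract($post, EXTR_PREFIX_ALL, $prefix);
    // Report only the variables extract() created in this function's scope.
    return array_values(array_filter(array_keys(get_defined_vars()), function ($name) {
        return $name !== 'post' && $name !== 'prefix';
    }));
}
print_r(extracted_names($post, 'F_')); // prefix 'F_' + separator '_' + key
print_r(extracted_names($post, 'F'));  // prefix 'F'  + separator '_' + key

// (2) Allow-list: each expected field is named and validated here; anything
// else in the request is reported and never imported into the symbol table.
function read_form_fields(array $post) {
    $rules = array(
        'ver'   => function ($v) { return preg_match('/^\d+(\.\d+)*$/', $v) === 1; },
        'email' => function ($v) { return filter_var($v, FILTER_VALIDATE_EMAIL) !== false; },
        'note'  => function ($v) { return preg_match('/^[^\r\n]*$/', $v) === 1; }, // no CR/LF allowed
    );
    $fields = array();
    $errors = array();
    foreach ($rules as $name => $ok) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            $errors[$name] = 'missing';   // absent fields and array values (name[]) both land here
        } elseif (!$ok($post[$name])) {
            $errors[$name] = 'invalid';
        } else {
            $fields[$name] = $post[$name];
        }
    }
    $unexpected = array_values(array_diff(array_keys($post), array_keys($rules)));
    return array($fields, $errors, $unexpected);
}

list($fields, $errors, $unexpected) = read_form_fields($post);
print_r($fields);     // only validated, expected fields
print_r($errors);     // 'note' fails the CR/LF rule
print_r($unexpected); // 'debug' is reported, not imported
```

With the constructed input, the first extracted_names() call produces F__ver, F__email, F__note and F__debug, the second F_ver, F_email, F_note and F_debug. The allow-list version never calls extract(): ver and email come back in $fields, note is rejected because of the embedded CRLF, and debug is listed as unexpected. Because the set of variable names is fixed in the script, a request cannot introduce or overwrite a variable the rest of the code relies on, which is the register_globals-style risk Jerry describes.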

Jerry Stuckle

Apr 11, 2015, 10:37:17 AM
On 4/11/2015 10:04 AM, Richard Townsend-Rose wrote:
> Jerry
>
> thanks for that
>
> first to stop injection i have as below:
>
> this one script processes seven different forms with some common and some other variables - never been a problem.
>
> but if that is what has to happen so be it.
>
> but nevertheless why does extract not work ?????
>
> richard
>

<snip code>

There's never a problem until something bad happens. Then it's a huge
problem. And your code does find some potential problems. But it won't
stop a good hacker.

Best is to handle the variables as they occur in $_POST and not try to
import unknown variables into your script. This way any potentially bad
stuff is isolated and won't affect the rest of your code.

P.S. When replying, it's considered good form to quote the applicable
parts of the message you are replying to, then reply inline or following
the copied message. Most of us use real usenet readers instead of the
poor Google interface to usenet, and previous messages may or may not be
available.

Richard Townsend-Rose

Apr 11, 2015, 12:05:49 PM
Christoph

Exactly the reply needed ... but I am damned if I can read that prefix adds an underscore in the text.

Anyway working a treat.

Jerry - We have a methodology for checking any unwanted vars that ends any processing.

richard

Richard Yates

Apr 11, 2015, 12:24:14 PM
I went there and also could not find it at first. Wrote a little
script to confirm that an underscore was added, then went back to
http://php.net/manual/en/function.extract.php and there it was, right
in plain sight:

"prefix
Note that prefix is only required if flags is EXTR_PREFIX_SAME,
EXTR_PREFIX_ALL, EXTR_PREFIX_INVALID or EXTR_PREFIX_IF_EXISTS. If the
prefixed result is not a valid variable name, it is not imported into
the symbol table. Prefixes are automatically separated from the array
key by an underscore character."

Feeble minds think alike...

Christoph M. Becker

Apr 11, 2015, 1:23:15 PM
It might be possible, though, that this part of the manual is missing on
a mirror or in a translation. If so, please file a bug report.

--
Christoph M. Becker

Jerry Stuckle

Apr 11, 2015, 2:44:28 PM
I've seen a lot of people who claimed the same. Not a single one was
secure. Hackers are quite good at what they do.

But if you don't care about security, it's no skin off of my back.