
Thread: Help please it does not work..

  1. #11

    Quote: Originally posted by djr33
        -- then try to remove that line.

    a better way to "remove" a line of code is to comment it out - that way, the code is ignored, but you can still restore it easily if it turns out you needed it.
    PHP Code:
    $example = "I like this code";

    // $bad = "I think this line is a problem";

    //  <-- the two slashes make a one-line comment: everything after them (on the same line) is ignored by PHP.

    /*
    this is another way to make a comment.
    the slash-and-star starts the comment,
    and the star-and-slash ends it.
    this is also useful in cases like below, 
    where you want to keep most of the code and only change one part:
    */

    $variable = /*"bad value";*/ "good value";

  2. #12

    Yes, I agree. I meant "remove" in a casual sense. Of course as a final step actually deleting it is fine if you're sure after testing that it works -- but save a backup. My suggestion was to just leave everything as is in case you're not sure what to comment out, and just find the single if statement that checks for register_globals, and make that always true (see my last post). Commenting it out is fine as well -- just make sure you disable a symmetrical part of the code -- e.g., the same number of open { brackets and close } brackets, or you'll get a parse error.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. #13

    Wow, that worked for the first one I found, not the one I posted here in this thread.

    Here I was not able to find any PHP in any of the files, even the one with the php extension.

    But for the first one I was told by the people that published it that the globals needed to be turned on. I asked my host if it was okay to do this before I added the file that xaviermedia told me to add.

    I was told it would pose a possible security issue.

    I went back to the forum and posted what I was told and they removed the post and now I can do nothing. I can't get links to work at the forum or do anything but my profile.

    xaviermedia.com/php/keno.phtml

    Thanks for the help - I am soooooo happy to get the game working
    Last edited by jscheuer1; 12-15-2011 at 04:08 AM. Reason: Format
    Thanks,

    Bud

  4. #14

    register_globals really is a security risk, especially for newer coders or those who didn't learn to code with strongly-typed languages (PHP is a "loosely typed" language, meaning you aren't required to define a variable's type before using it or giving it a value).

    at best, register_globals can cause hard-to-track problems by allowing input from many different sources to create and/or overwrite variables. at worst, -since variables from html forms and query strings are among those "registered"- users can take control of your scripts by inserting values. example:
    Quote: Originally posted by http://us3.php.net/manual/en/security.globals.php
        Warning: This feature [register_globals] has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.
    PHP Code:
    <?php
    // define $authorized = true only if user is authenticated
    if (authenticated_user()) {
        $authorized = true;
    }

    // Because we didn't first initialize $authorized as false, this might be
    // defined through register_globals, like from GET auth.php?authorized=1
    // So, anyone can be seen as authenticated!
    if ($authorized) {
        include "/highly/sensitive/data.php";
    }
    ?>

  5. #15

    Quote: Originally posted by ajfmrf
        Wow, that worked for the first one I found, not the one I posted here in this thread.

        Thanks for the help - I am soooooo happy to get the game working

    Great!

    I had a little trouble finding it on your site, but I did. Looks good!
    - John

  6. #16

    What traq said is very important.

    Generally, it's possible to avoid that if you always give your variables a default value. Since register_globals is set before everything else, your default value (even at the beginning of your script) will be applied after that and reset the value from whatever was "globally registered" from the input.

    So fixing the code in traq's post:
    PHP Code:
    <?php
    $authorized = false; // DEFAULT VALUE, IMPORTANT!
    if (authenticated_user()) {
        $authorized = true;
    }
    if ($authorized) {
        include "/highly/sensitive/data.php";
    }
    ?>

    That said, it's still best to avoid register globals if you can or to apply it only when you need it-- not on the whole site, but for just the pages that actually required it. And really be sure that any "security" type variables are given a default value. That's crucial.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
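
Added example (not part of any post in this thread): register_globals was removed in PHP 5.4, so this sketch emulates it with extract() inside a function, which lets the manual's check and the default-value fix be compared on a current PHP. The authenticated_user() stub, the two check_* function names and the sample query string are constructed for the demonstration.

```php
<?php
// Emulates register_globals with extract() so the two versions of the
// check discussed above can be compared side by side.

// Hypothetical stand-in for the thread's authenticated_user():
// the visitor in this demo is never logged in.
function authenticated_user(): bool
{
    return false;
}

// Version from the PHP manual quote: $authorized is assigned only on the
// success path, so a value registered from the request is left in place.
function check_without_default(array $request): bool
{
    extract($request);   // emulation only: turns request keys into variables
    if (authenticated_user()) {
        $authorized = true;
    }
    // !empty() replaces the bare if ($authorized) to avoid an
    // "undefined variable" warning when the request did not set it.
    return !empty($authorized);
}

// Fixed version from post #16: the default is assigned after the input
// has been registered, so it replaces whatever the request supplied.
function check_with_default(array $request): bool
{
    extract($request);   // same emulated input as above
    $authorized = false; // DEFAULT VALUE, assigned before any check
    if (authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample input: the query string of auth.php?authorized=1
parse_str('authorized=1', $request);

echo "without default, authorized=1 in request: ";
var_dump(check_without_default($request));
echo "with default, authorized=1 in request:    ";
var_dump(check_with_default($request));
echo "without default, empty request:           ";
var_dump(check_without_default([]));
```

The first and third lines differ only in the request, which is the whole problem: without the default, the outcome of the check depends on input rather than on authenticated_user().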
