Upgraded to php 4.2.1, broke a script

[plug-discuss@lists.plug.phoenix.az.us]

On Thu, May 16, 2002 at 08:53:48AM -0700, Kevin Brown wrote:
> > Question:
> > 
> > Are the following two statements really equivalent?
> > 
> > 1) echo "select binary_junk, filetype from images where img_id = '92'"
> > 
> > 2) $get_image = "select binary_junk, filetype from images where img_id =
> > '$imgid'";
> 
> I would have thought them equivalent since img_id is passed into the script from
> the url (e.g. show_image.php?img_id=92).  I think this right here is my
> problem.  For some reason php is no longer accepting those values.  Guess I'll
> have to go through the php.ini file and find out why it no longer does.  PHP
> 4.1.2 did accept the passing of parameters.

This might be because your register_globals has been turned off in the
php.ini file. You'll need to add a line in there that reads
"register_globals=On". By default the newer versions of PHP have this turned
_off_. The PHP developers do not recommend this because of the nature of the
$HTTP_GET_VARS (now $_GET) and $HTTP_POST_VARS (now $_POST) -- GET variables
can supercede POST variables, and as such makes it a security risk to use
the setting. You might want to replace your reference to $imgid with
$_GET['imgid'] instead. See
http://www.php.net/manual/en/language.variables.predefined.php and
http://www.php.net/release_4_1_0.php for more info on this.

Additionally, SQL states that only character strings be enclosed by
single-quotes, so your SQL statement should read as "SELECT binary_junk,
filetype FROM images WHERE img_id = 92", unless the img_id column is a
char/varchar/text/whatever. Double quotes are not in the SQL standard at
all, AFAIK.

HTH
--
Thomas "Mondoshawan" Tate
mondoshawan@tank.dyndns.org
http://tank.webhop.org