Upgraded to php 4.2.1, broke a script

Kevin Brown plug-discuss@lists.plug.phoenix.az.us
Thu, 16 May 2002 22:48:44 -0700


OK.  I think I'll leave globals off and make the changes to my scripts instead. 
I didn't worry too much about the security of my scripts since they are hidden
on my Internal LAN and only my parents and I can get to them.

> > > Question:
> > >
> > > Are the following two statements really equivalent?
> > >
> > > 1) echo "select binary_junk, filetype from images where img_id = '92'"
> > >
> > > 2) $get_image = "select binary_junk, filetype from images where img_id =
> > > '$imgid'";
> >
> > I would have thought them equivalent since img_id is passed into the script from
> > the url (e.g. show_image.php?img_id=92).  I think this right here is my
> > problem.  For some reason php is no longer accepting those values.  Guess I'll
> > have to go through the php.ini file and find out why it no longer does.  PHP
> > 4.1.2 did accept the passing of parameters.
> 
> This might be because your register_globals has been turned off in the
> php.ini file. You'll need to add a line in there that reads
> "register_globals=On". By default the newer versions of PHP have this turned
> _off_. The PHP developers do not recommend this because of the nature of the
> $HTTP_GET_VARS (now $_GET) and $HTTP_POST_VARS (now $_POST) -- GET variables
> can supersede POST variables, and as such makes it a security risk to use
> the setting. You might want to replace your reference to $imgid with
> $_GET['imgid'] instead. See
> http://www.php.net/manual/en/language.variables.predefined.php and
> http://www.php.net/release_4_1_0.php for more info on this.
> 
> Additionally, SQL states that only character strings be enclosed by
> single-quotes, so your SQL statement should read as "SELECT binary_junk,
> filetype FROM images WHERE img_id = 92", unless the img_id column is a
> char/varchar/text/whatever. Double quotes are not in the SQL standard at
> all, AFAIK.
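To illustrate the change the reply above suggests, here is an added example (my own, not code from the thread) of the image lookup rewritten to run with register_globals off. It assumes the URL parameter is named img_id, as in the show_image.php?img_id=92 example, and that images.img_id is an integer column; the commented-out "before" line is the one from the original question.

```php
<?php
// Added example, not from the thread. Assumes the query string parameter is
// img_id (show_image.php?img_id=92) and that images.img_id is an integer.

// Before (needed register_globals=On): $imgid appeared "by magic" from the
// query string and was pasted straight into the statement, so whatever the
// browser sent became part of the SQL:
//   $get_image = "select binary_junk, filetype from images where img_id = '$imgid'";

// After: read the value explicitly from $_GET and accept only a plain
// decimal integer before it gets anywhere near the query.
function build_image_query($params)
{
    if (!isset($params['img_id'])) {
        return false;                      // parameter missing
    }
    $raw = $params['img_id'];
    // ctype_digit() is true only for a non-empty string made of 0-9, so
    // quotes, spaces, minus signs and anything else are rejected here.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return false;                      // not a usable id
    }
    $imgid = (int) $raw;
    // Integer column, so no quotes around the value, as the reply notes.
    return "SELECT binary_junk, filetype FROM images WHERE img_id = $imgid";
}

$sql = build_image_query($_GET);
if ($sql === false) {
    header('HTTP/1.0 400 Bad Request');
    echo 'bad image id';
    exit;
}
// $sql can now be handed to mysql_query() as before.
?>
```

With register_globals left Off in php.ini, nothing but this explicit $_GET read can set $imgid, which is the whole point of the new default.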