This is a discussion on "post variables always undefined" within the PHP Language forums, part of the PHP Programming Forums category.
Hi folks,

I seem to be using these newsgroups a good bit and probably will be for the next three or so months. I wonder if there is a workaround to a problem I'm having. PHP always says that variables are undefined the first time I visit a page. I have register_globals on, and on the second visit to a page a certain post variable 'has' a value and has been defined.

Here's a bit of code I'm working with now.

<?php
if($deleteFlag=="yes") {unlink($filename); echo "$filename successfully deleted";}
else {
    echo "<table><tr bgcolor='#FFFF00' align=center><td><b>Are you sure you want to delete \"$filename\"? <br>This action cannot be undone</b>";
}
?></td></tr><tr align=center><td><form action="delete.php" method="post" name="delete"><input name="deleteFlag" type="hidden" value="yes" /> <input name="Submit" type="button" value="Confirm" /> <input name="cancel" type="button" value="Cancel" /></form></td></tr></table> </td></td></table>

Basically I want to be able to tell the script that the confirm button was pressed and to actually delete the file.

On Sun, 19 Dec 2004 20:30:21 -0000, "Dave" <contact@akamarketing.com> wrote:

>I wonder if there is a workaround to a problem I'm having. PHP always says
>that variables are undefined for the first time I visit a page. I have
>register_globals on

Boo, hiss. You'd be well advised to turn them off.

>and on the second visit a page when a certain post
>variable 'has' a value and been defined.
>
>Here's a bit of code I'm working with now.
>
><?php
>if($deleteFlag=="yes") {unlink($filename);

This page had better be accessible strictly to trusted users.

To solve the issue you're asking about, check if the variable is set before comparing it to anything, e.g.:

if (isset($deleteFlag) && $deleteFlag=="yes")

http://uk2.php.net/isset

--
Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool

Dave wrote:

> <input name="Submit" type="button" value="Confirm" />
> <input name="cancel" type="button" value="Cancel"
[...]
> Basically i want to be able to tell the script that the confirm
> button was pressed and to actually delete the file

In this case, you shouldn't use a control with "button" as the type. This kind of control can be handled client side only (e.g. with JavaScript). If you want to send the cancellation to the server, use a submit control:

<input name="cancel" type="submit" value="Cancel" />

if (isset($_REQUEST['cancel'])) {...}

BTW, I think that you really should consider using the $_* superglobals instead of register_globals. Browse the online manual to read about the advantages.

JW

Dave wrote:

> I seem to be using these newsgroups a good bit and probably will be for the
> next three or so months.

Why are you already thinking about leaving us? :-)

> I wonder if there is a workaround to a problem I'm having. PHP always says
> that variables are undefined for the first time I visit a page.

Use isset() before the variable:

if (isset($variable)) do_something_with($variable);

> I have
> register_globals on and on the second visit a page when a certain post
> variable 'has' a value and been defined.
>
> Here's a bit of code I'm working with now.
>
> <?php
> if($deleteFlag=="yes") {unlink($filename);
> echo "$filename successfully deleted";}
<snip>

What would happen if I browsed to
yourserver.com/.../delete.php?deleteFlag=yes&filename=index.php

Turn off register_globals
and validate *all* user input.

*NEVER* trust the user!

--
Mail to my "From:" address is readable by all at http://www.dodgeit.com/
== ** ## !! ------------------------------------------------ !! ## ** ==
TEXT-ONLY mail to the whole "Reply-To:" address ("My Name" <my@address>)
may bypass my spam filter. If it does, I may reply from another address!

Thanks everyone for their replies so far,

> What would happen if I browsed to
> yourserver.com/.../delete.php?deleteFlag=yes&filename=index.php

I think you know what would happen :-) I tried that with this one http://localhost/delete.php?deleteFl...ename=test.txt and it deleted test.txt.

A number of things then in response:

How would malicious people know the names of variables and what their use is? No URLs like the one you gave and the one I gave can ever be seen in the browser bar.

There's no way I can hide my PHP code when I distribute this program, is there? Everyone could simply examine the code and then try to break websites using the system.

I'm only starting on this project now. (It's for a college project, for those that don't know.) I fully plan to implement logins and basically have something like "if session login is good then {process rest of page} else die(not authorized)". Passwords would be stored in a database, well, encrypted versions of them, not actually the plain text ones. With security this would mean that a URL like the above could not be executed by the right people. Am I right in saying that?

Also, if register_globals is off, basically all I have to do to get at a variable is use $_POST[filename] rather than $filename.

If register_globals is off, is it therefore impossible to do trick URLs like the two above, regardless of whether logins are used?

Pedro, if you could address as many of these issues as possible, also other help too. Thanks to everyone. Only learning, and you have all been helpful.

"Pedro Graca" <hexkid@dodgeit.com> wrote in message news:slrncsc1ub.eqs.hexkid@ID-203069.user.uni-berlin.de...
> Dave wrote:
> > I seem to be using these newsgroups a good bit and probably will be for the
> > next three or so months.
>
> Why are you already thinking about leaving us? :-)
>
> > I wonder if there is a workaround to a problem I'm having. PHP always says
> > that variables are undefined for the first time I visit a page.
>
> Use isset() before the variable:
>
> if (isset($variable)) do_something_with($variable);
>
> > I have
> > register_globals on and on the second visit a page when a certain post
> > variable 'has' a value and been defined.
> >
> > Here's a bit of code I'm working with now.
> >
> > <?php
> > if($deleteFlag=="yes") {unlink($filename);
> > echo "$filename successfully deleted";}
> <snip>
>
> What would happen if I browsed to
> yourserver.com/.../delete.php?deleteFlag=yes&filename=index.php
>
> Turn off register_globals
> and validate *all* user input.
>
> *NEVER* trust the user!
>
> --
> Mail to my "From:" address is readable by all at http://www.dodgeit.com/
> == ** ## !! ------------------------------------------------ !! ## ** ==
> TEXT-ONLY mail to the whole "Reply-To:" address ("My Name" <my@address>)
> may bypass my spam filter. If it does, I may reply from another address!

I noticed that Message-ID: <cq548l$jbu$1@kermit.esat.net> from Dave contained the following:

>How would malicious people know the names of variables and what their use is,
>no urls like the one you gave and the one

Well this one is a giveaway...

<input name="deleteFlag" type="hidden" value="yes" />

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

[ Please don't top post ]
[ See http://www.greenend.org.uk/rjk/2000/06/14/quoting.html ]

Dave top-posted:

> How would malicious people know the names of variables and what their use is,
> no urls like the one you gave and the one
> I gave can ever be seen in the browser bar.

URLs hidden in a frame or built with JavaScript are very easy to "find". Besides, most people tend to use the same names for the same things -- it's just a question of trying them and getting lucky.

> There's no way I can hide my
> could my php code when I distribute this program is
> there? everyone could simply examine the code and then try to break websites
> using the system.

No. Under normal circumstances the PHP code is not visible to anyone browsing your site. But that is not enough to stop malicious people from taking guesses at URL parameters, form submissions, cookie entries, ...

> With security this would mean that URL like the above could not be executed
> by the right people.
> Am I right in saying that?

Basically yes. Without seeing some code we can't tell for sure. Many, many things could go wrong.

> Also if register_globals is off basically all I have to do to get at a
> variable is use $_POST[filename] rather than $filename.

Yes.

> If register_globals is off, is it therefore impossible to do trick URLs like
> the two above regardless if logins are used.

Nope :-) Even with register_globals off many, many things could go wrong.

--
Mail to my "From:" address is readable by all at http://www.dodgeit.com/
== ** ## !! ------------------------------------------------ !! ## ** ==
TEXT-ONLY mail to the whole "Reply-To:" address ("My Name" <my@address>)
may bypass my spam filter. If it does, I may reply from another address!
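As an added example (not code from Dave's post or from any reply in this thread), here is the delete.php discussed above with the replies' advice applied together: register_globals off and $_POST/$_GET read explicitly, isset() before comparing, submit controls instead of type="button", a session login check, and the filename validated against a single directory. The upload directory path and the $_SESSION['user_id'] key are assumptions.

```php
<?php
// Added example (not Dave's code): hardened rewrite of the thread's delete.php.
// Assumes register_globals is off and that a login stored $_SESSION['user_id'].
session_start();
const UPLOAD_DIR = '/var/www/uploads';   // assumed: the only directory deletions may touch

// Pedro's point: validate *all* user input. Reduce the name to a bare basename
// so "../index.php" cannot escape UPLOAD_DIR, then require a real file inside it.
function safe_upload_path(string $name): ?string
{
    $base = basename($name);
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$/', $base)) {
        return null;
    }
    $dir  = realpath(UPLOAD_DIR);
    $path = $dir === false ? false : realpath($dir . '/' . $base);
    return ($path !== false && strpos($path, $dir . '/') === 0 && is_file($path)) ? $path : null;
}
// Dave's planned "if session login is good ... else die" check comes first.
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not authorized');
}
// Andy's fix: isset() before comparing. Reading $_POST/$_GET explicitly (JW's advice)
// means delete.php?deleteFlag=yes&filename=index.php can only reach the form, never unlink().
$filename = $_POST['filename'] ?? $_GET['filename'] ?? '';
$path = safe_upload_path($filename);
if ($path === null) {
    http_response_code(400);
    exit('Invalid filename');
}
$safe = htmlspecialchars(basename($path), ENT_QUOTES);
// JW's point: only submit controls reach the server, so Confirm and Cancel can be
// told apart by which name is set. Deletion additionally requires a POST.
$isPost = $_SERVER['REQUEST_METHOD'] === 'POST';
if ($isPost && isset($_POST['cancel'])) {
    exit('Deletion cancelled');
}
if ($isPost && isset($_POST['confirm'], $_POST['deleteFlag']) && $_POST['deleteFlag'] === 'yes') {
    exit(unlink($path) ? "$safe successfully deleted" : "Could not delete $safe");
}

// First visit: show the confirmation form with two submit buttons.
echo "<p>Are you sure you want to delete \"$safe\"? This action cannot be undone.</p>";
echo '<form action="delete.php" method="post">';
echo "<input name=\"filename\" type=\"hidden\" value=\"$safe\" />";
echo '<input name="deleteFlag" type="hidden" value="yes" />';
echo '<input name="confirm" type="submit" value="Confirm" /> ';
echo '<input name="cancel" type="submit" value="Cancel" />';
echo '</form>';
```

With this layout a GET request carrying deleteFlag=yes, like the URL Pedro quoted, only ever renders the confirmation form; unlink() runs solely on a POST from a logged-in session whose filename resolves inside UPLOAD_DIR.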