PHP - Passing variables securely

[brettgodfrey]

I have been advised by a clients' host that the reason my php code does not work is that they are operating with php safe_mode set to 'on' and my php programming is insecure. This would normally be welcome advice if they had explained why.

I posted a phpinfo.php (http://warwick-davis.co.uk/phpinfo.php) page and it says that safe_mode is 'off'. When questioned my host suggested I transfer to a new host.


The basis of the issue is that I want to use an HTML form which when posted passes the form data to a php script.

Below is a basic example:
This is the form page called test1.htm

Code:

<body>
Please enter your name
<form name="form1" method="post" action="test2.php">
  <input name="name" type="text" id="name">
  <input type="submit" name="Submit" value="Submit">
</form>
</body>

The code I am using to access the form variable 'name' is test2.php

Code:

<body>
<? echo "Hello $name";?>
</body>

Currently the page only displays "Hello" as it does not see $name.

I suspect all of the error reporting is turned off as it does not report an Undefined variable.

That is the only way I know to pass HTML form data to a php script.

Is this insecure?

What is the secure alternative?

[jdiben]

instead of
<? echo "Hello $name"; ?>
try
<? echo "Hello $_POST['name']"; ?>

Joe

[brettgodfrey]

Thanks Joe

That sorted it!

I should ave known it would be that easy :)

[Easywebdev]

Quote:

I posted a phpinfo.php (http://warwick-davis.co.uk/phpinfo.php) page and it says that safe_mode is 'off'. When questioned my host suggested I transfer to a new host.

If it were I, I would be running for the hills and getting a new host.

If your host cannot differentiate beteween php safemode and register globals then get out.

For the record, <? echo "Hello $name"; ?> would work on a server with the php setting register globals on.

Explanation.
When a php variable is passed to a script on the server the php parser takes over and obeys the rules set in the file php.ini this file has an attribute called register globals if this attribute is set to ON then your code would have worked as all variables/form names etc would be automatically converted to php variables, ie if you had a form with a text area named form_text then there would automatically be a variable $form_text available to your scripts.
If your host had set register globals to OFF (I wont explain variable scope here) then $form_text would be null/blank, but $_POST["form_text"] would contain the information passed from the form tag named form_text.

The fact that it did not would suggest your host was somehwat security conscious but when they attribute that behaviour to safe mode well, it smacks of a kiddie host that has no real understanding of php, god knows what they will tell you when they run into dns or sendmail issues. Get out now.

Hosts that charge less than $5 for 100mb space and 1gb bandwidth are either a massive corporation or someone new to the hosting game with no real sustainable business plan.

Regarding hosting, you get what you pay for. I have programmed computers from the 8bit days and like to think I know the net inside out (apart from seo, thats a different ball game) but for server side technologies I consider myself well up to date.
Yet I see 20 year olds (and younger) think that they can buy a templatemonster template and run a hosting company, sheesh
the mind boggles.
I frequent webhosting talk and see question like what's the difference between windows hosting and linux hosting? why is windows dearer?. how in hell are these people ment to answer support questions when a router is down on the at&t network and they have never heard of the word router?
The mind boggles.

Anyhow, enough of a rant, change hosts. Your existing host has no clue and when you ask a simple question they dont know the answer to they tell you to take your business elsewhere.

Tips for finding a webhost.
1.Less than 50c per gb bandwidth nu uh. (dont fall for the big corpo spiels, most likely you will end up in obscure dc's with a smaller pipe to the big dc's resulting in slower access).

2. In the current market a minimum spec (most likely 1.7ghz celerons = bargain bucket servers) server with 1200 gb transfer will cost around $120 per month, the kiddies will try to sell you 50gb transfer for $2.95 (the thinking being that no one will actually use that much) then they figure out that the 1200gb that they signed up for is split 50% inbound 50% outbound traffic and their business plan did not quite accomodate for that.

3. Be sensible if some idiot offers you 400gb space and 1 terabyte transer for $7.95 a month then go ask them where they bought the hard drive cos I want one :)

4. Ask on forums like this, the majority of webmasters her probably know of a good deal and know exactly what they are getting for their $.

[brettgodfrey]

Thank you Easywebdev.

The explanation re: PHP globals on/off is very helpful