THE answer for some .7X problems :: Zikula Community

Get Zikula 1.3.3!New core, modules & more

Quick Links

Donate Today!Support your Software

Documentationlearn, share & develop

Watch

GitHub Core

Show your support for Zikula! Sign up at Github account and watch the Core project!

GitHub Modules

Forum Activity

mesteele101 created topic »Pages 2.5.0 and updating - Page not found« 05:20 AM
mesteele101 responded to »ERR (3): E_USER_ERROR: Smarty error: [in pagesvar:pagesitem2en line XXX]…« 05:05 AM
mesteele101 responded to »Zikula 1.3.3 - Selecting a category in Pages not working« 01:29 AM
mdee created topic »How to implement returnpage ?« 01:00 AM
nestormateo responded to »Fillters in Clip« 24. May
damon responded to »Can the Updated Version Check be Turned Off (Z 1.3)« 24. May
frw responded to »Bug in the SMTP mail transfer protocol - Port 25 - Zikula 1.2.9« 22. May

» Visit forum | » View latest posts

Zikula Blog

Anatomy of Open Source Projects on Mar 07
Continuous Review on Mar 01
Not Invented Here on Feb 24
How to Contribute Your Code at Github on Jan 13
10 Steps to Coding-Nirvana: Tips for Successful Module Writing on Nov 12
Submitting Bug Report Tickets That Get Results on Aug 17
Cozi Tricks #1: Syntax Highlighting on Aug 07

THE answer for some .7X problems

Print topic

**unknown user**

Rank: Registered User

Registered: Mar 16, 2002

Last visit: Jun 06, 2004

Posts: 2
Posted: Jun 04, 2004 - 02:25 AM

Ok, I've seen many support questions (on this forum and other german postnuke communities) about member list, sections and other modules that doesn't seem to work correctly.

After studying the code, I've found that these problems especially occur on local installations. The modules seem to ignore some variables passed to them... The source of the problem: variable registrations!

:D Enough talking...

The solution:

PostNuke team - register variables through HTTP_GET_VARS. Make sure it works even on stone-age PHP systems

PostNuke users - make sure register globals is ON :!: in your php.ini file
Code
register_globals = On

Don't underestimate the power of http_get_vars ;)

Best wishes,

~Sparky
markwest

Rank: Team Member

Registered: Mar 18, 2002

Last visit: Oct 21, 2009

Posts: 6606
Posted: Jun 04, 2004 - 02:43 AM

To me that is the exact opposite of what you'd want to do... Register globals is bad and should be avoided... See http://uk2.php.net/m…ecurity.globals.php for why register globals is off by default in latter PHP versions. Register globals being on allows variables into your application that you've not asked for that and could, potentially, have a catastrophic effect on your logic, your application and your data.

All variables coming into the PN framework should be obtained via the approved API call - pnVarCleanFromInput. This is a pre-requisite to creating secure and stable code hence the reason the global extraction code was removed in .750. Too many modules worked based on the assumption (mostly indvertantly) that the variable existed - which it did due to the global extraction code.

While http_get_vars will work on even aincient (relatively) PHP installs what's the gain by doing so? PHP 4.10 was released in December 2001 (see http://uk2.php.net/releases.php), the PostNuke project only begain in July of the same year (see http://news.postnuke…&file=article&sid=2). There is a time on which you have to move on and the use of PHP's superglobals is the obvious way in which to go hence PN .750 drops supprot for PHP 4.06 by using PHP's superglobals.

While you suggestions will make things work they don't necessarily improve stability, reliability, security, coding standards, memory footprint or any of the other facets that PN uses to seperate itself from PHP-nuke and other such CMS's.

-Mark

--
Visit My homepage and Zikula themes .
HalbrookTech

Rank: Developer

Registered: Dec 31, 1969

Last visit: Jun 01, 2010

Posts: 6859
Posted: Jun 04, 2004 - 05:26 AM

I agree, the solution isn't to turn on Register Globals and to use Globals, but rather to code right.

--
Home Page | Find on Facebook | Follow on Twitter
**unknown user**

Rank: Registered User

Registered: Mar 16, 2002

Last visit: Jun 06, 2004

Posts: 2
Posted: Jun 04, 2004 - 06:16 AM

Quote
All variables coming into the PN framework should be obtained via the approved API call - pnVarCleanFromInput.

Ok. I agree that http_get_vars isn't secure and you need to "filter" the variables before importing through the right API call, but you have to import them. That's the point. Let's take the module member_list as an example: the variable "letter" isn't imported at all! Maybe because it wasn't changed when removing the superglobals from .750

Thanks for the tip on the right API call. Will change my code tonight. I'm relatively new to this great system and need time to "explore" the code ;)

~Sparky
markwest

Rank: Team Member

Registered: Mar 18, 2002

Last visit: Oct 21, 2009

Posts: 6606
Posted: Jun 04, 2004 - 10:59 AM

Agreed... You have to get the variable in some way or other.... Better that you have to do it than it be available automagically. This is what pnVarCleanFromInput does.....

We've removed a whole chunk of code from the .7x in .750 that, in effect, allowed security issues to occur and bad code to be written.

-Mark

--
Visit My homepage and Zikula themes .