cornerblog

Off-site status information for cornerhost.com.

3/13/2009

mercury down

Mercury just stopped responding and I'm unable to bring up a remote terminal.

I've opened a ticket for the data center to investigate.

update: it's back online now. Was down for about 8 minutes.

Posted by Michal at 4:38 PM

3/10/2009

what to do if your old PHP script broke

Hi guys,

The number 1 problem cropping up for people whose PHP scripts have stopped working correctly since the upgrade is that they rely on the old, insecure way that PHP handled variables passed in from the query string in the URL.

This old behavior is one of the major causes of security holes in PHP. Basically, if the program is not well, written, it may be possible for an attacker to change variables that were not meant to be passed in through the URL, and possibly take control of your site.

Although this only affects a very small percentage poorly written scripts, the PHP community has come up with a much smarter alternative, which is to move these variables into special associated array variables like $_GET, $_POST, and $_REQUEST.

So, if your script depends on a variable named $foo being passed in through the URL, like so...

http://whatever/script.php?foo=bar

... Then you should put this line at the top of your script:


  $foo = $_GET['foo'];      // read from query string

Similarly, you can read from a form post with:


  $foo = $_POST['foo'];     // read from form post

If you prefer to accept both GET and POST requests, you can use this line, which handles either method:


  $foo = $_REQUEST['foo'];  // read from either

Add one of these lines to the top of the file for each variable in your form. (Make sure you put it INSIDE the <?php ... ?> area!)

Having said that, I realize this is short notice, so as an alternative, you can revert to the old behavior for your entire site by adding this line to your .htaccess file:


   php_flag register_globals on

However, at some point in the future, I will probably disable this option completely... So if you don't feel comfortable editing your php scripts yourself, please get in touch with me and ask for help.

For more information on this PHP issue, see here:

http://us2.php.net/register_globals

Thanks!

Posted by Michal at 12:29 PM
Subscribe to: Posts (Atom)

Blog Archive