POST variables not coming through

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

For some reason, at random posts, the post variables don't get thru to
the server. For example, if there is are two text fields: name and
email... (I have register_globals on)... When I try to update the
database with a query and use $name, $email, the $name is missing or
the $email is missing. I am building an intranet application and all
the 20 or so clients run IE. This happens very rarely. Something like
once in 100 updates.

But I can see this in the log files as update contact set name="",
email="" where contact_id=918. Notice the name field is
blank. I have JS checks in the client side which does not allow blank
name field..

Is this an IE random error? How do I get over this?

Weird Stuff

Re: POST variables not coming through

Maybe your user has just turned off javascript?

WhatsPHP schrieb:
Quoted text here. Click to load it

Re: POST variables not coming through

WhatsPHP wrote:
Quoted text here. Click to load it

Firstly, turn register_globals off, because it's horrid. Read the PHP
manual's security entry on register_globals if you want to know why :)
This is also probably where your problems are coming from, as variables
are really easily over-written when register_globals is on.

Secondly, don't just validate in JS - validate in PHP too, as the JS
might not run as expected or may be ignored completely if a (malicious)
user decides to create their own POST to the form handler.

Re: POST variables not coming through

Quoted text here. Click to load it

You will never get better advice than this.  You *must* get a handle on
security whenever you are using PHP and submitted forms.  

*NEVER* trust user input.  You must *ALWAYS* validate your info on the
PHP side - make sure that you are actually getting the information you
are expecting.   As noted above, if a user has disabled javascript, then
they can submit an empty form.  Heck, I don't even need to VISIT a
website to submit information to the form on it - I can post to a FORM
via command-line, or any other number of ways, without hitting the
original form.  

So how would you guard against people submitting a 'fake' form from
their own computer, or just turning off javascript?  By checking *ALL
USER INPUT*.  It is the FIRST RULE involving ANY server-side scripting

As you can see, this point simply CANNOT be stressed enough.  It is the
first hole (and biggest) that must be plugged in everything you write
from this day forth.  


Re: POST variables not coming through

Thanks for all your input on security guys i will certainly keep it in
mind, but this is an inhouse intranet application and the users who use
the system barely know how to use it, let alone hack it.. That is the
reason we had register_globals on. This system maybe internal and on
the intranet but it has around 20 people using it full time (so it is
not small)..

We have register_globals on.. What is still bugging me is the totally
random occurence of this error.. has anyone experienced IE behaving
weird by not posting all the form variables, both hidden and non-hidden
as it should?

Re: POST variables not coming through

On 29 Aug 2006 10:30:47 -0700, WhatsPHP wrote...
Quoted text here. Click to load it

The "register_globals" setting can be easy adjusted in the php.ini config file
and would probably be a good place to start.

If you're only validating your information with Javascript, that's not very
reliable since it can be turned on and off on the client PC and you can't
control what the user is going to send back. At least a couple other people
suggested using PHP to validate the information. That way you can process the
information at the server consistently and can control how the information is
formatted and what you do with it. Javascript is not very reliable in hat regard
and shouldn't be used exclusively.

Newsguy's Help-A-Community Program

Re: POST variables not coming through

WhatsPHP wrote:
Quoted text here. Click to load it

If the JavaScript fails at any time and you're relying on using an
"onSubmit" check to validate the data, the data won't be validated at
all! Validation is not just a question of security - it's good practice
to stop your scripts from failing, esp. when working with databases.

Again, the inherant problems with having register_globals on aren't all
security related, either. When it's turned on, $_POST['name'] would be
the same as $_GET['name'], which is the same as $name - all sorts of

Another problem with having register_globals on is session
over-writing. Say you authenticate a user and store the user's id in
the session variable $_SESSION['id']. If you then assign the variable
$id with a value anywhere else on a page which the user visits,
$_SESSION['id'] will be over-written with $id!

I know it's a pain to alter your scripts and change over to a system
which doesn't rely on register_globals being on, but in the long run
it's much better if you learn to use the super-globals.

Site Timeline