can $_FILES superglobal be accessible in class - php

Does anyone have experience with this
I wanted to use $_files in my class
like
$Uploadfile= $_FILES['file'];
but then the script errors
I thought superglobals were acccessible anywhere
thanks, Richard

Yes, $_FILES is a superglobal, which means that it's accessible from every scope. It's only set if the request actually contains a multipart/form-data body.

Related

PHP not reading XML file [duplicate]

Can someone give some examples of what register_globals are?
And is global $user_id; considered a register global?
The register_globals directive:
register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. If you submit a value in a form, via POST or GET, the value of that input will automatically be accessible via variable in the PHP script, named after the name of the input field.
In other words, if you submitted a form containing a username text field, the expression ($username === $_POST['username']) at the very beginning of the script would return true.
Its notoriety is attributed to the fact that it opens lots of security holes, especially for people that follow anything less than a strict coding style from a security perspective.
Classic example:
if(user_is_admin($user))
{
$authorized = true;
}
if($authorized)
{
// let them do anything they want
}
Now, if you visited that script in a web browser and the server had register_globals on, you could simply append ?authorized=1 to the URL and god-mode would be enabled!
The global keyword:
global is a keyword has little to do with register_globals.
Here is an example of its use:
$foo = 'bar';
baz();
function baz()
{
echo $foo; // PHP warns you about trying to use an uninitialized variable
// and nothing is output (because $foo doesn't exist here)
}
buzz();
function buzz()
{
global $foo; // Enables the use of $foo in this scope
echo $foo; // Prints 'bar' to screen
}
Everyone mentioning GET, POST, REQUEST, COOKIE has effect on register_globals=on.
I'm just writing this to let you know that -
$_SESSION will be affected aswell because of register_globals=on.
http://php.net/manual/en/security.globals.php
That means - if you do as following -
$_SESSION[x] = 123;
$x = 'asd';
echo $_SESSION[x];
The output will be asd.
And this will cause serious security issues and bugs. I have experienced such a bad thing recently during using Hostgator shared hosting. By Default they have register_globals=on.
When you have register_globals=on, anything passed via GET or POST or COOKIE automatically appears to be global variable in code, this might have security consequences.
I.e. you click on url test.php?access_level=100 and you'll have $access_level = 100 in PHP.
When you do global $somevar - you are making your own global variable, which usually is not a big issue.
The register_globals setting controls how you access form, server, and environment. variables.
register_globals=On :
You can access form attribute without Global Arrays ( GET[], POST[] & REQUEST[] )
example: http://www.example.com/one.php?myinput=abc
You can access directly in one.php
echo $myinput; // abc
register_globals=Off :
You have to access all attributes only by Global Arrays.
example: http://www.example.com/one.php?myinput=abc
You have to access in one.php
echo $_GET['myinput']; //abc
As I understand it, if you have register globals turned ON, then anything passed in a GET or POST gets automatically translated into a variable in PHP.
for example:
http://www.domain.com/vars.php?myvar=123
without any further coding this would automatically get turned into a variable available to the rest of your php code
$myvar //with a value of 123
With registered globals OFF, data passed in via GET or POST is NOT automatically translated into a variable, rather, you need to request it using the Superglobals $_GET, $_POST, and $_REQUEST, etc.
http://php.net/manual/en/security.globals.php provides some further information as to the security implications of this.
Others can feel free to correct me if I'm wrong.
edit:
in relation to your question re global $user_id;, this does not create a 'global' in the sense of 'register_globals'. It simply alters the scope of a variable within the PHP code.
For information re scope, see: http://php.net/manual/en/language.variables.scope.php
Global variables in php are variables that are always accessible. They are also known as superglobals. They are built in variables that are always available regardless of the scope.
There are nine superglobal variables in PHP. Some of these are relevant to this discussion.
$_REQUEST
$_POST
$_GET
$_COOKIE
Now, let's focus on the $_REQUEST superglobal. It is used to collect data after submitting an HTML form by user using the POST method.
$_POST and $_REQUEST could be used loosely interchangeably. But $_REQUEST also contains $_GET and $_COOKIE along with $_POST so you are never sure if your data came from a web form.
Now, as pointed out by #Tim register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. It is also known as a flag in your php setting. It is typically set in the PHP configuration file known as php.ini file. This setting can have two values.
“on”
“off”.
An “on” value means that PHP will automatically create global variables for many server variables as well as query string parameters. This is not good and is a security risk.
Register Globals :
register_globals
The feature causes data passed to a PHP script via cookies or GET and POST requests to be made available as global variables in the script.
Default Value : "0"
Changeable : PHP_INI_PERDIR
register_globals is affected by the variables_order directive.
NOTE:
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
register_globals is one of the parameters of php.ini file.The file was coming from "On" mode before PHP 5.3.8 version.If you change register_globals from Off to On, there would be some criticals about vulnerability of website.Register_globals's feature is that you can use variables without $_GET and $_POST variables.So, Any data which comes from form or URL line you can use the variable not need like $_GET or $_POST variables.Example we have this form :
<?php
if(isset($_POST["myinput"])){
echo $_POST["username"];
}?>
<form action="" method="post">
<input type="text" name="username">
<input type="hidden" name="myinput">
<input type="submit" value="Submit">
</form>
When you submitted the form you can see your username but when you change the situation of register_globals to "On" you have not written $_POST["username"]; you can access directly to the username variable by writing this code echo $username

Uploading file with PUT method in PHP

For my RESTFUL API server I'm trying to use the "PUT" method for uploading a file.
Actions started as reading php://input.
So, how can pass file name or some other parameters to action and display them?
You can use post method therefore, you can collect data from form-data using $_POST the super global variable because, there is no super global like $_PUT for put method.

$_POST empty in PHP file but call it with POST variables in the URL

I call my php file in the browser with "...test.php?text=Hello" but the $_POST variable stays empty (also print_r($_POST) returns array() ).
Why? Do I need to activate the post variable or something?
Thanks.
Variables passed in through the URL end up inside $_GET, not $_POST.
$_POST contains variables parsed by reading the HTTP request body when the method is POST. In this case the method is not POST and there is also no request body.
If you pass the variable through the URL you use $_GET.
Also, you will access the variable with:
$_GET['text']
This is a array that is sent through and you need to specify what item in the array you want to use.
...test.php?text=hello passes data via the GET method (accessible via $_GET in the processing script).
$_POST gets populated by forms or cURL access (when the transfer method is defined as "post")

Beginners PHP Question: What the difference between $_POST and $_FILES?

Beginners PHP Question: What the difference between $_POST and $_FILES?
PHP.net says:
$_POST is an associative array of variables passed to the current script via the HTTP POST method
$_FILES is an associative array of items uploaded to the current script via the HTTP POST method
Could anyone explain what this means in practical terms?
Both $_POST and $_FILES are so called in php "superglobals". They are predefined variables(arrays), which means they are available in all scopes throughout a script. There is no need to declare them to access them within functions or methods.
$_POST contains all the data from forms (except files)
$_FILES contains all files sent to server via forms (only from <input type="file" />)
$_POST and $_FILES are called 'superglobals'.
$_POST contains the data from the form without displaying it in the url address. So it's safe in posting data.
But for files you have to use $_FILES, because files can not be posted using $_POST.
Hope it will work for you.
Both $_POST and $_FILES are so called in php "superglobals".
They are predefined variables(arrays), which means they are available in all scopes throughout a script.
There is no need to declare them to access them within functions or methods.
$_POST contains all the data from forms (except files)
$_FILES contains all files sent to server via forms
(only from )

What are register_globals in PHP?

Can someone give some examples of what register_globals are?
And is global $user_id; considered a register global?
The register_globals directive:
register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. If you submit a value in a form, via POST or GET, the value of that input will automatically be accessible via variable in the PHP script, named after the name of the input field.
In other words, if you submitted a form containing a username text field, the expression ($username === $_POST['username']) at the very beginning of the script would return true.
Its notoriety is attributed to the fact that it opens lots of security holes, especially for people that follow anything less than a strict coding style from a security perspective.
Classic example:
if(user_is_admin($user))
{
$authorized = true;
}
if($authorized)
{
// let them do anything they want
}
Now, if you visited that script in a web browser and the server had register_globals on, you could simply append ?authorized=1 to the URL and god-mode would be enabled!
The global keyword:
global is a keyword has little to do with register_globals.
Here is an example of its use:
$foo = 'bar';
baz();
function baz()
{
echo $foo; // PHP warns you about trying to use an uninitialized variable
// and nothing is output (because $foo doesn't exist here)
}
buzz();
function buzz()
{
global $foo; // Enables the use of $foo in this scope
echo $foo; // Prints 'bar' to screen
}
Everyone mentioning GET, POST, REQUEST, COOKIE has effect on register_globals=on.
I'm just writing this to let you know that -
$_SESSION will be affected aswell because of register_globals=on.
http://php.net/manual/en/security.globals.php
That means - if you do as following -
$_SESSION[x] = 123;
$x = 'asd';
echo $_SESSION[x];
The output will be asd.
And this will cause serious security issues and bugs. I have experienced such a bad thing recently during using Hostgator shared hosting. By Default they have register_globals=on.
When you have register_globals=on, anything passed via GET or POST or COOKIE automatically appears to be global variable in code, this might have security consequences.
I.e. you click on url test.php?access_level=100 and you'll have $access_level = 100 in PHP.
When you do global $somevar - you are making your own global variable, which usually is not a big issue.
The register_globals setting controls how you access form, server, and environment. variables.
register_globals=On :
You can access form attribute without Global Arrays ( GET[], POST[] & REQUEST[] )
example: http://www.example.com/one.php?myinput=abc
You can access directly in one.php
echo $myinput; // abc
register_globals=Off :
You have to access all attributes only by Global Arrays.
example: http://www.example.com/one.php?myinput=abc
You have to access in one.php
echo $_GET['myinput']; //abc
As I understand it, if you have register globals turned ON, then anything passed in a GET or POST gets automatically translated into a variable in PHP.
for example:
http://www.domain.com/vars.php?myvar=123
without any further coding this would automatically get turned into a variable available to the rest of your php code
$myvar //with a value of 123
With registered globals OFF, data passed in via GET or POST is NOT automatically translated into a variable, rather, you need to request it using the Superglobals $_GET, $_POST, and $_REQUEST, etc.
http://php.net/manual/en/security.globals.php provides some further information as to the security implications of this.
Others can feel free to correct me if I'm wrong.
edit:
in relation to your question re global $user_id;, this does not create a 'global' in the sense of 'register_globals'. It simply alters the scope of a variable within the PHP code.
For information re scope, see: http://php.net/manual/en/language.variables.scope.php
Global variables in php are variables that are always accessible. They are also known as superglobals. They are built in variables that are always available regardless of the scope.
There are nine superglobal variables in PHP. Some of these are relevant to this discussion.
$_REQUEST
$_POST
$_GET
$_COOKIE
Now, let's focus on the $_REQUEST superglobal. It is used to collect data after submitting an HTML form by user using the POST method.
$_POST and $_REQUEST could be used loosely interchangeably. But $_REQUEST also contains $_GET and $_COOKIE along with $_POST so you are never sure if your data came from a web form.
Now, as pointed out by #Tim register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. It is also known as a flag in your php setting. It is typically set in the PHP configuration file known as php.ini file. This setting can have two values.
“on”
“off”.
An “on” value means that PHP will automatically create global variables for many server variables as well as query string parameters. This is not good and is a security risk.
Register Globals :
register_globals
The feature causes data passed to a PHP script via cookies or GET and POST requests to be made available as global variables in the script.
Default Value : "0"
Changeable : PHP_INI_PERDIR
register_globals is affected by the variables_order directive.
NOTE:
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
register_globals is one of the parameters of php.ini file.The file was coming from "On" mode before PHP 5.3.8 version.If you change register_globals from Off to On, there would be some criticals about vulnerability of website.Register_globals's feature is that you can use variables without $_GET and $_POST variables.So, Any data which comes from form or URL line you can use the variable not need like $_GET or $_POST variables.Example we have this form :
<?php
if(isset($_POST["myinput"])){
echo $_POST["username"];
}?>
<form action="" method="post">
<input type="text" name="username">
<input type="hidden" name="myinput">
<input type="submit" value="Submit">
</form>
When you submitted the form you can see your username but when you change the situation of register_globals to "On" you have not written $_POST["username"]; you can access directly to the username variable by writing this code echo $username

Categories