p2p.wrox.com Forums


beginning_php thread: Help Please!


Message #1 by jeb_braun@i... on Mon, 1 Apr 2002 09:49:03
Hi I just started with PHP4 maybe a week ago. I couldn't set up PHP on my 
computer properly so I downloaded a program to do it for me. Everything 
up until page 83 (Using a Check Box) worked fine. But when I run the Check box 
script and leave the box unchecked it gives me the following "Warning: 
Undefined variable: Choice1 in C:\Inetpub\wwwroot\learning\checkbox.php on 
line 7"
I don't think it's the code because I copied it exactly how the book said. 
Any help would be great. Thanks.
Message #2 by Empier4552@a... on Mon, 1 Apr 2002 07:05:56 EST

In a message dated 4/1/2002 3:42:40 AM Eastern Standard Time, 
jeb_braun@i... writes:


> I don't think it's the code because I copied it exactly how the book said. 
> Any help would be great. Thanks.

Are you positive? Check for a missing ; or perhaps some other little detail. 
People can swear by their code only to discover two hours later some missing 
; or ?> etc. in their mass of code.

Message #3 by "Lawrence" <lkrubner@g...> on Mon, 1 Apr 2002 12:46:21 -0500
From: <jeb_braun@i...>
> Hi I just started with PHP4 maybe a week ago. I couldn't set up PHP on my
> computer properly so I downloaded a program to do it for me. Everything
> up until page 83 (Using a Check Box) worked fine. But when I run the Check box
> script and leave the box unchecked it gives me the following "Warning:
> Undefined variable: Choice1 in C:\Inetpub\wwwroot\learning\checkbox.php on
> line 7"
> I don't think it's the code because I copied it exactly how the book said.
> Any help would be great. Thanks

The first thing that comes to my mind are the recent changes in PHP, done for security reasons. When
the book was written, any form input that was submitted automatically became a global variable.
Since PHP 4.1, the automatic global thing is turned off by default. That is, you need to declare the
variable yourself.

Put up a page that looks like this:

<?php
phpinfo();
?>

Point your browser at this. See what info you get back. Are globals on or off?





Message #4 by "Nikolai Devereaux" <yomama@u...> on Mon, 1 Apr 2002 12:14:30 -0800
This is most likely the problem, but it might help to add this:

Look in your php.ini file for register_globals.

This needs to be "on" for you to use form input as variables in global
scope.

For more information about the "security issues" briefly mentioned, check
out
  http://www.php.net/manual/en/security.registerglobals.php



Take care,

Nik

Message #5 by jeb_braun@i... on Mon, 1 Apr 2002 22:55:55
Globals are and were on. What else could it be? Thanks for the help.

Here is the code

<html>
<head></head>
<body>
<FORM Method=POST ACTION="checkbox.php">
Have you ever eaten haggis before?
<INPUT NAME="Choice1" TYPE="Checkbox" VALUE="haggis">
<br>
Have you ever eaten snails before?
<INPUT NAME="Choice2" TYPE="Checkbox" VALUE="snails">
<br>
Have you ever eaten Locusts Before?
<INPUT NAME="Choice3" TYPE="Checkbox" VALUE="Locusts">
<br>
<br>
<INPUT TYPE=Submit>
</form>
</body>
</html>


<html>
<head>
</head>
<body>
<?php
echo "$Choice1<BR>" ;
echo "$Choice2<BR>" ;
echo "$Choice3<BR>" ;
?>
</body>
</html>
Message #6 by "seanin" <seanin@t...> on Mon, 1 Apr 2002 23:23:42 +0100
Hi this is a reply I got when I had the same problem (answer by Andy
Vaughan)
It solved my problem.......
Sean

*************************
Hi everyone,

I had the same problem.

It wasn't until I got to page 204 (only 110 pages later than the example!)
that I worked out what was going on. Talking about passing parameters, it
mentioned that ... "You may get warnings depending upon which version of
PHP you're using, and PHP's error reporting configuration."

I looked through my php.ini file (I'm running windows, so it was in my
c:\windows folder), looked down until I found a section on "Error handling
and logging" and then looked for anything which may be causing the
warnings. The line was:

error_reporting= E_ALL; display all errors, warnings and notices

Above it are a whole list of settings for the error_reporting item. E_ALL
complains at just about anything, regardless of whether it's a real
problem or not. In this case it flagged up an undefined variable.

I commented the line out and the example worked fine. Obviously, it's best
to experiment with the different values rather than commenting the line
out altogether, but it proved to me that it was the error reporting
settings which were causing the problem.

Hope that helps!

Andy))))))))
*********************

----- Original Message -----
From: <jeb_braun@i...>
To: "beginning php" <beginning_php@p...>
Sent: Monday, April 01, 2002 9:49 AM
Subject: [beginning_php] Help Please!


> Hi I just started with PHP4 maybe a week ago. I couldn't set up PHP on my
> computer properly so I downloaded a program to do it for me. Everything
> up until page 83 (Using a Check Box) worked fine. But when I run the Check box
> script and leave the box unchecked it gives me the following "Warning:
> Undefined variable: Choice1 in C:\Inetpub\wwwroot\learning\checkbox.php on
> line 7"
> I don't think it's the code because I copied it exactly how the book said.
> Any help would be great. Thanks.


Message #7 by "Nikolai Devereaux" <yomama@u...> on Mon, 1 Apr 2002 15:38:54 -0800
This is horrible!

> error_reporting= E_ALL; display all errors, warnings and notices
>
> Above it are a whole list of settings for the error_reporting item. E_ALL
> complains at just about anything, regardless of whether it's a real
> problem or not. In this case it flagged up an undefined variable.
>
> I commented the line out and the example worked fine. Obviously, it's best
> to experiment with the different values rather than commenting the line
> out altogether, but it proved to me that it was the error reporting
> settings which were causing the problem.

"regardless of whether it's a real problem or not."  WTF??  Who is this guy?
Who's paying him to develop THEIR websites?  We could probably exploit them!

Error reporting is used to clue you in on possible problems in your code.
That the default value for error_reporting in php.ini was raised from (E_ALL
& ~E_NOTICE) to just (E_ALL) should not just be discarded as a meaningless
annoyance.

I highly suggest that everyone read through the PHP security section of the
manual to get an idea of the reasons behind the annoying decisions. =)

In particular, these two back-to-back pages are most useful for this thread.
http://www.php.net/manual/en/security.errors.php
http://www.php.net/manual/en/security.registerglobals.php


Take care,

Nik

Message #8 by jeb_braun@i... on Tue, 2 Apr 2002 11:22:51
Still haven't got it to work. Is there a better installer I could use? I 
used the one from php.net. Is there anything anyone can think of? If you 
need any info that might help just ask. PLEASE HELP! Thanks!
Message #9 by "Nikolai Devereaux" <yomama@u...> on Tue, 2 Apr 2002 09:42:03 -0800
Okay, re-reading the posts in the thread, I realize that we started
answering the wrong problem...  Instead of it being a register_globals-based
problem, it was, as Sean posted, an error_reporting-based problem.


Two answers were posted to your problem, if you knew where to look.

The first answer was from Sean, specifically this line:
> error_reporting= E_ALL; display all errors, warnings and notices

The next answer came via two links from me:
> In particular, these two back-to-back pages
> are most useful for this thread.
>    http://www.php.net/manual/en/security.errors.php
>    http://www.php.net/manual/en/security.registerglobals.php



There's been a bunch of posts recently about this "problem".  Most of them
started with the release of PHP 4.1.0 when they made a few changes to the
default values in the configuration file for security purposes.

That's why I sent two relevant links to the php site... so you'd understand
the WHY behind why your script generates warnings, and not just Sean's
suggested fix.


Take care,

Nik

Message #10 by "Dan Ostrowski" <dan@t...> on Wed, 3 Apr 2002 18:29:04
umm...

unless i am totally stupid, which is a possibility, i don't think that 
checkbox variables are sent like textbox ones - i.e. regardless of value. 

If you don't check a checkbox, its variable is not sent.

maybe i am answering the wrong question here...

dan
Message #11 by "Nikolai Devereaux" <yomama@u...> on Wed, 3 Apr 2002 09:55:39 -0800
Nono, that's correct.

(Not that you're stupid; checkbox values are only sent if they're "on")

Man, I suck lately!
Message #12 by jeb_braun@i... on Thu, 4 Apr 2002 07:30:00
So you're saying I'm supposed to edit my php.ini file? Because when I have it 
like seanin said to have it then the errors go away. And if the answers to 
solve my problem were on those pages on php.net then I must have missed 
them when I read them.
Message #13 by "Nikolai Devereaux" <yomama@u...> on Thu, 4 Apr 2002 09:09:03 -0800
> So you're saying I'm supposed to edit my php.ini file? Because when
> I have it like seanin said to have it then the errors go away.

Hmm... okay.  Lemme explain.

The error_reporting level in php.ini does one thing:  It allows you to
specify what kinds of problems it will tell you about in your script, or
tell you where POTENTIAL problems exist (warnings).  This doesn't mean _ALL_
problems, these are just problems that the PHP parser can identify.

You're getting warnings because you're using a variable from a checkbox
field without ever checking to see if it's set yet.  The reason is because a
checkbox will only submit its value if it's checked (the value sent is "on"
I believe).

So if your script has this:

  echo "The value of the checkbox is " . $checkbox;

and your error_reporting = E_ALL, then you'll get the warning that $checkbox
is being used before it's defined.

> And if the answers to solve my problem were on those pages on
> php.net then I must have missed them when I read them.

I've said it before on this list, and I'll say it again.  I think that you
should develop your scripts with error_reporting set to E_ALL, and when
you're sure that your scripts are clean enough and provide decent error
checking, then you should deploy your scripts with error_reporting set to
something much less severe.  This is mentioned here on the php.net site:

< http://www.php.net/manual/en/security.errors.php >
One way of catching this issue ahead of time is to make use of PHP's own
error_reporting(), to help you secure your code and find variable usage that
may be dangerous. By testing your code, prior to deployment, with E_ALL, you
can quickly find areas where your variables may be open to poisoning or
modification in other ways. Once you are ready for deployment, by using
E_NONE, you insulate your code from probing.
</ http://www.php.net/manual/en/security.errors.php >


The reason I posted the security.registerglobals.php link is because with
the release of php 4.1.0, register_globals was by default OFF, whereas
beforehand they were ON.  This kinda sucks, since there is a LOT of printed
material out there which have a bunch of people write scripts assuming that
form data and stuff are all automatically global variables.

It's funny how many "experts" wrote books about PHP, but their code doesn't
work out of the box.  It's not really their fault, of course, but it proves
a point -- most people didn't know how vulnerable their code was to
malicious users until the guys developing PHP figured out how much
vulnerable code was out there, and did something to raise awareness of it.

I'm guilty, too -- please don't assume I'm scoffing at these authors and
saying "I know more than you, why didn't I get the book deal?"  Far from
it -- I'm almost glad I didn't, because then _I'd_ be the one everyone's
pointing fingers at because my code doesn't work anymore.

What sucks about the change is that the PHP guys said that it's bad to
assume that form inputs are global variables, and that you should access
them via their predefined GET, POST, and COOKIE arrays.  But in the same
step, they deprecated the original arrays ($HTTP_xxx_VARS) and introduced
their new "superglobal" counterparts, the $_xxx versions.

So even if you *DID* write a bunch of code the "safe" way, there's no
guarantee that your existing code will work down the line.  You can't just
search n' replace all instances of $HTTP_xxx_VARS with $_xxx, because every
function that uses them has to import them into global scope with the
"global" keyword.  So that's probably going to be a parse error or
something, I dunno.  But that is a LOT easier than trying to make a project
that assumed register_globals was on and then trying to convert it to be
register_globals = off compliant.


The whole point is that if you're writing a new application, write it as
safely and using the strictest of rules, and it'll have the longest shelf
life possible.  If you do what Sean said and simply comment out the
error_reporting line in php.ini, you're simply ignoring the problem.

It's like peeling the label off the whiskey bottle before you drink it and
saying that you're not an alcoholic.



Take care,

Nik
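
Added example, not part of the original thread or any poster's code: a version of the checkbox.php handler from Message #5 written the way Messages #10 and #13 describe, reading the request array and treating an absent key as an unchecked box. It assumes a current PHP version; the names EXPECTED, checked_choices and render are hypothetical, and the sample requests are constructed stand-ins for $_POST.

```php
<?php
declare(strict_types=1);

// Develop with every notice visible, as Message #13 recommends.
error_reporting(E_ALL);

// Field name => the only value the form in Message #5 can legitimately send.
const EXPECTED = [
    'Choice1' => 'haggis',
    'Choice2' => 'snails',
    'Choice3' => 'Locusts',
];

// Return the values of the boxes that were ticked. An unchecked box is
// absent from the request, so absence is a normal case, not an error.
function checked_choices(array $post): array
{
    $checked = [];
    foreach (EXPECTED as $field => $value) {
        if (!isset($post[$field])) {
            continue; // unchecked: the browser sent nothing for this field
        }
        // Choice1[]=x arrives as an array; anything but the expected string is dropped.
        if (is_string($post[$field]) && $post[$field] === $value) {
            $checked[] = $value;
        }
    }
    return $checked;
}

// Build the page body, escaping each value before it reaches the HTML.
function render(array $checked): string
{
    $out = '';
    foreach ($checked as $value) {
        $out .= htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "<BR>\n";
    }
    return $out === '' ? "No boxes were checked<BR>\n" : $out;
}

// Constructed sample requests standing in for $_POST.
$samples = [
    'nothing ticked'  => [],
    'two ticked'      => ['Choice1' => 'haggis', 'Choice3' => 'Locusts'],
    'tampered values' => ['Choice1' => ['x'], 'Choice2' => '<script>'],
];
foreach ($samples as $label => $post) {
    echo "-- $label --\n", render(checked_choices($post));
}
```

In the deployed script the loop over $samples is replaced by a single echo render(checked_choices($_POST)); the code raises no notices under E_ALL whether or not any box is checked.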

