Capturing a URL parameter and using it to generate an include_once

long time web site working for years suddenly stops working

the urls are all like this – http://r937.com/index.php?mid=5

the mid number is supposed to be picked up in the index.php code and used to generate an include_once where the file to include is 0.php, 1.php, 2.php, etc.

recently it stopped working, and all links default to mid=0, the home page

so all the links look like they’re working (they’re in the address bar okay) but it always displays only 0.php

i am ~not~ a php coder so i don’t really know what could be causing this

anyone able to offer suggestions where to look? here’s the relevant code –

<?php

	if(!$mid){
		$mid='0';
	}
	if(!$smid){
		$smid="";
	}

	if($smid != ""){
		$pageNum = $mid."_".$smid;
	}else{
		$pageNum = $mid;
	}

	include_once("html/$pageNum.php");

?>

What changed?

I don’t see where you get $mid.
As in $_GET['mid']

nothing

that particular line was never there, and yet the technique used to work

i did not write the code but it is ~many~ years old… did php behave differently in earlier versions?

i’ll try inserting this GET in a minute… anything else i should look out for?

I would expect to see something like:-

if(isset($_GET['mid'])) { $mid = (int) $_GET['mid']; }
else{ $mid = '0'; }

You would need to ask someone older who has been doing php longer than me.
I thought you need get or request to define the variable in the script, but I may be wrong.

No server upgrades?

this worked! i am so chuffed!!

thanks for your prompt help!!


Because $mid worked before without its being assigned a GET value it is most likely it had global scope. Variables with global scope can cause various problems including potential security vulnerabilities.
I suspect the change was made silently by the host (ini config setting?) for security reasons.

thanks, that makes sense

as i said, i’m not a php guy, my only experience in dynamic coding is coldfusion

So in such a case a variable can be defined from a url string without the programmer explicitly telling that to happen or validating that input? :eek:

I was under the impression that register_globals was a thing of the past, but the described problem sure seems like that is what is involved.
http://php.net/manual/en/security.globals.php

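For readers who find this thread with the same symptom: the following is an added example, not code posted by anyone in the thread. It shows the posted index.php logic reading both `mid` and `smid` explicitly and validating them before they reach `include_once`. The helper name `resolve_page()` and the use of `__DIR__ . '/html'` as the page directory are assumptions, and the arrow function needs PHP 7.4 or later.

```php
<?php
// Added example, not the site's original code. resolve_page() is a hypothetical helper.
// Assumes pages live in html/ next to this script and are named N.php or N_M.php,
// as in the code posted in the question.

function resolve_page(array $query, string $baseDir): string
{
    // Read the parameters explicitly; with register_globals off, PHP no longer
    // creates $mid / $smid from the query string.
    $mid  = $query['mid']  ?? '0';
    $smid = $query['smid'] ?? '';

    // Accept only short runs of digits, so the value can never carry "/", "..",
    // a URL scheme or a null byte into the include path. is_string() also
    // rejects array input such as ?mid[]=1.
    $isId = static fn($v): bool =>
        is_string($v) && preg_match('/\A[0-9]{1,4}\z/', $v) === 1;

    if (!$isId($mid)) {
        $mid = '0';            // fall back to the home page, as the original did
    }
    $pageNum = ($smid !== '' && $isId($smid)) ? $mid . '_' . $smid : $mid;

    $path = $baseDir . '/' . $pageNum . '.php';

    // A well-formed id for a page that does not exist also falls back to home.
    return is_file($path) ? $path : $baseDir . '/0.php';
}

include_once resolve_page($_GET, __DIR__ . '/html');
```

Passing the query array in as an argument keeps the validation separate from the superglobal, so the function can be exercised with constructed arrays such as `['mid' => '5']` or `['mid' => '../x']` without a web request.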