Local machine vs Real Web Server issues

i’m running into a flash and php issue.

in my flash movie i have 3 text fields
source: (type input)
criteria: (type input)
result: (dynamic type)

and a button with the following code:

on (release) {
	result = "Searching...";
	loadVariables ("search.php", this, "POST");
}

this is my search.php

<?
$result = str_replace($criteria, "<b>$criteria</b>", $source);
print "&result=" . urlencode($result);
?>

ok…here is where i’m getting lost.

if i were to load the contents above from a “real” web server it works just fine.
if i were to load the contents above from a “local” server it does not work.

my apache server setup on my local windows machine is as follows:

Apache/1.3.41 (Win32)
PHP Version 5.2.6
MySQL 5.0.51a
phpMyAdmin - 2.11.6

but if i were to modify my search.php file like so:


<?
$source = stripslashes($HTTP_POST_VARS['source']);
$criteria = stripslashes($HTTP_POST_VARS['criteria']);
$result = str_replace($criteria, "<b>$criteria</b>", $source);
echo "result=$result";
?>

…it works on my windows local apache server just fine.
are there any configurations that need to be done in order for my local machine to behave in the same manner as my real web server?

any help on how to achieve this will greatly be appreciated.
thank you in advance.

You must have register_globals set to “on” on the “real” server, which is very insecure. What register_globals does is automatically create a variable using the form field name as the variable name and the value of the form field as the variable value. Where you are using $HTTP_POST_VARS['criteria'], what you are doing is accessing an array that PHP automatically creates to store those values.

The danger from having register_globals set to “on” is that you are allowing the public to set the variables in your scripts. With the server settings like this, POST and GET values cannot be checked and validated before you use them.

The way you rewrote the script to work on your local server should still work on the remote server, but even that $HTTP_POST_VARS is deprecated. You should use $_POST['formFieldName'] to access variables when you use POST as the method and $_GET['formFieldName'] to access variables when you use GET as the method.

What I typically do is use $_POST array to validate anything I need to, and once it passes, I use

extract($_POST);

which splits the $_POST array into individual variables with the same names as the form fields (like having REGISTER_GLOBALS on does automatically).

You can create a phpinfo script very easily.

<?php
phpinfo();
?>

If you save this and pull it up from your server in the browser, it will show you all of your php information such as php version, whether REGISTER_GLOBALS is on or off, magic_quotes setting, and everything else you might need to know about your server as it relates to php.
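
A version of search.php that reads only the two expected fields from $_POST, so it behaves the same with register_globals on or off and needs no extract() (added example, not code from the thread). The helper names and length limits are assumptions, as is the result field rendering HTML, which the <b> tag implies.

```php
<?php
// Added example: search.php that does not depend on register_globals.
// Field names "source" and "criteria" come from the Flash movie above;
// post_field(), build_response() and the length limits are assumptions.

// Return one expected POST field as a bounded string, or null if unusable.
function post_field(array $post, $name, $maxLen)
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;                 // missing, or sent as an array (source[]=x)
    }
    $value = $post[$name];
    // Old PHP 5 installs may have magic_quotes_gpc on; undo it only then.
    // ini_get() returns false on versions where the setting no longer exists.
    if (ini_get('magic_quotes_gpc')) {
        $value = stripslashes($value);
    }
    return strlen($value) <= $maxLen ? $value : null;
}

function build_response(array $post)
{
    $source   = post_field($post, 'source', 10000);
    $criteria = post_field($post, 'criteria', 200);
    if ($source === null || $criteria === null || $criteria === '') {
        return '&result=' . urlencode('Invalid input');
    }
    // Split on the raw criteria first, then escape each piece. Escaping
    // before matching would let a criteria such as "amp" match inside the
    // "&amp;" entity and corrupt the output.
    $parts = explode($criteria, $source);
    foreach ($parts as $i => $part) {
        $parts[$i] = htmlspecialchars($part, ENT_NOQUOTES);
    }
    // <b>...</b> is the only markup this script itself emits.
    $bold = '<b>' . htmlspecialchars($criteria, ENT_NOQUOTES) . '</b>';
    return '&result=' . urlencode(implode($bold, $parts));
}

// Only the two named keys are read, so an extra POST field cannot become a
// script variable, as it would with register_globals on or extract($_POST).
print build_response($_POST);
```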

thank you, you’re truly awesome!!!