Seems my SQL is out of date?

I found backups of websites I did around 3-4 years ago. I'm only just getting back into coding etc. and wondered if someone could help me.

I noticed that I now need to use ` instead of nothing or a ', for example creating a database from an old SQL dump just didn't work. I had to go through and add a ` around the table name and row names like below:

From:
Code:
CREATE TABLE leagues (
  l_id int(11)  DEFAULT '0' NOT NULL auto_increment,
  l_name varchar(15)  DEFAULT '0' NOT NULL ,
  l_url varchar(100)  DEFAULT '0' NOT NULL ,
  PRIMARY KEY (l_id)
);

To:
Code:
CREATE TABLE `leagues` (
`l_id` INT( 11 ) NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`l_name` VARCHAR( 15 ) NOT NULL ,
`l_url` VARCHAR( 100 ) NOT NULL 
) TYPE = MYISAM ;

After some editing I finally got the site up but I'm receiving the following error:

Error(news_sql) : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Relating to the following:

Code:
$news_sql = mysql_query( "SELECT * FROM news WHERE n_id = $p_id" )
	or die( "Error(news_sql) : " . mysql_error() );

While I understand I could re-write everything I'm sure I could install an older version of MySQL or something to get this working? Anyone?
 
Never mind, seems it's down to register_globals. Would have to go through it all and change it to $_GET[]
 
Nonononono use htaccess :)

.htaccess files are nifty files which Apache checks for setting overrides on a per-directory basis.

In 99% of cases you can create a .htaccess file with the following:

Code:
php_flag register_globals On

And put it in the necessary directory :)
 
You are a star BeanSprout, that has fixed everything :).

Now to just code a new site workable with register_globals on :).
 
Turning register_globals on for anything which doesn't expect it can be a huge security risk. Example:

Code:
<?php

$allowed = array("index","about","contact");

if(in_array($_GET['foo'],$allowed)) {

    $page = $_GET['foo'].'.php';

}

include $page;

?>

What this is doing is showing a different page based on a GET parameter called foo. Handy and commonly used if you want to have one file, but work with multiple pages. So /page.php?foo=index would show the index page, /page.php?foo=about would show the about page, and so on.

The in_array() part checks that the value of foo is in the array of allowed page names, $allowed, so that people can't view any page they like - if it's not in the array it doesn't pass the if, so $page doesn't get set so long as register_globals is off.

But if register_globals is on then all GET/POST variables are automatically registered. Which in English means that someone could request /page.php?page=config.inc and, because $page isn't checked anywhere, the file would be included and visible. Which means naughty people can see lots of stuff they shouldn't.

So what you should do is something like this - explicitly set $page to an empty string:

Code:
<?php

$page = "";
//Set $page to an empty string

$allowed = array("index","about","contact");

if(in_array($_GET['foo'],$allowed)) {

    $page = $_GET['foo'].'.php';

}

include $page;

?>

Or, of course, something like this would be even neater - only include $page right after it's been definitely defined. If $_GET['foo'] doesn't match then nothing will happen as there's nothing outside the if statement:

Code:
<?php

$allowed = array("index","about","contact");

if(in_array($_GET['foo'],$allowed)) {

    $page = $_GET['foo'].'.php';
    include $page;

}

?>

Hope that's useful and correct :)
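
Added example, not part of any post in this thread: the news query from the first post reading p_id from the request explicitly, so it works with register_globals off (where an unset $p_id leaves the SQL ending at "n_id = ", which is the syntax error quoted above). It assumes PHP 7.1+ with the PDO SQLite driver; the in-memory database, the n_title column and the sample requests are constructed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with the PDO SQLite
// driver; the in-memory database and its rows are constructed stand-ins for
// the poster's MySQL "news" table (n_title is a hypothetical column).

/**
 * Read p_id from the request array explicitly instead of relying on
 * register_globals to create $p_id. Returns an int, or null when the
 * parameter is missing or is not a positive integer.
 */
function read_news_id(array $get): ?int
{
    if (!isset($get['p_id']) || !is_string($get['p_id'])) {
        return null;               // missing, or an array such as ?p_id[]=1
    }
    $id = filter_var($get['p_id'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Fetch one news row with a bound parameter; null when there is no match. */
function fetch_news(PDO $db, ?int $id): ?array
{
    if ($id === null) {
        return null;               // never send "WHERE n_id = " with nothing after it
    }
    $stmt = $db->prepare('SELECT n_id, n_title FROM news WHERE n_id = :id');
    $stmt->execute([':id' => $id]); // request data is bound, not pasted into the SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (n_id INTEGER PRIMARY KEY, n_title TEXT NOT NULL)');
$db->exec("INSERT INTO news (n_id, n_title) VALUES (1, 'Season opens'), (2, 'Fixtures posted')");

// Constructed request arrays standing in for $_GET.
$requests = [
    ['p_id' => '2'],      // normal request
    [],                   // p_id absent: the case that produced the syntax error
    ['p_id' => 'two'],    // not an integer, rejected before it reaches the query
];
foreach ($requests as $get) {
    $row = fetch_news($db, read_news_id($get));
    echo json_encode($get), ' => ', $row ? $row['n_title'] : 'no article', PHP_EOL;
}
```

In the real page, `$_GET` would be passed in place of the constructed arrays and the PDO connection would point at the MySQL database.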
 
That's a great help. My current site uses page= and action= type scripting, along with some other huge security risks which I just wasn't aware of back when I started years ago.
I'm just thinking of a new project to work on to bring my PHP/SQL skills up to line from what things were like 3-5 years ago.

These forums and Rob's Security page have been a great help though :).
 