import_request_variables() [function.import-request-variables]: No prefix specified -



babelfish
11-22-2010, 11:40 AM
odd one here for you.

This is on a working timesheet form. I have been asked to stop it saving a timesheet if one has been created on that date already:



if($_POST) {
    import_request_variables("p", ""); // p = post, g = get, pg does both. Empty prefix: every POST field lands in the global scope as $fieldname

    // check for another timesheet on that date! (values are interpolated straight from POST, not escaped)
    $dupequery = "SELECT id FROM $table_name WHERE uniquecreationid != '$uniquecreationid' AND date_worked = '" . date('Y-m-d',strtotime($date_worked)) . "' AND timesheet_type='$timesheet_type' AND user_worked = '$user_worked'";
    $duperesult = mysql_query($dupequery) or die('<h3>Error - ' . $dupequery . '</h3>');
    $duperow = mysql_fetch_array($duperesult, MYSQL_ASSOC);

    if(!$duperow) { //no duplicate found so allow to create/save

        $query = "SELECT * FROM $table_name WHERE uniquecreationid = '$uniquecreationid'";
        $result = mysql_query($query) or die('<h3>Error - ' . $query . '</h3>');
        $row = mysql_fetch_array($result, MYSQL_ASSOC);

        if($row) { //updates record
            $datetimer = date("D d\.m\.y \@ H\:i");
            $oldtracking = $tracking;
            $tracking = "&rsaquo; $form_name_friendly edited by " . $_SESSION['authusername'] . " - $datetimer<br />$oldtracking";
            $query = "UPDATE timesheets SET user_worked = '$user_worked', date_worked = '" . date('Y-m-d',strtotime($date_worked)) . "', hours_worked = '$hours_worked', jobnumber = '$jobnumber', tracking = '$tracking', approved_by = '$approved_by', approved_on = '" . date('Y-m-d',strtotime($approved_on)) . "', approvalflag = 0, night_out = '$night_out', timesheet_type='$timesheet_type', sleeper_cab='$sleeper_cab' WHERE uniquecreationid = '$uniquecreationid'";
            mysql_query($query) or die('<h3>Error - ' . $query . '</h3>');
            $id = $row['id'];

        } else { //create new record
            $datetimer = date("D d\.m\.y \@ H\:i");
            $tracking = "&rsaquo; $form_name_friendly created by " . $_SESSION['authusername'] . " - $datetimer";
            $query = "INSERT INTO timesheets (user_worked, date_worked, hours_worked, jobnumber, tracking, uniquecreationid, approved_by, approved_on, approvalflag, night_out, timesheet_type, sleeper_cab) VALUES ('$user_worked', '" . date('Y-m-d',strtotime($date_worked)) . "', '$hours_worked', '$jobnumber', '$tracking', '$uniquecreationid', '$approved_by' , '" . date('Y-m-d',strtotime($approved_on)) . "', 0, '$night_out', '$timesheet_type', '$sleeper_cab')";
            mysql_query($query) or die('<h3>Error - ' . $query . '</h3>');
            $holidayid = mysql_insert_id();
            $id = $holidayid;

            //email manager if holiday....
            if($timesheet_type == "Holiday" && $user_worked != "BANK HOLIDAY") {
                $holidayemail = str_replace(" ", ".", $user_worked) . $companydomain; // built from a POST value, so it ends up in the mail headers below
                $to = getInRole('role_MGR','Email');
                $subject = "Holiday approval required for $user_worked";
                $message = "<html> " .
                    "<body style='font-family:Verdana, Arial, Helvetica, sans-serif; font-size:11px; color:#4b4f50'>" .
                    "<p>This is a link to the holiday in the $companyname Management System:<br />" .
                    "<a href='http://" . $_SERVER['SERVER_NAME']. "/$dbname/timesheet.php?id=$holidayid' style='color:#f8971d; text-decoration:none;' target='_blank'>Click here</a></p>";
                $message .= "</body></html>";
                $headers = "From: $holidayemail\r\n";
                $headers .= "Content-type: text/html; charset=utf-8\r\n";
                //options to send to cc+bcc
                $headers .= "Cc: $holidayemail";
                //$headers .= "Bcc: email@maaking.cXom";
                // now lets send the email.
                mail($to, $subject, $message, $headers);
            }
        }
        mysql_free_result($result);

        //open up the page via get, so stop caching errors!
        header("Location: $page_name.php?id={$id}");
        exit;

    } else {
        $dupetimesheet = true; // fall through and render the page again with a warning
    }
    mysql_free_result($duperesult);
}


Now, the new section that was added was this bit:



    $dupequery = "SELECT id FROM $table_name WHERE uniquecreationid != '$uniquecreationid' AND date_worked = '" . date('Y-m-d',strtotime($date_worked)) . "' AND timesheet_type='$timesheet_type' AND user_worked = '$user_worked'"; //check for another timesheet on that date!
    $duperesult = mysql_query($dupequery) or die('<h3>Error - ' . $dupequery . '</h3>');
    $duperow = mysql_fetch_array($duperesult, MYSQL_ASSOC);

    if(!$duperow) { //no duplicate found so allow to create/save



(and closes off correctly obviously)

For some reason, if the search finds $duperow I get an error message about:



Notice: import_request_variables() [function.import-request-variables]: No prefix specified - possible security hazard in C:\Zendserver\Apache2\htdocs


which to me doesn't make sense, as that line is before the newer code and will execute OK. Also, it does work and pulls down the POST values into $variables.

I wonder if it's just a bug??

Inigoesdr
11-22-2010, 03:14 PM
You get the error because import_request_variables() (http://php.net/import_request_variables) is unsafe. It's basically like turning on register_globals. You are supposed to specify a prefix to negate the security risk of overwriting some of your variables. It's not a bug either, if you check the manual page (http://php.net/import_request_variables) it mentions in the description of the prefix argument:

Note:

Although the prefix parameter is optional, you will get an E_NOTICE level error if you specify no prefix, or specify an empty string as a prefix. This is a possible security hazard. Notice level errors are not displayed using the default error reporting level.

babelfish
11-22-2010, 03:24 PM
I use that code everywhere though, yet for some reason after that little new lookup I now get the message. I don't get it anywhere else!

OK, so it's doing what it should, but why don't I get that error anywhere else?

Since I'm using this for an intranet I don't see the need for the same security as I would on the internet.

babelfish
11-22-2010, 03:40 PM
Update - if I remove the prefix section I no longer get the message. It's odd, as I use that on every form yet only that form gave the error message.
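The likely reason the notice only shows up on this one form is not that the notice is new: every other form, and the non-duplicate branch of this one, ends in header("Location: ...") followed by exit, so the browser follows the redirect and never displays the page body the notice was printed into. The new duplicate branch sets $dupetimesheet and falls through to render the form, so the notice that was always being emitted becomes visible. The intranet argument does not help much either: with an empty prefix, any field a user adds to the POST (say table_name, tracking or approved_by) lands in the matching global, and every value is then interpolated unescaped into SQL and, for holidays, into the mail() headers, where a CRLF in the name adds extra headers. The following is an added example, not code from the thread, showing the replacement a practitioner would make: an explicit whitelist of the form's fields read from $_POST, and mysqli prepared statements for the duplicate check and the insert. It assumes an open mysqli connection in $db and a "timesheets" table with the column names used in the thread's INSERT; $page_name and $dupetimesheet are the thread's own variables.

```php
<?php
// Added example, not the original poster's code. Assumes $db is an open mysqli
// connection and the table/columns match the INSERT in the thread.

/** Fields the timesheet form may supply. Anything else in $_POST is ignored, so
 *  a posted "table_name" or "tracking" can no longer clobber a server-side variable. */
const TIMESHEET_FIELDS = [
    'uniquecreationid', 'user_worked', 'date_worked', 'hours_worked', 'jobnumber',
    'approved_by', 'approved_on', 'night_out', 'timesheet_type', 'sleeper_cab',
];

/** Pull only the whitelisted fields out of a POST array and normalise the dates. */
function timesheet_input(array $post): array
{
    $in = [];
    foreach (TIMESHEET_FIELDS as $f) {
        $in[$f] = isset($post[$f]) ? trim((string) $post[$f]) : '';
    }
    foreach (['date_worked', 'approved_on'] as $dateField) {
        // strtotime() returns false on junk; the thread's code would silently
        // store 1970-01-01 instead of refusing the request.
        $ts = strtotime($in[$dateField]);
        if ($ts === false) {
            throw new InvalidArgumentException("$dateField is not a parseable date");
        }
        $in[$dateField] = date('Y-m-d', $ts);
    }
    return $in;
}

/** True if another timesheet (different uniquecreationid) already exists for this
 *  user, date and type. Every value is bound, never interpolated into the SQL. */
function has_duplicate_timesheet(mysqli $db, array $in): bool
{
    $stmt = $db->prepare(
        'SELECT id FROM timesheets
          WHERE uniquecreationid <> ? AND date_worked = ?
            AND timesheet_type = ? AND user_worked = ?
          LIMIT 1'
    );
    $stmt->bind_param('ssss', $in['uniquecreationid'], $in['date_worked'],
                      $in['timesheet_type'], $in['user_worked']);
    $stmt->execute();
    $stmt->store_result();
    $dup = $stmt->num_rows > 0;
    $stmt->close();
    return $dup;
}

/** Insert a new timesheet row and return its id. $tracking is built server-side
 *  from the session user, so it is a parameter here rather than a POST field. */
function insert_timesheet(mysqli $db, array $in, string $tracking): int
{
    $stmt = $db->prepare(
        'INSERT INTO timesheets (user_worked, date_worked, hours_worked, jobnumber,
                 tracking, uniquecreationid, approved_by, approved_on, approvalflag,
                 night_out, timesheet_type, sleeper_cab)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, 0, ?, ?, ?)'
    );
    $stmt->bind_param('sssssssssss',
        $in['user_worked'], $in['date_worked'], $in['hours_worked'], $in['jobnumber'],
        $tracking, $in['uniquecreationid'], $in['approved_by'], $in['approved_on'],
        $in['night_out'], $in['timesheet_type'], $in['sleeper_cab']);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $in = timesheet_input($_POST);      // no import_request_variables(), no globals from the form
    if (has_duplicate_timesheet($db, $in)) {
        $dupetimesheet = true;          // fall through and render the form with a warning
    } else {
        $tracking = '&rsaquo; created by ' . htmlspecialchars($_SESSION['authusername'] ?? '')
                  . ' - ' . date('D d.m.y @ H:i');
        $id = insert_timesheet($db, $in, $tracking);
        header('Location: ' . $page_name . '.php?id=' . $id);   // $id is an int, safe to splice
        exit;
    }
}
```

The same discipline applies to the holiday e-mail: $holidayemail is derived from $user_worked and placed in the From: and Cc: headers, so it should be validated with filter_var($holidayemail, FILTER_VALIDATE_EMAIL) before it is passed to mail(), which rejects anything carrying a line break. Keeping import_request_variables() with a prefix such as "p_" removes the notice and the variable-clobbering risk, but not the SQL interpolation, which is why the example drops the function altogether.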
