  #1 Regular Coder (Join Date: Jun 2002, Location: England =))

    import_request_variables() [function.import-request-variables]: No prefix specified -

    Odd one here for you.

    This is on a working timesheet form. I have been asked to stop it saving a timesheet if one has been created on that date already:

    PHP Code:
    if($_POST) {
        import_request_variables("p", ""); // p = post, g = get, pg does both

        $dupequery = "SELECT id FROM $table_name WHERE uniquecreationid != '$uniquecreationid' AND date_worked = '" . date('Y-m-d',strtotime($date_worked)) . "' AND timesheet_type='$timesheet_type' AND user_worked = '$user_worked'"; //check for another timesheet on that date!
        $duperesult = mysql_query($dupequery) or die('<h3>Error - ' . $dupequery . '</h3>');
        $duperow = mysql_fetch_array($duperesult, MYSQL_ASSOC);

        if(!$duperow) { //no duplicate found so allow to create/save
            $query = "SELECT * FROM $table_name WHERE uniquecreationid = '$uniquecreationid'";
            $result = mysql_query($query) or die('<h3>Error - ' . $query . '</h3>');
            $row = mysql_fetch_array($result, MYSQL_ASSOC);

            if($row) { //updates record
                $datetimer = date("D d\.m\.y \@ H\:i");
                $oldtracking = $tracking;
                $tracking = "&rsaquo; $form_name_friendly edited by " . $_SESSION['authusername'] . " - $datetimer<br />$oldtracking";
                $query = "UPDATE timesheets SET user_worked = '$user_worked', date_worked = '" . date('Y-m-d',strtotime($date_worked)) . "', hours_worked = '$hours_worked', jobnumber = '$jobnumber', tracking = '$tracking', approved_by = '$approved_by', approved_on = '" . date('Y-m-d',strtotime($approved_on)) . "', approvalflag = 0, night_out = '$night_out', timesheet_type='$timesheet_type', sleeper_cab='$sleeper_cab' WHERE uniquecreationid = '$uniquecreationid'";
                mysql_query($query) or die('<h3>Error - ' . $query . '</h3>');
                $id = $row['id'];
            } else { //create new record
                $datetimer = date("D d\.m\.y \@ H\:i");
                $tracking = "&rsaquo; $form_name_friendly created by " . $_SESSION['authusername'] . " - $datetimer";
                $query = "INSERT INTO timesheets (user_worked, date_worked, hours_worked, jobnumber, tracking, uniquecreationid, approved_by, approved_on, approvalflag, night_out, timesheet_type, sleeper_cab) VALUES ('$user_worked', '" . date('Y-m-d',strtotime($date_worked)) . "', '$hours_worked', '$jobnumber', '$tracking', '$uniquecreationid', '$approved_by', '" . date('Y-m-d',strtotime($approved_on)) . "', 0, '$night_out', '$timesheet_type', '$sleeper_cab')";
                mysql_query($query) or die('<h3>Error - ' . $query . '</h3>');
                $holidayid = mysql_insert_id();
                $id = mysql_insert_id();

                //email manager if holiday....
                if($timesheet_type == "Holiday" && $user_worked != "BANK HOLIDAY") {
                    $holidayemail = str_replace(" ", ".", $user_worked) . $companydomain;
                    $to = getInRole('role_MGR','Email');
                    $subject = "Holiday approval required for $user_worked";
                    $message = "<html> " .
                        "<body style='font-family:Verdana, Arial, Helvetica, sans-serif; font-size:11px; color:#4b4f50'>" .
                        "<p>This is a link to the holiday in the $companyname Management System:<br />" .
                        "<a href='http://" . $_SERVER['SERVER_NAME'] . "/$dbname/timesheet.php?id=$holidayid' style='color:#f8971d; text-decoration:none;' target='_blank'>Click here</a></p>";
                    $message .= "</body></html>";
                    $headers  = "From: $holidayemail\r\n";
                    $headers .= "Content-type: text/html; charset=utf-8\r\n";
                    //options to send to cc+bcc
                    $headers .= "Cc: $holidayemail";
                    //$headers .= "Bcc: [email]email@maaking.cXom[/email]";
                    // now lets send the email.
                    mail($to, $subject, $message, $headers);
                }
            }
            mysql_free_result($result);

            //open up the page via get, so stop caching errors!
            header("Location: $page_name.php?id={$id}");
            exit;
        } else {
            $dupetimesheet = true;
        }
        mysql_free_result($duperesult);
    }
    Now, the new section that was added was this bit:

    PHP Code:
        $dupequery = "SELECT id FROM $table_name WHERE uniquecreationid != '$uniquecreationid' AND date_worked = '" . date('Y-m-d',strtotime($date_worked)) . "' AND timesheet_type='$timesheet_type' AND user_worked = '$user_worked'"; //check for another timesheet on that date!
        $duperesult = mysql_query($dupequery) or die('<h3>Error - ' . $dupequery . '</h3>');
        $duperow = mysql_fetch_array($duperesult, MYSQL_ASSOC);

        if(!$duperow) { //no duplicate found so allow to create/save
    (and closes off correctly obviously)

    For some reason, if the search finds $duperow I get an error message about:

    Code:
    Notice: import_request_variables() [function.import-request-variables]: No prefix specified - possible security hazard in C:\Zendserver\Apache2\htdocs
    Which to me doesn't make sense, as that line is before the newer code and will execute OK. Also, it does work and pulls down the POST values into $variables.

    I wonder if it's just a bug?
    "They hired me for my motivational skills. Everyone at work says they have to work much harder when I'm around" Homer J Simpson

  #2 Super Moderator Inigoesdr (Join Date: Mar 2007, Location: Florida, USA)
    You get the error because import_request_variables() is unsafe. It's basically like turning on register_globals. You are supposed to specify a prefix to negate the security risk of overwriting some of your variables. It's not a bug either; if you check the manual page, it mentions this in the description of the prefix argument:
    Note:

    Although the prefix parameter is optional, you will get an E_NOTICE level error if you specify no prefix, or specify an empty string as a prefix. This is a possible security hazard. Notice level errors are not displayed using the default error reporting level.
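    An added example, not code from this thread, showing the duplicate check from post #1 written without import_request_variables(): only the fields the form is expected to send are copied into a prefixed array, so a submitted field named like a script variable (table_name, for instance) cannot overwrite it, and the lookup runs as a mysqli prepared statement. The mysqli connection values are placeholders and the fixed table name `timesheets` is an assumption.

```php
<?php
// Added example (not from the thread). The minimal change the manual asks for is a
// non-empty prefix, e.g. import_request_variables('p', 'p_'); this version drops the
// function entirely, since it was deprecated in PHP 5.3 and removed in PHP 5.4.

// 1. Copy only the expected fields, under our own array, so an unexpected POST key
//    such as "table_name" or "uniquecreationid" can never clobber a script variable.
//    That clobbering is the hazard the "No prefix specified" notice warns about.
$expected = array('uniquecreationid', 'date_worked', 'timesheet_type', 'user_worked');
$p = array();
foreach ($expected as $field) {
    $p[$field] = isset($_POST[$field]) ? trim((string) $_POST[$field]) : '';
}

// 2. Normalise the date server-side and reject anything strtotime() cannot parse,
//    instead of silently storing 1970-01-01 for garbage input.
$ts = strtotime($p['date_worked']);
if ($ts === false) {
    die('<h3>Error - invalid date_worked</h3>');
}
$dateWorked = date('Y-m-d', $ts);

// 3. Run the duplicate check as a prepared statement: the values travel as bound
//    parameters rather than being spliced into the SQL string as in the original.
//    Connection values are placeholders (assumption).
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('<h3>Error - database connection failed</h3>');
}
$stmt = $db->prepare(
    'SELECT id FROM timesheets'
    . ' WHERE uniquecreationid <> ? AND date_worked = ?'
    . ' AND timesheet_type = ? AND user_worked = ? LIMIT 1'
);
if ($stmt === false) {
    die('<h3>Error - could not prepare duplicate check</h3>');
}
$stmt->bind_param('ssss', $p['uniquecreationid'], $dateWorked, $p['timesheet_type'], $p['user_worked']);
$stmt->execute();
$stmt->store_result();
$dupetimesheet = ($stmt->num_rows > 0); // true when another sheet exists for that day
$stmt->close();
```

    One point worth noting about the original script: the notice is raised on every submission, but it is only visible on the duplicate path because that path goes on to render the page, whereas the non-duplicate path ends in header('Location: ...') and exit, so with output buffering on the notice text never reaches the browser as a visible page.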

  #3 Regular Coder (Join Date: Jun 2002, Location: England =))
    I use that code everywhere though, yet for some reason after that little new lookup I now get the message; I don't get it anywhere else!

    OK, so it's doing what it should, but why don't I get that error anywhere else?

    Since I'm using this for an intranet I don't see the need for the same security as I would on the internet.

  #4 Regular Coder (Join Date: Jun 2002, Location: England =))
    Update: if I remove the prefix section I no longer get the message. It's odd, as I use that on every form yet only that form gave the error message.