phpsqlphpbb

Illegal use of $_REQUEST. You must use the request class or request_var() to access input data


Bit out of my depth here. I'm integrating the forum provider 'phpBB' with my own site and creating an external direct messaging system to phpBB itself. I'm at the stage where I'm receiving this error:

Warning: Cannot modify header information - headers already sent by (output started at /home/treeves4/public_html/pm/pm/new_pm.php:25) in /home/treeves4/public_html/pm/pm/phpBB/includes/functions.php on line 2474

Illegal use of $_REQUEST. You must use the request class or request_var() to access input data. Found in /home/treeves4/public_html/pm/pm/new_pm.php on line 43. This error message was generated by deactivated_super_global.

I've tried $_POST and that also doesn't work. Using $_REQUEST_VAR doesn't raise any errors, but it breaks the script and nothing happens when information is submitted.

The PHP file:

<?php
include('config.php');

define('IN_PHPBB', true);
$phpbb_root_path = './phpBB/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup('ucp');


$_SESSION['userid'] = $user->data['user_id'];
$_SESSION['username'] = $user->data['username'];
?>
<?php
include('config.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <link href="<?php echo $design; ?>/style.css" rel="stylesheet" title="Style" />
        <title>New PM</title>
    </head>
    <body>
        <div class="header">
                <a href="<?php echo $url_home; ?>"><img src="<?php echo $design; ?>/images/logo.png" alt="Members Area" /></a>
        </div>
<?php
//We check if the user is logged on
if(isset($_SESSION['username']))
{
$form = true;
$otitle = '';
$orecip = '';
$omessage = '';
//We check if the form has been sent
if(isset($_REQUEST['title'], $_REQUEST['recip'], $_REQUEST['message']))
{
        $otitle = $_REQUEST['title'];
        $orecip = $_REQUEST['recip'];
        $omessage = $_REQUEST['message'];
        //We remove slashes depending on the configuration
        if(get_magic_quotes_gpc())
        {
                $otitle = stripslashes($otitle);
                $orecip = stripslashes($orecip);
                $omessage = stripslashes($omessage);
        }
        //We check if all the fields are filled
        if($_REQUEST['title']!='' and $_REQUEST['recip']!='' and $_REQUEST['message']!='')
        {
                //We protect the variables
                $title = mysql_real_escape_string($otitle);
                $recip = mysql_real_escape_string($orecip);
                $message = mysql_real_escape_string(nl2br(htmlentities($omessage, ENT_QUOTES, 'UTF-8')));
                //We check if the recipient exists
                $dn1 = mysql_fetch_array(mysql_query('SELECT count(user_id) as recip, user_id as recipid, (select count(*) from pm) as npm 
                              FROM phpbb_users
                              WHERE username = "'.$recip.'"'));
                if($dn1['recip']==1)
                {
                        //We check if the recipient is not the actual user
                        if($dn1['recipid']!=$_SESSION['userid'])
                        {
                                $id = $dn1['npm']+1;
                                //We send the message
                                if(mysql_query('insert into pm (id, id2, title, user1, user2, message, timestamp, user1read, user2read)values("'.$id.'", "1", "'.$title.'", "'.$_SESSION['userid'].'", "'.$dn1['recipid'].'", "'.$message.'", "'.time().'", "yes", "no")'))
                                {
?>
<div class="message">The message has successfully been sent.<br />
<a href="list_pm.php">List of my Personal messages</a></div>
<?php
                                        $form = false;
                                }
                                else
                                {
                                        //Otherwise, we say that an error occured
                                        $error = 'An error occurred while sending the message';
                                }
                        }
                        else
                        {
                                //Otherwise, we say the user cannot send a message to himself
                                $error = 'You cannot send a message to yourself.';
                        }
                }
                else
                {
                        //Otherwise, we say the recipient does not exists
                        $error = 'The recipient does not exists.';
                }
        }
        else
        {
                //Otherwise, we say a field is empty
                $error = 'A field is empty. Please fill of the fields.';
        }
}
elseif(isset($_GET['recip']))
{
        //We get the username for the recipient if available
        $orecip = $_GET['recip'];
}
if($form)
{
//We display a message if necessary
if(isset($error))
{
        echo '<div class="message">'.$error.'</div>';
}
//We display the form
?>
<div class="content">
        <h1>New Personal Message</h1>
    <form action="new_pm.php" method="post">
                Please fill the following form to send a Personal message.<br />
        <label for="title">Title</label><input type="text" value="<?php echo htmlentities($otitle, ENT_QUOTES, 'UTF-8'); ?>" id="title" name="title" /><br />
        <label for="recip">Recipient<span class="small">(Username)</span></label><input type="text" value="<?php echo htmlentities($orecip, ENT_QUOTES, 'UTF-8'); ?>" id="recip" name="recip" /><br />
        <label for="message">Message</label><textarea cols="40" rows="5" id="message" name="message"><?php echo htmlentities($omessage, ENT_QUOTES, 'UTF-8'); ?></textarea><br />

        <input type="submit" value="Send" />
    </form>
</div>
<?php
}
}
else
{
        echo '<div class="message">You must be logged to access this page.</div>';
}
?>
                <div class="foot"><a href="list_pm.php">Go to my Personal messages</a> - <a href="http://www.webestools.com/">Webestools</a></div>
        </body>
</html>

Solution

  • I believe that 'superglobals' is disabled in the php.ini and $_GET, $_POST and $_REQUEST are not available.

    You might be able to pull them into scope by declaring them using the 'global' keyword, but I'm not sure.

    global $_POST;
    

    Based on the error message you quoted: use request_var().

    https://wiki.phpbb.com/Function.request_var

    http://php.net/manual/en/reserved.variables.request.php

    Docs say: This is a 'superglobal', or automatic global, variable. This simply means that it is available in all scopes throughout a script. There is no need to do global $variable; to access it within functions or methods.

    http://php.net/manual/en/language.variables.superglobals.php