1

Bit out of my depth here. I'm integrating the forum provider 'phpBB' with my own site and creating an external direct messaging system to phpBB itself. I'm at the stage where I'm receiving this error:

Warning: Cannot modify header information - headers already sent by (output started at /home/treeves4/public_html/pm/pm/new_pm.php:25) in /home/treeves4/public_html/pm/pm/phpBB/includes/functions.php on line 2474

Illegal use of $_REQUEST. You must use the request class or request_var() to access input data. Found in /home/treeves4/public_html/pm/pm/new_pm.php on line 43. This error message was generated by deactivated_super_global.

I've tried $_POST and that also doesn't work. Using $_REQUEST_VAR doesn't raise any errors, but it breaks the script and nothing happens when information is submitted.

The PHP file:

<?php
include('config.php');

define('IN_PHPBB', true);
$phpbb_root_path = './phpBB/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup('ucp');


$_SESSION['userid'] = $user->data['user_id'];
$_SESSION['username'] = $user->data['username'];
?>
<?php
include('config.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <link href="<?php echo $design; ?>/style.css" rel="stylesheet" title="Style" />
        <title>New PM</title>
    </head>
    <body>
        <div class="header">
                <a href="<?php echo $url_home; ?>"><img src="<?php echo $design; ?>/images/logo.png" alt="Members Area" /></a>
        </div>
<?php
//We check if the user is logged on
if(isset($_SESSION['username']))
{
$form = true;
$otitle = '';
$orecip = '';
$omessage = '';
//We check if the form has been sent
if(isset($_REQUEST['title'], $_REQUEST['recip'], $_REQUEST['message']))
{
        $otitle = $_REQUEST['title'];
        $orecip = $_REQUEST['recip'];
        $omessage = $_REQUEST['message'];
        //We remove slashes depending on the configuration
        if(get_magic_quotes_gpc())
        {
                $otitle = stripslashes($otitle);
                $orecip = stripslashes($orecip);
                $omessage = stripslashes($omessage);
        }
        //We check if all the fields are filled
        if($_REQUEST['title']!='' and $_REQUEST['recip']!='' and $_REQUEST['message']!='')
        {
                //We protect the variables
                $title = mysql_real_escape_string($otitle);
                $recip = mysql_real_escape_string($orecip);
                $message = mysql_real_escape_string(nl2br(htmlentities($omessage, ENT_QUOTES, 'UTF-8')));
                //We check if the recipient exists
                $dn1 = mysql_fetch_array(mysql_query('SELECT count(user_id) as recip, user_id as recipid, (select count(*) from pm) as npm 
                              FROM phpbb_users
                              WHERE username = "'.$recip.'"'));
                if($dn1['recip']==1)
                {
                        //We check if the recipient is not the actual user
                        if($dn1['recipid']!=$_SESSION['userid'])
                        {
                                $id = $dn1['npm']+1;
                                //We send the message
                                if(mysql_query('insert into pm (id, id2, title, user1, user2, message, timestamp, user1read, user2read)values("'.$id.'", "1", "'.$title.'", "'.$_SESSION['userid'].'", "'.$dn1['recipid'].'", "'.$message.'", "'.time().'", "yes", "no")'))
                                {
?>
<div class="message">The message has successfully been sent.<br />
<a href="list_pm.php">List of my Personal messages</a></div>
<?php
                                        $form = false;
                                }
                                else
                                {
                                        //Otherwise, we say that an error occured
                                        $error = 'An error occurred while sending the message';
                                }
                        }
                        else
                        {
                                //Otherwise, we say the user cannot send a message to himself
                                $error = 'You cannot send a message to yourself.';
                        }
                }
                else
                {
                        //Otherwise, we say the recipient does not exists
                        $error = 'The recipient does not exists.';
                }
        }
        else
        {
                //Otherwise, we say a field is empty
                $error = 'A field is empty. Please fill of the fields.';
        }
}
elseif(isset($_GET['recip']))
{
        //We get the username for the recipient if available
        $orecip = $_GET['recip'];
}
if($form)
{
//We display a message if necessary
if(isset($error))
{
        echo '<div class="message">'.$error.'</div>';
}
//We display the form
?>
<div class="content">
        <h1>New Personal Message</h1>
    <form action="new_pm.php" method="post">
                Please fill the following form to send a Personal message.<br />
        <label for="title">Title</label><input type="text" value="<?php echo htmlentities($otitle, ENT_QUOTES, 'UTF-8'); ?>" id="title" name="title" /><br />
        <label for="recip">Recipient<span class="small">(Username)</span></label><input type="text" value="<?php echo htmlentities($orecip, ENT_QUOTES, 'UTF-8'); ?>" id="recip" name="recip" /><br />
        <label for="message">Message</label><textarea cols="40" rows="5" id="message" name="message"><?php echo htmlentities($omessage, ENT_QUOTES, 'UTF-8'); ?></textarea><br />

        <input type="submit" value="Send" />
    </form>
</div>
<?php
}
}
else
{
        echo '<div class="message">You must be logged to access this page.</div>';
}
?>
                <div class="foot"><a href="list_pm.php">Go to my Personal messages</a> - <a href="http://www.webestools.com/">Webestools</a></div>
        </body>
</html>
jarlh
Tom Reeves
  • 1
    Dunno where you got the `$_REQUEST_VAR` idea from, but the error message says to use the Request class, or request_var(), a function. See [phpbb's documentation](https://wiki.phpbb.com/Function.request_var). – Jonnix May 07 '15 at 14:03
  • Read the error message: it is telling you to use a function called request_var(), not a variable called $_REQUEST_VAR. I did not use phpBB for a long while, but I am guessing that you should provide the key as a parameter – mishu May 07 '15 at 14:03

5 Answers

3

@Eeji's answer is what I do in most cases: however, there are some rare scenarios when using the request class isn't possible, for example when you're dealing with existing, pre-3.1 phpBB implementations and you want to upgrade the forum without having to mess with a PHP script which uses superglobals and that you either don't own, know or are allowed to change.

When such situations arise you can choose to re-enable superglobals either globally or programmatically:

Globally

Open the /phpbb/config/parameters.yml file and change the core.disable_super_globals key from true to false.

Programmatically

This is a sample code that can be used to temporarily enable superglobals (per-request scope):

// temporarily enable superglobals
$request->enable_super_globals();

// TODO: do your stuff here.

// disable superglobals again
$request->disable_super_globals();

You can also read this blog post that I wrote on this topic for further info.

Darkseal
  • I think this should be the accepted answer. Whilst protected access to superglobals is important, being at the behest of an application is not ideal. If you are writing an application that uses phpBB as just one of its components (like I am), tightly coupling your application to phpBB by riddling it with calls to request_var() leaves you in a sticky situation should you then want to replace your forum software. – e_i_pi Dec 05 '16 at 04:41
2

Super globals have been disabled in phpBB 3.1 and the request_var() function from 3.0.x has been deprecated.

Instead you should use the request class, documentation is on the phpBB development wiki here - https://wiki.phpbb.com/PhpBB3.1/RFC/Request_class

Eeji
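As an added example (not part of the original answer, and not phpBB's own code), here is the question's form handler written against the phpBB 3.1 request class and database layer. It assumes the `./phpBB/` path and the custom `pm` table from the question, and that this table lives in the forum database.

```php
<?php
// Added example, not the asker's code. Assumes phpBB 3.1+ in ./phpBB/
// and the custom `pm` table from the question.
define('IN_PHPBB', true);
$phpbb_root_path = './phpBB/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

$user->session_begin();
$auth->acl($user->data);
$user->setup('ucp');
$post = \phpbb\request\request_interface::POST; // read from POST only
$error = ''; $sent = false;

// Act only on a real form submission from a logged-in user.
if ($user->data['user_id'] != ANONYMOUS && $request->is_set_post('title'))
{
    // Third argument true = accept multibyte (UTF-8) text. Strings come back
    // trimmed and htmlspecialchars()-encoded, so no second HTML encoding here.
    $title = $request->variable('title', '', true, $post);
    $recip = $request->variable('recip', '', true, $post);
    $message = $request->variable('message', '', true, $post);

    // Recipient lookup through phpBB's DBAL instead of mysql_*().
    $sql = 'SELECT user_id FROM ' . USERS_TABLE . "
        WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($recip)) . "'";
    $result = $db->sql_query($sql);
    $recip_id = (int) $db->sql_fetchfield('user_id'); // 0 when no row matches
    $db->sql_freeresult($result);

    if ($title === '' || $recip === '' || $message === '')
    {
        $error = 'A field is empty.';
    }
    else if ($recip_id === 0 || $recip_id === (int) $user->data['user_id'])
    {
        $error = 'Unknown recipient, or recipient is yourself.';
    }
    else
    {
        $result = $db->sql_query('SELECT COUNT(*) AS npm FROM pm');
        $id = (int) $db->sql_fetchfield('npm') + 1; // id scheme kept from the question
        $db->sql_freeresult($result);
        $row = array('id' => $id, 'id2' => 1, 'title' => $title, 'message' => $message,
            'user1' => (int) $user->data['user_id'], 'user2' => $recip_id,
            'timestamp' => time(), 'user1read' => 'yes', 'user2read' => 'no');
        // sql_build_array() quotes and escapes every value for the INSERT.
        $sent = (bool) $db->sql_query('INSERT INTO pm ' . $db->sql_build_array('INSERT', $row));
    }
}
```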
1

Cheers guys, proved difficult for me but got there with your help. I've included the edit below.

<?php
include('config.php');

define('IN_PHPBB', true);
$phpbb_root_path = './phpBB/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup('ucp');


$_SESSION['userid'] = $user->data['user_id'];
$_SESSION['username'] = $user->data['username'];

$gettitle = request_var('title', '0');
$getrecip = request_var('recip', '0');
$getmessage=request_var('message', '0');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <link href="<?php echo $design; ?>/style.css" rel="stylesheet" title="Style" />
        <title>New PM</title>
    </head>
    <body>
        <div class="header">
                <a href="<?php echo $url_home; ?>"><img src="<?php echo $design; ?>/images/logo.png" alt="Members Area" /></a>
        </div>
<?php
//We check if the user is logged on
if(isset($_SESSION['username']))
{
$form = true;
$otitle = '';
$orecip = '';
$omessage = '';

//We check if the form has been sent
if(isset($gettitle,$getrecip,$getmessage))
{
        $otitle = $gettitle;
        $orecip = $getrecip;
        $omessage = $getmessage;
        //We remove slashes depending on the configuration
        if(get_magic_quotes_gpc())
        {
                $otitle = stripslashes($otitle);
                $orecip = stripslashes($orecip);
                $omessage = stripslashes($omessage);
        }
        //We check if all the fields are filled
        if($gettitle!='' and $getrecip!='' and $getmessage!='')
        {
                //We protect the variables
                $title = mysql_real_escape_string($otitle);
                $recip = mysql_real_escape_string($orecip);
                $message = mysql_real_escape_string(nl2br(htmlentities($omessage, ENT_QUOTES, 'UTF-8')));
                //We check if the recipient exists
                $dn1 = mysql_fetch_array(mysql_query('SELECT count(user_id) as recip, user_id as recipid, (select count(*) from pm) as npm 
                              FROM phpbb_users
                              WHERE username = "'.$recip.'"'));
                if($dn1['recip']==1)
                {
                        //We check if the recipient is not the actual user
                        if($dn1['recipid']!=$_SESSION['userid'])
                        {
                                $id = $dn1['npm']+1;
                                //We send the message
                                if(mysql_query('insert into pm (id, id2, title, user1, user2, message, timestamp, user1read, user2read)values("'.$id.'", "1", "'.$title.'", "'.$_SESSION['userid'].'", "'.$dn1['recipid'].'", "'.$message.'", "'.time().'", "yes", "no")'))
                                {
?>
<div class="message">The message has successfully been sent.<br />
<a href="list_pm.php">List of my Personal messages</a></div>
<?php
                                        $form = false;
                                }
                                else
                                {
                                        //Otherwise, we say that an error occured
                                        $error = 'An error occurred while sending the message';
                                }
                        }
                        else
                        {
                                //Otherwise, we say the user cannot send a message to himself
                                $error = 'You cannot send a message to yourself.';
                        }
                }
                else
                {
                        //Otherwise, we say the recipient does not exists
                        $error = 'The recipient does not exists.';
                }
        }
        else
        {
                //Otherwise, we say a field is empty
                $error = 'A field is empty. Please fill of the fields.';
        }
}
elseif(isset($_GET['recip']))
{
        //We get the username for the recipient if available
        $orecip = $_GET['recip'];
}
if($form)
{
//We display a message if necessary
if(isset($error))
{
        echo '<div class="message">'.$error.'</div>';
}
//We display the form
?>
<div class="content">
        <h1>New Personal Message</h1>
    <form action="new_pm.php" method="post">
                Please fill the following form to send a Personal message.<br />
        <label for="title">Title</label><input type="text" value="<?php echo htmlentities($otitle, ENT_QUOTES, 'UTF-8'); ?>" id="title" name="title" /><br />
        <label for="recip">Recipient<span class="small">(Username)</span></label><input type="text" value="<?php echo htmlentities($orecip, ENT_QUOTES, 'UTF-8'); ?>" id="recip" name="recip" /><br />
        <label for="message">Message</label><textarea cols="40" rows="5" id="message" name="message"><?php echo htmlentities($omessage, ENT_QUOTES, 'UTF-8'); ?></textarea><br />

        <input type="submit" value="Send" />
    </form>
</div>
<?php
}
}
else
{
        echo '<div class="message">You must be logged to access this page.</div>';
}
?>
                <div class="foot"><a href="list_pm.php">Go to my Personal messages</a> - <a href="http://www.webestools.com/">Webestools</a></div>
        </body>
</html>
Tom Reeves
0

I believe that 'superglobals' is disabled in the php.ini and $_GET, $_POST and $_REQUEST are not available.

You might be able to pull them into scope by declaring them using the 'global' keyword, but I'm not sure.

global $_POST;

Based on the error message you quoted: use request_var().

https://wiki.phpbb.com/Function.request_var

http://php.net/manual/en/reserved.variables.request.php

Docs say: This is a 'superglobal', or automatic global, variable. This simply means that it is available in all scopes throughout a script. There is no need to do global $variable; to access it within functions or methods.

http://php.net/manual/en/language.variables.superglobals.php

fbas
0

I had a similar problem and here's my nice solution, for getting the $_SERVER['HTTP_USER_AGENT'] var (substitute other vars as needed). This works both on pages that integrate with phpBB and those that don't:

if (function_exists('request_var'))
    $userAgent = request_var('HTTP_USER_AGENT','');
else
    $userAgent = $_SERVER['HTTP_USER_AGENT'];
buddemat
dooq