  1. #1

    Will someone school me on Register_Globals

    So... In my short 2 month learning curve I've learned a lot of necessities of PHP development including form-handling, general MySQL interaction, dynamic URLs, mail functions, an intro to arrays and many other nifty things that have made my life much easier.

    Today I was shocked when someone pointed out that I'd been working with register_globals ON. I checked my phpinfo() and sure enough they were right. I'd somehow missed this important chapter in PHP. I've come across the term from time to time but didn't think much of it.

    Well - I'd like to know what I need to go back and look at.

    From a few googles and digging the forum I've learned that register_globals can be turned off by .htaccess. Also I'll have to set all my variables with $_GET or $_POST from a URL (explains the isset() function).

    I've looked at the PHP manual but it doesn't really get the point across to me.

    What else should I be sure to look at?

  • #2
    devinemke
    I assume you have read the manual page on Using Register Globals? You basically need to examine your code and see how/where you are using any data that is coming from the outside world (GET/POST/COOKIE). You should also read the manual section on User Submitted Data.

  • #3

    >:(

    I've been attempting to create a .htaccess file with the contents:

    php_flag register_globals off

    To turn my reg_glob off. I'm on Mac OS 10.4 and using TextWrangler, and after uploading and checking my phpinfo() my register_globals are still ON.

    I've only once successfully created a .htaccess file so it's very new to me.

    TextWrangler is a stripped down text editor that I've heard a lot of people use for this. What could I be doing wrong?

  • #4
    Quote Originally Posted by macmonkey
    Today I was shocked when someone pointed out that I'd been working with register_globals ON.
    What a coincidence. I'm sure I said something like that to someone not too long ago...

    Anyways... register_globals is On on many servers. It doesn't really have to be off for your script to be secure. You just have to be sure you don't use any undeclared variables. register_globals registers (wow) all variables passed by a form, cookie and query string as normal variables. If you haven't set them a value yourself they can get a value from the "outside", which can make your script run in an unpredicted way.
    To be sure you know where your variables come from you should use the superglobal arrays (_GET, _POST, _COOKIE and _REQUEST, which is the first 3 combined).
    To be absolutely sure register_globals doesn't register any unwanted variables you can unset them with this code:
    PHP Code:
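    // Place at the top of your code.
    if (@ini_get('register_globals'))
    {
        // Every request key was registered as a global variable of the same name.
        foreach ($_REQUEST as $var_name => $void)
        {
            // Remove that global; the value is still available in the superglobal arrays.
            unset(${$var_name});
        }
    }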

    This is how phpBB unsets these variables.
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.
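
The uninitialised-variable problem described in the post above, as an added example that is not part of the original thread. register_globals was removed in PHP 5.4, so its effect is simulated with extract(); the function names and the forged request are constructed for illustration. The forged parameter sets the flag in the first function and has no effect in the second.

```php
<?php
// Added example. extract() at the top of each function stands in for
// register_globals = On: request keys become variables before any of the
// function's own logic runs. EXTR_SKIP only protects the parameters.

// Vulnerable pattern: $authorized is assigned on the success path only.
function check_vulnerable(array $request, bool $passwordOk): bool
{
    extract($request, EXTR_SKIP);   // simulated register_globals
    if ($passwordOk) {
        $authorized = true;
    }
    // If the password check failed, $authorized holds whatever the request
    // supplied under that name, or nothing at all.
    return !empty($authorized);
}

// Hardened pattern: every variable gets an explicit value before it is read,
// which overwrites anything registered from the request.
function check_hardened(array $request, bool $passwordOk): bool
{
    extract($request, EXTR_SKIP);   // same simulated injection
    $authorized = false;            // explicit initial value
    if ($passwordOk) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: an ordinary one and one carrying a variable name
// the script uses internally.
$requests = [
    'ordinary' => ['page' => 'home'],
    'forged'   => ['authorized' => '1'],
];

foreach ($requests as $label => $request) {
    printf(
        "%-8s vulnerable=%s hardened=%s\n",
        $label,
        var_export(check_vulnerable($request, false), true),
        var_export(check_hardened($request, false), true)
    );
}
```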

  • #5
    Fou-Lu
    Register globals don't even need to be unset to ensure security, so long as you're not using them. Personally, I'd unset them as well to preserve precious, precious memory.
    Code your script with error_reporting of at least E_NOTICE. Any notice you receive will usually inform you of uninitialized variables.
    Take an example: http://site.com/script.php?id=1
    PHP Code:
    $query = "SELECT * FROM table WHERE id = '" . $id . "'";
    // This query will work in register_globals, and will throw an error level of E_NOTICE
    if (isset($_GET['id']))
    {
        $id = $_GET['id'];
    }
    $query = "SELECT * FROM table WHERE id = '" . $id . "'";
    // Will work, no notices as 'id' has been initialized
    Obviously you don't want to use what I have above, as that is about as secure to a hacker as a mousehole is to a mouse. But the point is, if you initialize all variables to use, and validate accordingly, having register_globals on doesn't really matter, so long as you don't make use of them.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
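
The "initialize all variables and validate accordingly" advice from the post above, carried through as an added example that is not part of the original thread. The `items` table, its rows, the `find_row` helper and the sample inputs are constructed, and an in-memory SQLite database (pdo_sqlite) stands in for the real one; it goes one step past the post by binding the validated id as a query parameter instead of concatenating it.

```php
<?php
// Added example with constructed data; requires the pdo_sqlite extension.
error_reporting(E_ALL);   // includes E_NOTICE, so uninitialised variables are reported

function find_row(PDO $db, array $get): ?array
{
    $id = null;                       // initialise before any use
    if (isset($get['id'])) {
        // Accept only a positive integer; anything else yields false.
        $id = filter_var(
            $get['id'],
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
    }
    if ($id === null || $id === false) {
        return null;                  // missing or malformed id: no query is run
    }

    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Constructed database standing in for the application's real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (id, name) VALUES (1, 'first'), (2, 'second')");

// Constructed inputs standing in for $_GET: valid id, malformed id, no id.
$samples = [
    ['id' => '1'],
    ['id' => '2x'],
    [],
];

foreach ($samples as $get) {
    var_dump(find_row($db, $get));
}
```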

