Web Hosting Forum | Lunarpages


*
Welcome, Guest. Please login or register.
Did you miss your activation email?


Login with username, password and session length
March 19, 2010, 01:17:39 AM

Pages: 1 [2]   Go Down
« previous next »
  Print  
Author Topic: PHP and Register Global Variables  (Read 14085 times)
StonedRoses
Spaceship Captain
*****
Offline Offline

Posts: 114



WWW
« Reply #15 on: March 29, 2008, 08:30:38 AM »
Thanks alot scanman that clears it up alot, but one final question. If i aquire my UQS vars using _REQUEST, will the end user still be able to change the value in the URL and have it take effect? Or will it call the origional value given to it by the forwarding page?

Sorry if im being a pain the lower back, ide just like to clear all this up and start ammending codes before php 6 gets here.
Logged
http://www.stonedroses.com
http://www.totalchaos.org.uk
scanman20
Master Jedi
*****
Offline Offline

Posts: 1402



WWW
« Reply #16 on: March 29, 2008, 11:35:40 AM »
Yes, anything passed in the URL can be obviously altered which is why you should always check the data you receive (validation). The real issue with using register globals is that it is a very easy way for unscrupulous people to change your code. Never rely on receiving what you expect...check for it and discard anything that doesn't fit.
Logged
Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP
StonedRoses
Spaceship Captain
*****
Offline Offline

Posts: 114



WWW
« Reply #17 on: March 29, 2008, 04:22:13 PM »
Thankyou for the advice, i have allways validated my vars from UQS. But now im more confused than ever, if people can still change the URL vars, why is php being changed so i have to call it with _REQUEST. It seems to me to be the same, and therefor surely the same old security issues will still apply. (people modding the vars for their own evil ends)
 Confused
Logged
http://www.stonedroses.com
http://www.totalchaos.org.uk
MrPhil
Professor in Nanotechnology
*****
Offline Offline

Posts: 4597
« Reply #18 on: March 29, 2008, 05:59:30 PM »
The elimination of register global variables reduces the chance of malicious users "leaking in" variables that have nasty content. Now you have to explicitly import these variables with $_GET, $_POST, or $_REQUEST, which cuts the chances that you've forgotten to give valid default values before importing the actual value (if any) with $_REQUEST, etc. Of course, you still should validate a variable's data before making use of it, to prevent injection attacks and the like. It doesn't matter how a variable used in your code arrived (explicitly via $_REQUEST, or implicitly via register global variables) if it contains bogus content. Turning off register globals simply forces you to take an extra step and be a little more careful in your code design, so that you can't overlook setting your variables along any possible code path.
Logged
imdad
Newbie
*
Offline Offline

Posts: 4
« Reply #19 on: September 22, 2009, 09:55:29 PM »
Hi,
As you were using register global variable I believe there will be no collision in variable names.
So the best way for you would be using "extract()".
what extract does is that it accepts an array as parameter and all key=> value pair become simple variable and their values respectively. i.e. if you write "extract( $_REQUEST );" in your code you will have $user_name defined automatically having the value entered by user in form. same happens for all fields in form.




Regards,
SK Imdad
Senior Software Engineer
Key Software Services Pvt Ltd
keyss.in
www.keysoftwareservices.com
Logged
warmmelody
Newbie
*
Offline Offline

Posts: 1
« Reply #20 on: December 13, 2009, 10:03:34 PM »
We recently got a Job Portal Package and we uploaded in the server some of the links where not working for applying for the job and so on and finally we asked our developer guys who sold this Job Portal Package he said you must ask the Hosting guys to change the register_global to ON as its OFF. Then we asked the Hosting Guys they said they cannot do it as it will be easy for the hackers to hack the server.
Now we are struck both the sides; As the developer is not ready to change his coding to suit the Server and most of his codings are done with ioncube to encrypt the files. We are totally struck.

Is there any way we can solve this problem by uploading some files in the document root to change this register_global ON or to make the codings work.

Hope you can help us
Logged
MrPhil
Professor in Nanotechnology
*****
Offline Offline

Posts: 4597
« Reply #21 on: December 14, 2009, 11:12:00 AM »
Did you attempt to follow the instructions for turning register global variables on in your php.ini file? This would just affect your site. If support turned down your request, maybe they thought you were asking for PHP to be reconfigured for everyone? As far as I know, it's still possible to enable register globals in your own account. This will go away some time in the future (PHP 6?), so your developer had better get his head on straight and get working on not using register globals.
Logged
MichaelT
Support
Galactic Royalty
*****
Offline Offline

Posts: 420
« Reply #22 on: December 15, 2009, 01:50:20 AM »
Hi warmmelody,

MrPhil is correct. This is not something that we can change server wide but you can adjust it to ON or OFF as needed for your scripts using a custom php.ini file. This link may be helpful:

http://wiki.lunarpages.com/PHP_and_Register_Global_Variables
Logged
Lunarpages Web Hosting
Lunarpages Forums
Lunarpapages Affiliate Program
Pages: 1 [2]   Go Up
  Print  
« previous next »
 
Jump to: