Web Hosting Forum | Lunarpages

Author Topic: PHP and Register Global Variables  (Read 85531 times)

Offline StonedRoses

  • Intergalactic Superstar
  • *****
  • Posts: 128
    • http://www.sebby.co.uk
Re: PHP and Register Global Variables
« Reply #15 on: March 29, 2008, 07:30:38 AM »
Thanks alot scanman that clears it up alot, but one final question. If i aquire my UQS vars using _REQUEST, will the end user still be able to change the value in the URL and have it take effect? Or will it call the origional value given to it by the forwarding page?

Sorry if im being a pain the lower back, ide just like to clear all this up and start ammending codes before php 6 gets here.
http://www.sebby.co.uk - Your online supplier of discount fashion jewellery, gemstone jewellery, ladies dress watches, giftware and more.

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1553
    • http://www.notonebit.com
Re: PHP and Register Global Variables
« Reply #16 on: March 29, 2008, 10:35:40 AM »
Yes, anything passed in the URL can be obviously altered which is why you should always check the data you receive (validation). The real issue with using register globals is that it is a very easy way for unscrupulous people to change your code. Never rely on receiving what you expect...check for it and discard anything that doesn't fit.
Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP (<- unused since 2006!)

Offline StonedRoses

  • Intergalactic Superstar
  • *****
  • Posts: 128
    • http://www.sebby.co.uk
Re: PHP and Register Global Variables
« Reply #17 on: March 29, 2008, 03:22:13 PM »
Thankyou for the advice, i have allways validated my vars from UQS. But now im more confused than ever, if people can still change the URL vars, why is php being changed so i have to call it with _REQUEST. It seems to me to be the same, and therefor surely the same old security issues will still apply. (people modding the vars for their own evil ends)
 :-?
http://www.sebby.co.uk - Your online supplier of discount fashion jewellery, gemstone jewellery, ladies dress watches, giftware and more.

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6196
Re: PHP and Register Global Variables
« Reply #18 on: March 29, 2008, 04:59:30 PM »
The elimination of register global variables reduces the chance of malicious users "leaking in" variables that have nasty content. Now you have to explicitly import these variables with $_GET, $_POST, or $_REQUEST, which cuts the chances that you've forgotten to give valid default values before importing the actual value (if any) with $_REQUEST, etc. Of course, you still should validate a variable's data before making use of it, to prevent injection attacks and the like. It doesn't matter how a variable used in your code arrived (explicitly via $_REQUEST, or implicitly via register global variables) if it contains bogus content. Turning off register globals simply forces you to take an extra step and be a little more careful in your code design, so that you can't overlook setting your variables along any possible code path.
Visit My Site

E-mail Me
  
-= From the ashes shall rise a sooty tern =-

Offline imdad

  • Newbie
  • *
  • Posts: 4
Re: PHP and Register Global Variables from Key Software Services
« Reply #19 on: September 22, 2009, 08:55:29 PM »
Hi,
As you were using register global variable I believe there will be no collision in variable names.
So the best way for you would be using "extract()".
what extract does is that it accepts an array as parameter and all key=> value pair become simple variable and their values respectively. i.e. if you write "extract( $_REQUEST );" in your code you will have $user_name defined automatically having the value entered by user in form. same happens for all fields in form.




Regards,
SK Imdad
Senior Software Engineer
Key Software Services Pvt Ltd
keyss.in
www.keysoftwareservices.com


Offline warmmelody

  • Newbie
  • *
  • Posts: 1
Re: PHP and Register Global Variables
« Reply #20 on: December 13, 2009, 10:03:34 PM »
We recently got a Job Portal Package and we uploaded in the server some of the links where not working for applying for the job and so on and finally we asked our developer guys who sold this Job Portal Package he said you must ask the Hosting guys to change the register_global to ON as its OFF. Then we asked the Hosting Guys they said they cannot do it as it will be easy for the hackers to hack the server.
Now we are struck both the sides; As the developer is not ready to change his coding to suit the Server and most of his codings are done with ioncube to encrypt the files. We are totally struck.

Is there any way we can solve this problem by uploading some files in the document root to change this register_global ON or to make the codings work.

Hope you can help us

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6196
Re: PHP and Register Global Variables
« Reply #21 on: December 14, 2009, 11:12:00 AM »
Did you attempt to follow the instructions for turning register global variables on in your php.ini file? This would just affect your site. If support turned down your request, maybe they thought you were asking for PHP to be reconfigured for everyone? As far as I know, it's still possible to enable register globals in your own account. This will go away some time in the future (PHP 6?), so your developer had better get his head on straight and get working on not using register globals.
Visit My Site

E-mail Me
  
-= From the ashes shall rise a sooty tern =-

Offline MichaelT

  • Support
  • Jabba the Hutt
  • *****
  • Posts: 579
Re: PHP and Register Global Variables
« Reply #22 on: December 15, 2009, 01:50:20 AM »
Hi warmmelody,

MrPhil is correct. This is not something that we can change server wide but you can adjust it to ON or OFF as needed for your scripts using a custom php.ini file. This link may be helpful:

http://wiki.lunarpages.com/PHP_and_Register_Global_Variables
--

Support and Assistance:
Contacting Us
Hosting Plans
Affiliate Program
Wiki and Tutorials

Offline Jacobdixon

  • Pong! (the videogame) Master
  • *****
  • Posts: 25
Re: PHP and Register Global Variables
« Reply #23 on: November 02, 2011, 03:16:02 AM »
Global Variables are inbuild support variables by any programming language, as PHP has its defined Global variables called as registered global variables.

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1553
    • http://www.notonebit.com
Re: PHP and Register Global Variables
« Reply #24 on: November 02, 2011, 05:30:41 AM »
Global Variables are inbuild support variables by any programming language, as PHP has its defined Global variables called as registered global variables.
:-?
Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP (<- unused since 2006!)

Offline Poptarted

  • Pong! (the videogame) Master
  • *****
  • Posts: 22
Re: PHP and Register Global Variables
« Reply #25 on: April 05, 2012, 10:23:50 AM »
Global Variables are inbuild support variables by any programming language, as PHP has its defined Global variables called as registered global variables.

In short global means = widespread. The global variables are the ones that once set will effect all scripts that call on the global variables in reference. This way if you are using some variables throughout your entire site or multiple scripts, you don't have to keep redefining them every time, thus saving you lots of time in the long run.

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6196
Re: PHP and Register Global Variables
« Reply #26 on: April 08, 2012, 06:02:13 AM »
No, you (and maybe Jacob, I can't quite tell what he's getting at) are referring to a different kind of global variable. Those are things like $GLOBALS, $_SESSION, and $_SERVER. This discussion is about "Register Global Variables", which are a different color of horse. These are a means to pass user data (via form or URL) from one page to another. The old method simply referred to them by normal name on the receiving page, but this is a security risk, as variables can be maliciously leaked in. The new method puts in an extra step, so that only those globals explicitly listed ($_REQUEST['name'], etc.) will be honored. Calling them "User Global Variables" or something like that would have been better, but that's water under the bridge.

"Superglobals" vs. "Globals" is also a distinction, where superglobals don't need to be listed in a "globals" statement.
Visit My Site

E-mail Me
  
-= From the ashes shall rise a sooty tern =-

Offline Ashtechsmith

  • Space Explorer
  • ***
  • Posts: 6
Re: PHP and Register Global Variables
« Reply #27 on: June 07, 2012, 02:17:30 PM »
Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP » 4.2.0. Reliance on this directive was quite common and many people didn't even know it existed and assumed it's just how PHP works. This page will explain how one can write insecure code with this directive but keep in mind that the directive itself isn't insecure but rather it's the misuse of it.

When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this. Let's demonstrate with an example misuse of register_globals:

Example #1 Example misuse with register_globals = on
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

Offline TigerAero

  • Intergalactic Superstar
  • *****
  • Posts: 196
    • X13: The Xeno Society
Re: PHP and Register Global Variables
« Reply #28 on: November 01, 2013, 02:10:12 PM »
MrPhil,

Just wanted to say, damn sir, you are on point! :)

 :yey: :thumb:
X13: Xeno Society
Have the will to change the world. #x13

Offline gavind

  • Spaceship Captain
  • *****
  • Posts: 100
Re: PHP and Register Global Variables
« Reply #29 on: September 27, 2014, 09:10:02 AM »
Quick question please. Does this still apply for PhP 5.5.x?

 

Share |