
Dealing with register_globals

I am not sure whether this would be good to be marked as community wiki, but anyway:

Is there an easy way to kill the register_globals? I'm working on a PHP Framework and right now, I just set the script to terminate if register_globals is On. Although I prefer to force people to disable it, there are servers that still have that on.

I know that in PHP 5.3.0 register_globals is deprecated and in PHP 6 it will be completely removed, but it is always a good thing to deal with it while it is still here.

I saw some ways, and I'm currently thinking of using this:

$temp = array_merge($_GET, $_POST, $_COOKIE);
foreach($temp as $k => $v) {
    if(isset($$k)) unset($$k);
}

There are some problems over here, though. It is resource intensive, especially when there's a lot of input data. I am not sure whether disabling it at runtime would work, for example:

ini_set('register_globals', 'Off');

Is there a better way that I haven't heard of to get rid of register_globals? Thanks.

Jimmie Lin asked Feb 28 '23 20:02


2 Answers

There are methods of dealing with register_globals described in the PHP manual. The register_globals ini setting can't be set at runtime by ini_set(), so if you can't do it with an .htaccess or web server configuration file, the method provided there would be the official workaround.

It basically provides this snippet of code to emulate compatibility:

<?php
// Emulate register_globals off
function unregister_GLOBALS()
{
    if (!ini_get('register_globals')) {
        return;
    }

    // Might want to change this perhaps to a nicer error
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        die('GLOBALS overwrite attempt detected');
    }

    // Variables that shouldn't be unset
    $noUnset = array('GLOBALS',  '_GET',
                     '_POST',    '_COOKIE',
                     '_REQUEST', '_SERVER',
                     '_ENV',     '_FILES');

    $input = array_merge($_GET,    $_POST,
                         $_COOKIE, $_SERVER,
                         $_ENV,    $_FILES,
                         isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());

    foreach ($input as $k => $v) {
        if (!in_array($k, $noUnset) && isset($GLOBALS[$k])) {
            unset($GLOBALS[$k]);
        }
    }
}

unregister_GLOBALS();

?>
zombat answered Mar 07 '23 20:03
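
The manual's clean-up removes every global whose name matches an input key, so the point in the bootstrap where it runs matters. The following is an added example, not code from the PHP manual or from either answer; `simulate_register_globals()`, `unregister_input_globals()` and the request values are hypothetical, used so the behaviour can be reproduced on a PHP build that no longer has register_globals.

```php
<?php
// Added example, not from the PHP manual or the answers on this page.
// register_globals no longer exists in current PHP, so this hypothetical
// helper imitates it by copying request input into the global scope.
function simulate_register_globals(array $input): void
{
    foreach ($input as $k => $v) {
        $GLOBALS[$k] = $v;
    }
}

// The manual's clean-up rule without the ini_get() guard, so it can be
// exercised here. Returns the names it removed, which is useful for logging.
function unregister_input_globals(array $input): array
{
    $noUnset = ['GLOBALS', '_GET', '_POST', '_COOKIE',
                '_REQUEST', '_SERVER', '_ENV', '_FILES'];
    $removed = [];
    foreach ($input as $k => $v) {
        if (!in_array($k, $noUnset, true) && isset($GLOBALS[$k])) {
            unset($GLOBALS[$k]);
            $removed[] = $k;
        }
    }
    return $removed;
}

// Constructed request input: ?authorized=1&page_size=500
$request = ['authorized' => '1', 'page_size' => '500'];
simulate_register_globals($request);

// Case 1: clean-up runs first, then the framework defines its own globals.
$removed = unregister_input_globals($request);
$page_size = 20;
echo 'removed: ', implode(', ', $removed), PHP_EOL;
echo 'authorized set after clean-up: ', var_export(isset($authorized), true), PHP_EOL;
echo 'page_size kept when set after clean-up: ', var_export(isset($page_size), true), PHP_EOL;

// Case 2: clean-up runs late. It cannot tell the framework's $page_size from
// a request-supplied one, so the framework's own variable is removed too.
unregister_input_globals($request);
echo 'page_size kept when set before clean-up: ', var_export(isset($page_size), true), PHP_EOL;
```

In a framework, this means calling the clean-up as the first statement of the bootstrap file, before any global of its own is assigned.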


You could add php_flag register_globals off to your .htaccess file, although not all servers accept this. So if you're planning to publish your framework, it might not be a good idea.

Robin answered Mar 07 '23 22:03