12-16-2005, 06:12 PM | #1 |
Ambitious Member
Join Date: Dec 2005
Posts: 33
|
Register_global Discussing
Register_global is off by default since php 4.2.0, so it makes many coders feel uncomfortable when they need to use global variables.
This is a cool solution from PHPBuilder, and it helps many coders feel good again when they don't need to use $_GET['content'] instead of $content as a global var. Here is the code:
Code:
$list = array('_COOKIE', '_ENV', '_FILES', '_GET'); // etc.
foreach ($list as $element) {
    if (!empty($$element) && is_array($$element)) {
        extract($$element);
    }
}
Though, I don't recommend people to use this code to prevent the use of the official recommended way of using global vars, only if you make mistakes about them all over your code; or you need to migrate a piece of long script from php<4.2.0 to >=4.2.0.
Any ideas about this code? I really don't know if this code is secure enough or not.
__________________
i'm a zealous php newbie |
12-16-2005, 07:08 PM | #2 |
Super Moderator
Join Date: Nov 2005
Posts: 36
|
That's not a smart solution. Using extract you are extracting all values from all methods. A visitor can now send any value into your script, as if register globals was on:
index.php?adminloggedin=1
That may be a simple situation, but you get the point. Problem is, you have less control over which variables you're processing. All variables that are set in a script could be changed by anyone. Best is to use a whitelist approach. Something like:
PHP Code:
Now you know exactly what to expect, and what variables to continue to work with ($clean array). There have been a series of excellent articles in PHP architect this year about this. Also, check the articles and book from Chris Shiflett. |
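Added example, not part of the original thread and not the code that was posted in reply #2: one way a whitelist that fills a $clean array can look, run beside the extract() approach from post #1 on the same request. The field names (page, id), the allowed page values, both function names and the sample request are constructed assumptions.

```php
<?php
// Constructed sample request, standing in for $_GET on
// index.php?page=news&id=42&adminloggedin=1
$request = array('page' => 'news', 'id' => '42', 'adminloggedin' => '1');

// Approach from post #1: every request key becomes a local variable.
function load_with_extract(array $input)
{
    $adminloggedin = 0;   // state the script itself set earlier
    extract($input);      // default EXTR_OVERWRITE lets request data replace it
    return $adminloggedin;
}

// Whitelist: only named keys are read, each with its own validation.
function load_with_whitelist(array $input)
{
    $clean = array();

    // 'page' must be one of a fixed set of values, otherwise fall back.
    $pages = array('home', 'news', 'contact');
    if (isset($input['page']) && is_string($input['page'])
        && in_array($input['page'], $pages, true)) {
        $clean['page'] = $input['page'];
    } else {
        $clean['page'] = 'home';
    }

    // 'id' must be a string of digits; arrays (?id[]=1) and anything
    // non-numeric are dropped instead of being passed along.
    if (isset($input['id']) && is_string($input['id'])
        && ctype_digit($input['id'])) {
        $clean['id'] = (int) $input['id'];
    }

    // Keys that are not listed above never reach the rest of the script.
    return $clean;
}

// The script's own flag now holds the value sent in the request.
var_dump(load_with_extract($request));

// Only the validated 'page' and 'id' entries are present.
var_dump(load_with_whitelist($request));
```

The rest of the script then reads only from $clean, so an unexpected parameter such as adminloggedin has no variable to land in.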
12-16-2005, 07:37 PM | #3 |
Ambitious Member
Join Date: Dec 2005
Posts: 33
|
Thanks a lot. I have actually had doubt since I saw the code, I was just not sure about it.
__________________
i'm a zealous php newbie |