12-16-2005, 06:12 PM #1
kingleo
Ambitious Member

Join Date: Dec 2005
Posts: 33
Register_global Discussing

Register_global has been off by default since PHP 4.2.0, so it makes many coders feel uncomfortable when they need to use global variables.

This is a cool solution from PHPBuilder, and it helps many coders feel good again when they don't need to use $_GET['content'] instead of $content as a global var.

Here is the code:
Code:

$list = array('_COOKIE', '_ENV', '_FILES', '_GET'); // etc.
foreach ($list as $element) {
    if (!empty($$element) && is_array($$element)) {
        extract($$element);
    }
}

Though, I don't recommend that people use this code to avoid the officially recommended way of using global vars, only if you have made mistakes with them all over your code, or you need to migrate a long script from PHP < 4.2.0 to >= 4.2.0.

Any ideas about this code? I really don't know if this code is secure enough or not.
__________________
i'm a zealous php newbie
12-16-2005, 07:08 PM #2
Matthijs
Super Moderator

Join Date: Nov 2005
Posts: 36

That's not a smart solution. Using extract you are extracting all values from all methods. A visitor can now send any value into your script, as if register globals was on. index.php?adminloggedin=1
That may be a simple situation, but you get the point. Problem is, you have less control over which variables you're processing. All variables that are set in a script could be changed by anyone.

Best is to use a whitelist approach. Something like:
PHP Code:
$clean = array();

// Copy the value into $clean only if it is one of the expected colors
switch ($_POST['color'])
{
    case 'red':
    case 'green':
    case 'blue':
        $clean['color'] = $_POST['color'];
        break;
}

Now you know exactly what to expect, and what variables to continue to work with ($clean array).

There have been a series of excellent articles in PHP architect this year about this. Also, check the articles and book from Chris Shiflett.
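Added example (not part of either poster's message): the same request handled by the extract() snippet and by a whitelist, generalised from the switch above to a table of fields and allowed values. The function names and the sample request are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names and the sample
// request are constructed for illustration.

// Behaviour of the extract() snippet: every request key becomes a local
// variable and replaces whatever the script had set before.
function page_with_extract(array $request)
{
    $adminloggedin = 0;      // the script's own state: not logged in
    extract($request);       // default flag EXTR_OVERWRITE replaces it
    return $adminloggedin;
}

// Whitelist approach, generalised: only the named fields are read, and only
// values from the allowed list are copied into $clean.
function whitelist(array $request, array $allowed)
{
    $clean = array();
    foreach ($allowed as $field => $values) {
        if (isset($request[$field])
            && is_string($request[$field])
            && in_array($request[$field], $values, true)) {
            $clean[$field] = $request[$field];
        }
    }
    return $clean;
}

// Constructed request, as PHP would parse ?color=green&adminloggedin=1
$request = array('color' => 'green', 'adminloggedin' => '1');
$allowed = array('color' => array('red', 'green', 'blue'));

// The script's $adminloggedin is replaced by the request value.
var_dump(page_with_extract($request));

// Only the validated 'color' entry is kept; 'adminloggedin' is never read.
var_dump(whitelist($request, $allowed));

// A value outside the list is dropped, so $clean stays empty.
var_dump(whitelist(array('color' => 'purple'), $allowed));
```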
12-16-2005, 07:37 PM #3
kingleo
Ambitious Member

Join Date: Dec 2005
Posts: 33

Thanks a lot. I have actually had doubts since I saw the code; I was just not sure about it.
__________________
i'm a zealous php newbie

All times are GMT.