Topic: PHP Register Globals
Andries Seutens
« on: 03/23/04, 15:51 »

Hey everybody,


I noticed that many problems regarding PHP are caused by the fact that most people are unaware of the changes PHP made in PHP 4.2.0.

The default value for the PHP directive register_globals went from ON to OFF. Reliance on this directive was quite common and many people didn't even know it existed and assumed it's just how PHP works.

This is a major change in PHP. Having register_globals off affects the set of predefined variables available in the global scope. For example, to get DOCUMENT_ROOT you'll use $_SERVER['DOCUMENT_ROOT'] instead of $DOCUMENT_ROOT, or $_GET['id'] from the URL http://www.example.com/test.php?id=3 instead of $id, or $_ENV['HOME'] instead of $HOME.

When on, register_globals will inject (poison) your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this.

$_GET
Variables provided to the script via HTTP GET. Analogous to the old $HTTP_GET_VARS array (which is still available, but deprecated).

example: echo $_GET['variablename'];

$_POST
Variables provided to the script via HTTP POST. Analogous to the old $HTTP_POST_VARS array (which is still available, but deprecated).

example: echo $_POST['variablename'];

$_COOKIE
Variables provided to the script via HTTP cookies. Analogous to the old $HTTP_COOKIE_VARS array (which is still available, but deprecated).

example: $_COOKIE['name'] = 'this is the cookie name';

$_FILES
Variables provided to the script via HTTP post file uploads. Analogous to the old $HTTP_POST_FILES array (which is still available, but deprecated). See POST method uploads for more information.

example: $_FILES['tmp_filename'];

$_ENV
Variables provided to the script via the environment. Analogous to the old $HTTP_ENV_VARS array (which is still available, but deprecated).

$_REQUEST
Variables provided to the script via the GET, POST, and COOKIE input mechanisms, and which therefore cannot be trusted. The presence and order of variable inclusion in this array is defined according to the PHP variables_order configuration directive. This array has no direct analogue in versions of PHP prior to 4.1.0.

example: echo $_REQUEST['variablename'];

$_SESSION
Variables which are currently registered to a script's session. Analogous to the old $HTTP_SESSION_VARS array (which is still available, but deprecated).

example: $_SESSION['login'] = true;


I hope that after reading this topic, nobody will ever forget this again.


Andries



- Andries Seutens
- Freelance PHP Programmer
- Visit my portfolio: http://andries.systray.be
- Web programming is science, where web design is art ...
Doug Anarino
« Reply #1 on: 07/29/04, 08:39 »

Indeed, this new security feature has broken countless sites! Many scripts break because they need to accept variables from both a GET and POST operation. A quick fix is to extract both the HTTP_POST_VARS and HTTP_GET_VARS into the current scope:

extract(array_merge($GLOBALS['HTTP_POST_VARS'], $GLOBALS['HTTP_GET_VARS']));

Keep in mind that this will only make these variables global if called in the global scope. Otherwise the variables only exist in the current scope.
Musicman
« Reply #2 on: 07/29/04, 14:48 »

In some cultures - and at some times - people would trust each other, and so houses often had no (or just simple) locks.
Today, with so many burglars around, someone had the idea that all new houses should have strong locks right from the start
... and you are suggesting not to lock the door at all because the strong lock is inconvenient?

There are a few ways to "fix" every script with just a line of code or two, but all of them simply undo the security enhancements. The proper way is to explicitly specify all the vars you are expecting from the web.

Musicman
Doug Anarino
« Reply #3 on: 07/29/04, 16:31 »

Well, there's nothing inherently insecure about the line of code I posted, nor even with having register globals turned on. If your script is written well, you can safely let hackers 'pollute' your global variable space without fear. By well written I simply mean that you initialize all the variables you use - it's that simple.

I posted my suggestion because many people just turn register globals back on immediately after upgrading PHP, when faced with the daunting task of rewriting mounds of code. I wanted to point out a simple way to get that functionality back without actually enabling this potentially dangerous option. This is also a great way to move a block of code from the global space into a function (where it should be) without actually rewriting it. It may be bad coding style, but it works and doesn't automatically pose a security risk.


Garrett Bauer
« Reply #4 on: 09/26/04, 23:22 »

Hello,

I've used both $_GET and $_POST numerous times in scripts using PHP, and I've often used them interchangeably. I was just wondering if anyone could tell me the EXACT difference between the two, and when I should specifically use one or the other?


MAKE THE ZipCode  TRANSLATE to the City, AND MAKE City DISPLAY DAMNIT!!!!!!!!!!!!!!!
Andries Seutens
« Reply #5 on: 09/27/04, 03:51 »

$_GET = used when form method="GET"
$_POST = used when form method="POST"
$_REQUEST can also be used, then you don't have to mind the form method

Good luck
Japheth
« Reply #6 on: 11/22/04, 00:22 »

Also, $_GET is the array that will contain any variables parsed from the URL.

For example, if you were to go to a website with the URL:
Code:
http://www.nowherereal.com/index.php?gname=john&surname=citizen&pin=1234

in your PHP document you would have three $_GET variables, $_GET['gname'], $_GET['surname'] and $_GET['pword'] all equalling what it looks like they might be equalling ('john', 'citizen' & '1234' respectively).

This is probably one of the main reasons they changed the default setting for register_globals. If someone figured out what variable you used, or if they could plainly see it in the URL string, then they could change it to whatever they like and potentially do damage by possibly even diverting your page to run nasty code or running nasty database queries etc. But anyways, the why is a little irrelevant; they deemed it necessary so now it's done. What you must consider though, is that if they thought it was worth changing that one little thing, maybe there's a reason not to change it back?

Poor666
« Reply #7 on: 12/20/04, 22:00 »

Hi everyone

I have the same problems with a new server: register globals is off and I need to change a lot of code :(

So here is a tip to solve a big part of the problem.

Insert these lines every time you write a new PHP file.


// Need if register_globals are off

if(isset($HTTP_GET_VARS)){
 while(list($var, $val)=each($HTTP_GET_VARS)){
   $$var=$val;
 }
}

if(isset($HTTP_POST_VARS)){
 while(list($var, $val)=each($HTTP_POST_VARS)){
   $$var=$val;
 }
}

if(isset($HTTP_COOKIE_VARS)){
 while(list($var, $val)=each($HTTP_COOKIE_VARS)){
   $$var=$val;
 }
}

if(isset($HTTP_SERVER_VARS)){
 while(list($var, $val)=each($HTTP_SERVER_VARS)){
   $$var=$val;
 }
}

// *******************************


Then you can use variables the same way that I used them in the past.
You don't need to use $_GET['vari'], just $vari.

But I have one problem.

I have an array like this:

$P['hiperball/scripts/files_jpg/'] = "c:\images\uploads\bigimage.jpg";

So, if I have this array in the URL I can get this value with:



foreach ($_GET['P'] as $key => $value) {
   echo $key. "<br>";
   echo $value. "<br>";
   echo "<br>";
   }

OR

foreach ($P as $key => $value) {
   echo $key. "<br>";
   echo $value. "<br>";
   echo "<br>";
   }



But I can't get this value with the POST method.

Can anyone help me?
vesa kortelainen
« Reply #8 on: 12/22/04, 15:21 »

Please copy your question and post it as a new subject. This thread was meant to be an ~info~ about "PHP Register Globals".
saumya
« Reply #9 on: 02/08/05, 02:28 »

A very good post. At least for me it's a very helpful topic as I am a beginner and just downloaded PHP 5 and started with it. But the book I follow is for PHP 4, so at first it gave me a lot of problems while reading variables from a form. I even got to know that it's up to us how the PHP engine will behave. We can turn register globals on or off, so that the PHP engine will behave accordingly.

Again I will agree to the fact that we should put register globals to off, as a best practice and less prone to hack.

Thank you Andries for the post.
till
« Reply #10 on: 05/13/05, 03:38 »

foreach ($_GET as $key => $value) {
    $varname = $key;
    $$varname = $value;
}
foreach ($_POST as $key => $value) {
    $varname = $key;
    $$varname = $value;
}

till.
Musicman
« Reply #11 on: 05/15/05, 04:13 »

Hi,

The register_globals off policy was invented to prevent attacks on web scripts with certain errors. The script just posted restores that situation.
If there are lots of variables, you should rather make a list of all vars that the script actually expects (sort of documenting the script :) on the way) and add
$getvars = array("action", "email", ...);
foreach($getvars as $var)
  if(isset($_GET[$var]))
     $$var = $_GET[$var];
and the same for POSTed vars.

Musicman
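
Added example, not code from any poster in this thread: it runs the blanket import from the earlier replies (the extract() call and the $$var loops) next to the explicit variable list described in Reply #11, on the same constructed request. The function names, the $request array and the $passwordOk parameter are hypothetical.

```php
<?php
// Added illustration; function names and the request array are constructed.
// Stands in for $_GET on page.php?action=view&authorized=1&uid=0
$request = ['action' => 'view', 'authorized' => '1', 'uid' => '0'];

// Blanket import: the effect of register_globals = On and of the
// extract()/$$var loops. extract() defaults to EXTR_OVERWRITE.
function blanket_import(array $request, bool $passwordOk): array
{
    $uid = 42;                     // set by the script before the import
    extract($request);             // request data replaces $uid
    if ($passwordOk) {
        $authorized = true;        // the script's only assignment to the flag
    }
    return ['uid' => $uid, 'authorized' => !empty($authorized)];
}

// Same import with EXTR_SKIP: existing variables survive, so it is safe
// only if every variable the script reads was initialized first.
function skip_import(array $request, bool $passwordOk): array
{
    $uid = 42;
    $authorized = false;
    extract($request, EXTR_SKIP);
    if ($passwordOk) {
        $authorized = true;
    }
    return ['uid' => $uid, 'authorized' => $authorized];
}

// Allowlist import: only names the script declares are copied in.
function allowlist_import(array $request, bool $passwordOk): array
{
    $expected = ['action'];
    $uid = 42;
    $authorized = $passwordOk;
    $action = null;
    foreach ($expected as $name) {
        if (isset($request[$name]) && is_string($request[$name])) {
            $$name = $request[$name];
        }
    }
    return ['uid' => $uid, 'authorized' => $authorized, 'action' => $action];
}

foreach (['blanket_import', 'skip_import', 'allowlist_import'] as $fn) {
    echo $fn, ': ', json_encode($fn($request, false)), PHP_EOL;
}
```

With the constructed request and a failed password check, only the blanket import lets the request set the authorization flag and replace $uid.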
AsiaAleandri
« Reply #12 on: 05/20/11, 13:57 »

1) Find your php.ini file (normally in the directory in which PHP is installed).
2) Open it in Notepad.
3) Find the following line:

register_globals = Off

4) Change it to

register_globals = On

Jorge Solis
« Reply #13 on: 05/20/11, 16:14 »

Hi AsiaAleandri

Thanks for the tip, but take into account that this thread is from 2005, so always keep an eye on the date of a post, since old ones were probably already solved.

Jorge