  1. #1
    Regular Coder

    Investigating Register Globals (off)

    After reading about how having Register Globals turned off can increase security, etc. I have been playing around on my localhost.

    I notice that by having RG off and (for example) then putting extract($_GET) at the top of a 00.php you ban any use of 00.php?user=jim which is very easily forged, you also completely hide the names of the variables (browsers will not even know the $user variable exists). Great! - access is restricted to information passed using the GET method.

    This is easy enough to apply when using forms, simply use method=get but what if I was trying to replace a simple text link such as 00.php?page=9? When RG was on this was easy enough to use but now that this use is banned, what is the method for passing variables through to a page with a simple text link?

    I am relatively new to a lot of the more complex workings of PHP and am interested in any thoughts and tricks regarding this feature.

    Cheers
    eTheory - the theory of revolution

  • #2
    Registered User
    I don't think anything has changed, but from the look of the link you showed as an example I think you have things a bit wrong.

    example.php?option=value&anotheroption=value&blah=this

    I think I would be right in saying that it is recommended for links to use &amp; as opposed to just &.

    then these would be available to PHP via $_GET

  • #3
    Supreme Overlord Spookster's Avatar
    I think you are a bit confused. Register Globals has nothing to do with whether or not you can use GET or POST methods. What it has to do with is how you access the GET or POST data.

    With register globals off you can access a GET or POST value by simply creating a variable with the same name. Although that was really not a good idea for both security and proper programming habits. The proper way was to access it like so:

    $itemname = $HTTP_POST_VARS["itemname"];
    $itemname = $HTTP_GET_VARS["itemname"];


    which now with register globals off you access the value like so:

    $itemname = $_POST["itemname"];
    $itemname = $_GET["itemname"];
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster
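
Added example, not part of any post in this thread: it contrasts the `extract($_GET)` pattern from post #1 with explicit, validated `$_GET` access as in post #3, and builds the kind of plain text link asked about. The `$is_admin` flag, the `sort` parameter, the function names and the request values are constructed for illustration.

```php
<?php
// Constructed request data standing in for 00.php?page=9&is_admin=1
$_GET = ['page' => '9', 'is_admin' => '1'];

// Pattern from post #1: extract() recreates register_globals behaviour,
// so any query-string key can replace a local variable of the same name.
function render_with_extract(array $query): string
{
    $is_admin = false;   // hypothetical flag set by the application
    extract($query);     // default EXTR_OVERWRITE replaces $is_admin
    return sprintf('page=%s admin=%s', $page ?? 'none', $is_admin ? 'yes' : 'no');
}

// Explicit access: read only the key the page expects and validate it.
function render_explicit(array $query): string
{
    $is_admin = false;   // cannot be touched by the request
    $page = filter_var(
        $query['page'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999]]
    );
    if ($page === false) {
        $page = 1;       // missing or malformed value falls back to page 1
    }
    return sprintf('page=%d admin=%s', $page, $is_admin ? 'yes' : 'no');
}

// A plain text link still carries its values in the query string;
// htmlspecialchars() turns the & separator into &amp; for the HTML output.
function page_link(int $page): string
{
    $href = '00.php?' . http_build_query(['page' => $page, 'sort' => 'date'], '', '&');
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">Page ' . $page . '</a>';
}

echo render_with_extract($_GET), PHP_EOL;
echo render_explicit($_GET), PHP_EOL;
echo page_link(9), PHP_EOL;
```

With register_globals off, the link 00.php?page=9 works exactly as before; only the way the script reads the value changes.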

  • #4
    Regular Coder
    Thanks a lot for your thoughts... seems that things are not exactly as I was thinking... I am investigating further
    eTheory - the theory of revolution

