Investigating Register Globals (off)

04-11-2003, 02:53 PM
After reading about how having Register Globals turned off can increase security, etc. I have been playing around on my localhost.

I notice that by having RG off and (for example) then putting extract($_GET) at the top of a 00.php you ban any use of 00.php?user=jim which is very easily forged, you also completely hide the names of the variables (browsers will not even know the $user variable exists). Great! - access is restricted to information passed using the GET method.

This is easy enough to apply when using forms, simply use method=get but what if I was trying to replace a simple text link such as 00.php?page=9? When RG was on this was easy enough to use but now that this use is banned, what is the method for passing variables through to a page with a simple text link?

I am relatively new to a lot of the more complex workings of php and am interested in any thoughts and tricks regarding this feature.


04-11-2003, 05:30 PM
I don't think anything has changed but from the look of the link you showed as an example I think you have things a bit wrong.


I think I would be right in saying that it is recommended for links to use &amp; as opposed to just &.

then these would be available to PHP via $_GET

04-11-2003, 05:57 PM
I think you are a bit confused. Register Globals has nothing to do with whether or not you can use GET or POST methods. What it has to do with is how you access the GET or POST data.

With register globals off you can access a GET or POST value by simply creating a variable with the same name, although that was really not a good idea for both security and proper programming habits. The proper way was to access it like so:

$itemname = $HTTP_POST_VARS["itemname"];
$itemname = $HTTP_GET_VARS["itemname"];

which now with register globals off you access the value like so:

$itemname = $_POST["itemname"];
$itemname = $_GET["itemname"];
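An added example (not code from the thread) putting the two replies together: the `page` value from a plain text link like 00.php?page=9 is read explicitly from $_GET and validated before use, the form field is read from $_POST, and the link itself is built with the & written as &amp; inside the HTML. The helper names pageFromQuery, itemnameFromPost and pageLink are hypothetical; $_GET and $_POST are the superglobals named in the reply above.

```php
<?php
// Added example, not from the thread. With register_globals off nothing is
// created automatically from the request; the values live only in $_GET and
// $_POST, so the script reads them from there by name and validates them.
declare(strict_types=1);

// Read ?page=9 from the query string. Anything that is not a small positive
// integer falls back to page 1 rather than being trusted (hypothetical helper).
function pageFromQuery(array $get): int
{
    $page = filter_var(
        $get['page'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 9999]]
    );
    return ($page === false || $page === null) ? 1 : $page;
}

// Read a form field submitted with method=post (hypothetical helper).
function itemnameFromPost(array $post): string
{
    $raw = $post['itemname'] ?? '';
    return is_string($raw) ? trim($raw) : '';
}

// Build a plain text link carrying GET parameters. http_build_query()
// percent-encodes the values and htmlspecialchars() turns the separating &
// into &amp;, which is the point raised in the first reply (hypothetical helper).
function pageLink(string $script, array $params): string
{
    $href  = $script . '?' . http_build_query($params);
    $label = (string) ($params['page'] ?? '');
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample input standing in for a real request.
$sampleGet  = ['page' => '9', 'user' => 'jim'];
$samplePost = ['itemname' => '  widget '];

echo pageFromQuery($sampleGet), "\n";
echo itemnameFromPost($samplePost), "\n";
echo pageLink('00.php', ['page' => 9, 'user' => 'jim']), "\n";
```

The script can be saved as 00.php and called with ?page=9 directly; the value is available through $_GET whether register_globals is on or off, which is the distinction the reply above draws.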

04-12-2003, 01:41 PM
Thanks a lot for your thoughts... seems that things are not exactly as I was thinking... I am investigating further :thumbsup: