Will someone school me on Register_Globals

09-21-2005, 08:47 PM
So... In my short 2 month learning curve I've learned a lot of necessities of php development including form-handling, general mysql interaction, dynamic urls, mail functions, an intro to arrays and many other nifty things that have made my life much easier.

Today I was shocked when someone pointed out that I'd been working with register_globals ON :(. I checked my phpinfo() and sure enough they were right. I'd somehow missed this important chapter in PHP. I've come across the term from time to time but didn't think much of it.

Well - I'd like to know what I need to go back and look at.

From a few googles and digging the forum I've learned that register_globals can be turned off by .htaccess. Also I'll have to set all my variables with $_GET or $_POST from a URL (explains the ISSET function ;) )

I've looked at the php manual but it doesn't really get the point across to me.

What else should I be sure to look at.

09-21-2005, 10:48 PM
i assume you have read the manual page on Using Register Globals (http://www.php.net/manual/en/security.globals.php)? you basically need to examine your code and see how/where you are using any data that is coming from the outside world (GET/POST/COOKIE). you should also read the manual section on User Submitted Data (http://www.php.net/manual/en/security.variables.php).

09-22-2005, 09:06 PM
I've been attempting to create a .htaccess file with the contents:

php_flag register_globals off

To turn my reg_glob off. I'm on Mac OS 10.4 and using TextWrangler and after uploading and checking my phpinfo() my register_globals are still ON :(.

I've only once successfully created a .htaccess file so it's very new to me.

TextWrangler is a stripped down text editor that I've heard a lot of people use for this. What could I be doing wrong?

09-22-2005, 09:43 PM
Today I was shocked when someone pointed out that I'd been working with register_globals ON :( .
What a coincidence. I'm sure I said somthing like that to someone not too long ago...

Anyways... register_globals is On on many servers. It doesn't really have to be off for your script to be secure. You just have to be sure you don't use any undeclared variables. register_globals registers (wow) all variables passed by a form, cookie and query string as normal variables. If you haven't set them a value yourself they can get a value from the "outside" which can make your script run in an unpredictable way.
To be sure you know where your variables come from you should use the superglobal arrays (_GET, _POST, _COOKIE and _REQUEST, which is the first 3 combined).
To be absolutely sure register_globals doesn't register any unwanted variables you can unset them with this code:

// Place at the top of your code.
if (@ini_get('register_globals'))
{
    // Every key in the request has been registered as a global variable;
    // drop each of those globals so only values you assign yourself remain.
    foreach ($_REQUEST as $var_name => $void)
    {
        unset($$var_name);
    }
}

This is how phpBB unsets these variables.

09-23-2005, 10:51 AM
Register globals don't even need to be unset to ensure security, so long as you're not using them. Personally, I'd unset them as well to preserve precious, precious memory.
Code your script with error_reporting of at least E_NOTICE. Any notice you will receive will usually inform you of uninitialized variables.
Take an example: http://site.com/script.php?id=1

$query = "SELECT * FROM table WHERE id = '" . $id . "'";
// Works with register_globals on; with it off, $id is undefined and PHP raises an E_NOTICE

if (isset($_GET['id']))
    $id = $_GET['id'];
$query = "SELECT * FROM table WHERE id = '" . $id . "'";
// Works either way, no notice, as $id has been initialized

Obviously you don't want to use what I have above, as that is about as secure to a hacker as a mousehole is to a mouse. But the point is, if you initialize all variables to use, and validate accordingly, having register_globals on doesn't really matter, so long as you don't make use of them.
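As an added example (not code posted by anyone in this thread), here is the script.php?id=1 lookup from the post above written so it behaves identically with register_globals on or off: every variable is initialized, input is read only from a superglobal, validated, and bound as a query parameter. The $mysqli connection and the "items" table with columns "id" and "title" are assumptions.

```php
<?php
// Added example (not code posted in this thread): the script.php?id=1 lookup
// rewritten so it behaves the same whether register_globals is on or off.
// Assumptions: $mysqli is an open mysqli connection and the table is
// "items" with integer column "id" and text column "title".

// Return the named request value as a positive integer, or null if it is
// missing or not purely digits. Reading only from the superglobal means a
// register_globals-created $id can never stand in for it.
function get_int_param(array $source, $name)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    // ctype_digit rejects signs, spaces, quotes and anything else that
    // could change the meaning of a query built from the value.
    if ($source[$name] === '' || !ctype_digit($source[$name])) {
        return null;
    }
    return (int) $source[$name];
}

// Look up one row with a bound parameter so the id never becomes SQL text.
function find_item(mysqli $db, $id)
{
    $stmt = $db->prepare('SELECT id, title FROM items WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($row_id, $title);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? array('id' => $row_id, 'title' => $title) : null;
}

// Initialize every variable before use; with register_globals on, an
// uninitialized $id or $item would otherwise start out as whatever the
// request supplied.
$item = null;
$id = get_int_param($_GET, 'id');
if ($id === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('missing or invalid id');
}
$item = find_item($mysqli, $id);
```

Running with error_reporting(E_ALL) as suggested above will confirm that no variable in this script is ever read before it is assigned.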