I told you earlier about the PHP5 upgrade. I will go deeper into the register_globals feature and some of the issues around it.
The register_globals feature is off by default in PHP5 (and has been since PHP 4.2.0); it was deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0, so the long-announced removal did not wait for a "PHP6" release. Relying on this feature is highly discouraged.
The most controversial change in PHP was when the default value for the register_globals directive went from ON to OFF in PHP 4.2.0. Reliance on this directive was quite common, and many people didn't even know it existed and assumed that was just how PHP works. This feature caused me a lot of trouble when migrating to PHP5, as I had to discover why my variables didn't pass from one page to another anymore. When on, register_globals injects your scripts with all sorts of variables: every GET, POST, cookie, session and server variable becomes a plain PHP variable before the first line of your code runs, so a request such as script.php?authorized=1 predefines $authorized for you. Coupled with the fact that PHP doesn't require variable initialization, this makes writing insecure code that much easier: any variable your script reads before assigning it can be supplied by the client.
Of course, simply turning off register_globals does not mean your code is secure. Every piece of submitted data should still be checked in other ways. Always validate your user data and initialize your variables! To catch uninitialized variables, raise error_reporting() to include E_NOTICE-level errors (error_reporting(E_ALL) does this). I really have to do this with my scripts.
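The two paragraphs above describe the hazard in the abstract; the script below shows it concretely. It is an added example, not code from the original post: a constructed POST array (with an extra "authorized" field the form never had) is run through an authorization check written the way register_globals-era code often was, and then through a hardened version that initializes its variables, reads only the expected field from the request array, and whitelists its value. The function names and the "admin" username are invented for the illustration; extract() is used only to reproduce what register_globals used to do automatically.

```php
<?php
// Added example (not from the original post): the register_globals hazard
// and its fix, driven by constructed request data instead of a real POST.
declare(strict_types=1);

// Surface reads of uninitialized variables, as recommended above.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Constructed input: the form only has a "user" field, but nothing stops a
// client from adding any field it likes to the request.
$_POST = ['user' => 'alice', 'authorized' => '1'];

// --- Vulnerable pattern -------------------------------------------------
// With register_globals=On, PHP created $user and $authorized from the
// request before this code ran. extract() reproduces that here; calling
// extract() on a request array is the same bug written by hand.
function vulnerable_check(array $request): bool
{
    extract($request);                 // $authorized = '1' appears out of thin air
    if (isset($user) && $user === 'admin') {
        $authorized = true;            // the only assignment the author intended
    }
    // $authorized was never initialized by this code, so the injected
    // value is what gets returned.
    return (bool) $authorized;
}

// --- Hardened pattern ---------------------------------------------------
function hardened_check(array $request): bool
{
    $authorized = false;               // always initialize first

    // Read only the field you expect, and only if it has the type you expect.
    $user = (isset($request['user']) && is_string($request['user']))
        ? $request['user']
        : '';

    // Validate against a whitelist of what a username may look like.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $user)) {
        return false;
    }

    if ($user === 'admin') {
        $authorized = true;
    }
    return $authorized;                // unaffected by any extra request fields
}

var_dump(vulnerable_check($_POST));
var_dump(hardened_check($_POST));
```

Run it with php on the command line: the vulnerable check returns true for "alice", because the injected "authorized" field survives into the return statement, while the hardened check returns false. Removing the $authorized = false; line from the hardened version and running with E_ALL would make PHP report the uninitialized read, which is exactly the notice the post suggests turning on.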
Consider the following HTML form:
<form method="post" action="action.php">
<input type="text" name="user">
<input type="submit" value="Send">
</form>
With register_globals enabled, action.php can read the value of the "user" control like this:
echo "The value of the \"user\" field is $user";
With register_globals disabled, the $_POST superglobal array must be used instead:
echo "The value of the \"user\" field is " . $_POST['user'];
(In real code the value should also be passed through htmlspecialchars() before being echoed into HTML, whichever way it was read.)
Quick Tip: Use $_POST['user'] (or $_GET['user'], depending on the form's method) instead of $user. Use the following sequence to capture variables from a previously posted form:
$variable1 = $_POST['variable1'];
$variable2 = $_POST['variable2'];
$variable3 = $_POST['variable3'];
Read from $_GET instead when the form is submitted with method="get". Name each field you expect explicitly; do not bulk-copy the request array into variables (for example with extract()), or you recreate the register_globals problem by hand.