Friday, January 8, 2010

PHP coding question?

What is 'Register Globals' in PHP, and why shouldn't it be used?
First of all, register globals means that any values submitted to the PHP script either through GET or POST will be assigned as a standard PHP variable. For example if you requested a page test.php?myvariable=1 then your PHP script will automatically load with a variable $myvariable set with the value 1.





If register globals is turned off then the above does not occur and the only way to access the parameters that were sent to the script would be through $_GET, $_POST or $_REQUEST which are defined as associative arrays. So for the previous example you could access the parameter value through $_GET['myvariable'] or $_REQUEST['myvariable']. For your information $_REQUEST combines both $_GET and $_POST.





Turning register globals off promotes good programming practice as the developer should know (in advance) which parameters should be sent to the script, and therefore know what to do with the parameters. This means that there is no problem using $_GET, $_POST and $_REQUEST variables as the programmer knows what they are expecting and can therefore either access the parameter values directly or assign them to a standard php variable if required.





The security issues that may occur by turning register globals on are that the users of your script can assign whatever values they like to any parameter (known or unknown) and these values will be registered in your application. An example of where this could be exploited could be the use of a $logged_in variable, which you may set to either true or false. If a user could guess this variable correctly then they could change the value of this variable by simply adding logged_in=true to the end of the query string. e.g. test.php?username=test&logged_in=true - which in a poorly implemented application could set the user as 'test' and make the script believe the user is logged in.





In conclusion, register globals should be turned off in order to promote good programming practices. There is no circumstance where register globals is a necessity; it simply leads to lazy and poor programming practices that will make your code harder to maintain, with the added risks of security breaches.





It is also likely that in a future release of PHP the register globals option will be removed, therefore it is best to write your code to work without this function sooner rather than later.





Hope this helps.
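The `logged_in=true` case from the answer above, shown beside a version that reads only the parameters it expects. This is an added example, not part of the original answer: `extract()` stands in for the `register_globals` setting, and the function names and session contents are hypothetical.

```php
<?php
// Constructed sample input: the query string of
// test.php?username=test&logged_in=true from the answer above.
parse_str('username=test&logged_in=true', $request);

// BEFORE: extract() imports every request parameter as a local variable,
// which is what register_globals = On did for the whole script.
function handle_with_register_globals(array $request): string
{
    extract($request); // $username and $logged_in now come from the URL

    // The script never initialises $logged_in itself, so the value
    // supplied in the query string is the only value it ever has.
    if (!empty($logged_in)) {
        return "welcome $username";
    }
    return 'please log in';
}

// AFTER: request data is read explicitly from the array, and the login
// state comes only from server-side session data.
function handle_without_register_globals(array $get, array $session): string
{
    $logged_in = ($session['logged_in'] ?? false) === true;

    // Only the one expected parameter is read, and it is validated.
    $username = $get['username'] ?? '';
    if (!is_string($username)
        || preg_match('/^[A-Za-z0-9_]{1,32}$/', $username) !== 1) {
        return 'bad request';
    }

    // The displayed identity is the authenticated one, not the URL value.
    return $logged_in ? "welcome {$session['username']}" : 'please log in';
}

// Same request, three outcomes: forged flag accepted, forged flag ignored,
// and a real session (constructed) honoured.
echo handle_with_register_globals($request), PHP_EOL;
echo handle_without_register_globals($request, []), PHP_EOL;
echo handle_without_register_globals(
    $request,
    ['logged_in' => true, 'username' => 'alice']
), PHP_EOL;
```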
Register Globals means that all your variables (and their values) can be used across all your pages. It shouldn't be used as turning it on will create a security issue, allowing unethical hackers to insert their own variables, which could allow them full access to your code/database.
It puts everything that you would find in the $_GET and $_POST superglobals into plain old variables.





It allows anyone to add new variables to the page just by editing the URL.





It isn't a problem by itself, but combined with less than very stringent coding practices, it can lead to security holes.
This will explain it better than anybody can....





http://us.php.net/register_globals
