• Index
  •  » Articles
  •  » Programming on PHP and register_globals

Programming on PHP and register_globals

Programming on PHP and register_globals

register_globals parameter value has been “On” till the version PHP 4.2.0. The major part of programmers used that opportunity for coding simplification.

One of the main advantages of PHP is its simplicity. PHP allows inserting some fragments of the code to the HTML markup.

PHP and c++ syntaxes similarity, plenty of documentation and examples make first steps in programming enough simple. But recent innovation perplexed beginners. Starting with php 4.2.0 register_globals parameter value became “Off”.

Why has it happened? Developers decided that that innovation would make code safer and more reliable. Now you have to pay attention to all the data received by user.

Ways of data reception to PHP-script

Experienced programmers who faced with GET / POST query data and worked with environment variables can consider that issue unnecessary.

Variables in PHP appear because of many reasons. For example you can create variable yourself having written $var = 'value'.

Address line

It is one of the most widespread ways of data transfer.

  • Scheme defines the protocol used by client or server. Http and https are the most widespread protocols.
  • User and password. If it is necessary data for Basic-authorization can be transmitted as a part of the address line.
  • Host. It is IP address or domain name of the server where requested document is situated.
  • Port. TCP/IP port of the server. Default value is: 80 for http and 43 for https
  • Path. Path to the requested document
  • Query. Query data
  • Fragment. Anchor indication situated in the HTML markup.

We are interested in that part of the address line where variables are transferred. If register_globals is “On” script.php script initializes the global variables $var = 'val' and $foo = 'bar' automatically.

Every time when any variables are transferred in the address line php automatically creates a global hash array $HTTP_GET_VARS. In our example that array will have the following form: $HTTP_GET_VARS = array ('var' => 'val', 'foo' => 'bar');

Starting with PHP 4.1.0 hash array $_GET has the same values as $HTTP_GET_VARS.

Forms are another method of the information transfer. Let’s view the example:

When user clicks the “Send” button browser sends to the script.php script POST-query.

Values of the input elements will be transferred in the query body. If register_globals is “On” script.php script initializes the global variable $foo = 'bar' automatically.

Analogously to GET-query global hash array $HTTP_POST_VARS includes all variables transferred by browser. In our case it will have the following form: $HTTP_POST_VARS['foo'] = 'bar'.

Starting with PHP 4.1 hash array $_POST has the same data.

Cookies

Developers have been thinking about saving the condition while changing the pages by user for realization the interaction dialogue. Just so there appeared Cookie technology that allows saving some information on the client disk and extracting it for its further processing. The example of the code is as follows:


<?php 
/* Set Cookie for 1 day */ 
setcookie("foo""bar"time()+86400""$HTTP_HOST);  

Notice: if register_globals = 'off' use $_SERVER['HTTP_HOST' instead of $HTTP_HOST. All set Cookies inside one domain can be used in the global associative hash array $HTTP_COOKIE_VARS and in the superglobal hash array $_COOKIE.

Environment variables of the server

Operating system environment has a lot of variables that can be used in the script writing. For example it can be used for defining the script name or name of the called query. For accessing these variables PHP creates $HTTP_ENV_VARS and $HTTP_SERVER_VARS hash arrays. Starting with PHP 4.1 there are accessible such hash arrays as $_ENV and $_SERVER.

Superglobal arrays use

As usual any variable used in side the function is situated in its local namespace. It means that if we want to call the global variable $HTTP_GET_VARS we should write global $HTTP_GET_VARS.

Superglobal variables are exceptions from that rule. You can use variables $_GET, $_POST, $_COOKIE, $_ENV, $_SERVER and $_SESSION anywhere. Also there are such array as $_REQUEST that includes everything sent by user, namely arrays $_GET, $_POST and $_COOKIE.

Notice: you can’t use a variable links to the superglobal arrays. The following code is not working:

<?php  
    function foo($var)   
    {  
        $sg "_GET";  
        return ${$sg}[$var];  
    }  
?>

Function foo() doesn’t return presumptive data from the superglobal array $_GET.

Coding peculiarities

From considerations of safety and other reasons I decided to write the function that culd simplify the standard changing.

<?php  
    /**  
     *  return a value from the global arrays  
     *  
     *  @author   Jason E. Sweat  
     *  @since    2002-02-05  
     *  @param    string    $varname  
     *                      the name of the variable to register  
     *  
     *  @param    string    $defval    optional  
     *                      the value to return if not found  
     *  
     *  @return   string    the value of the variable if  
     *                      registered, else the default  
     */  
    function register($varname$defval=NULL)  
    {  
        if (array_key_exists($varname$_SERVER)) {  
            $retval $_SERVER[$varname];  
        } elseif (array_key_exists($varname$_COOKIE)) {  
            $retval $_COOKIE[$varname];  
        } elseif (array_key_exists($varname$_POST)) {  
            $retval $_POST[$varname];  
        } elseif (array_key_exists($varname$_GET)) {  
            $retval $_GET[$varname];  
        } elseif (array_key_exists($varname$_ENV)) {  
            $retval $_ENV[$varname];  
        } else {  
            $retval $defval;  
        }  

        return $retval;  
    }  
?>  

That function allows registering variable that you want to use in the script. You have to write: $mode = register('mode'). Returned by that function result is just the same as variable could have when register_globals=On. That function allows indicating the default value of the variable if it isn’t set in any array.

Nevertheless that function has one little disadvantage: it always initialize called variable by any value. Some fragments of my code used checking by means of function isset, that’s why I changed function a little.

<?php  
    /**  
     *  set a global variable if the specified get  
     *  or post var exists  
     *  
     *  @author   Jason E. Sweat  
     *  @since    2002-04-25  
     *  @param    string    $test_vars  
     *                      the array of the vars to  
     *                      register, will accept a string  
     *                      name for a single var as well  
     *  
     *  @global             the variable, if it is set  
     */  
    function getpost_ifset($test_vars)  
    {  
        if (!is_array($test_vars)) {  
            $test_vars = array($test_vars);  
        }  
          
        foreach($test_vars as $test_var) {  
            if (isset($_POST[$test_var])) {  
                global $$test_var;  
                $$test_var $_POST[$test_var];  
            } elseif (isset($_GET[$test_var])) {  
                global $$test_var;  
                $$test_var $_GET[$test_var];  
            }  
        }  
    }  
?> 

That function as a parameter gets the array of variables’ names which you’d like to make “global”. If called variable is situated in the $_GET or $_POST arrays it will be initialized correspondingly.

That function is very useful for creating a form handler, you can initialize all variables without any problems:

getpost_ifset(array("username", "password", "password2"));


 

  • Top