Tutorial :Dealing with register_globals



Question:

I am not sure whether this would be good to be marked as community wiki, but anyway:

Is there an easy way to kill the register_globals? I'm working on a PHP Framework and right now, I just set the script to terminate if register_globals is On. Although I prefer to force people to disable it, there are servers that still have that on.

I know that in PHP 5.3.0 register_globals is deprecated and in PHP 6 it will be completely removed, but it is always a good thing to deal with it while it is still here.

I saw some ways, and I'm currently thinking on using this:

  $temp = array_merge($_GET, $_POST, $_COOKIE);  foreach($temp as $k => $v) {      if(isset($$k)) unset($$k);  }  

There are some problems over here, though. It is resource incentive, specially when there's a lot of input data. I am not sure whether disabling it on runtime would work, for example:

ini_set('register_globals', 'Off')  

Is there a better way that I haven't heard of to get rid of register_globals? Thanks.


Solution:1

There are methods of dealing with register_globals described in the PHP manual. The register_globals ini setting can't be set at runtime by ini_set(), so if you can't do it with an .htaccess or web server configuration file, the method provided there would be the official workaround.

It basically provides this snippet of code to emulate compatibility:

<?php  // Emulate register_globals off  function unregister_GLOBALS()  {      if (!ini_get('register_globals')) {          return;      }        // Might want to change this perhaps to a nicer error      if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {          die('GLOBALS overwrite attempt detected');      }        // Variables that shouldn't be unset      $noUnset = array('GLOBALS',  '_GET',                       '_POST',    '_COOKIE',                       '_REQUEST', '_SERVER',                       '_ENV',     '_FILES');        $input = array_merge($_GET,    $_POST,                           $_COOKIE, $_SERVER,                           $_ENV,    $_FILES,                           isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());        foreach ($input as $k => $v) {          if (!in_array($k, $noUnset) && isset($GLOBALS[$k])) {              unset($GLOBALS[$k]);          }      }  }    unregister_GLOBALS();    ?>  


Solution:2

You could add php_flag register_globals off to your .htaccess file, although not all servers accept this. So if you're planning to publish your framework, it might not be a good idea.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »