Using Register Globals in PHP

register_globals is used whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables in php.
When on, register_globals will inject your scripts with all sorts of variables, you  really don’t know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users.
example of misuse of register_globals:
<?php
// define $authorized = true only if user is authenticated

if (authenticated_user()) {

$authorized = true;

}
// Because we didn't first initialize $authorized as false, this might be

// defined through register_globals, like from GET auth.php?authorized=1

// So, anyone can be seen as authenticated!

if ($authorized) {

include "/highly/sensitive/data.php";

}

?>
When register_globals = on, our logic above may be compromised. When off, $authorized can’t be set via request. it is generally a good programming practice to initialize variables first. For example,  $authorized = false.
Please note that register_globals cannot be set at runtime (ini_set()). Although, you can use .htaccess if your host allows it as described above.
An example .htaccess entry: php_flag register_globals off.

Comments

Popular posts from this blog

111 Most Useful Websites on the Internet

How to call php functions inside smarty template directly

How to improve PHP web performance