gotFusion.com....... Where your adventure begins
PHP is an evolving language. Part of that evolution, as with any web technology, is the plugging of security holes. This article addresses one of those security topics: the "register_globals" directive in the php.ini file.

The php.ini file contains a number of settings and directives that control the way the PHP engine interacts with web pages, the web server and the server environment. As a web designer, you rarely have control over those settings. Unless you own your own server, they're set by the web server administrator at your ISP. However, in many cases the settings determine how your PHP code will be executed, so understanding how they affect your coding is obviously important.

For the moment, we're concerned with the "register_globals" directive and how it determines the way form variables are referenced in the server environment. The directive itself has been around for quite some time. In early versions of PHP 4, it was set to "On". Starting with PHP 4.2.0, it is set to "Off" by default.

Why the change? For added security. When a form is submitted, the values of the input fields on the form are passed as variables to the receiving script or page named in the form action. With register_globals turned on, those variables may be referenced by their short form.

For example: $shortform.

This form is really convenient because, well, it's short. However, it also makes it easy for an attacker to fake the information by passing their own input to your scripts (the form action). Your script has no way of knowing whether the input came from your form or from another source, and with register_globals on, any variable your script leaves uninitialized can be supplied by the request instead of by your code.

Accessing Form Variables with Register Globals OFF

With this setting, form variables may be referenced as members of an array. There are some options here as well. Remember that evolution thing?

Prior to PHP 4.1.0, form information was stored in arrays named $HTTP_POST_VARS and $HTTP_GET_VARS. Form data may be sent via either the POST or GET method, so the array matching the method applies.

Starting with PHP 4.1.0, form-created variables are available in the arrays mentioned above AND in three new arrays: $_POST, $_GET and $_REQUEST. One of the first two will contain your form information (depending on the method again). It will also be available via the third array, which is useful in the event you use mixed methods: for instance, you use POST as your form method but also include GET information as part of the form action URL.

Some Examples

Equivalent Variables

    Short Form      Pre 4.1.0                       4.1.0 and above
    $firstname      $HTTP_POST_VARS['firstname']    $_POST['firstname']

Accessing Form Array Variables in Scripts

The array version of variables obviously means more typing, and more typing means more misteaks. Oops... mistakes. A way to reduce your typing load and reduce the chance of errors is to copy the array variables into short-form variables before you use them. This is also handy when revising existing scripts that only work with register_globals set to On. For example:

Reassigning values

<?php
     $firstname = $_POST['firstname'];
     $lastname = $_POST['lastname'];
?>

Now that your variables are in short form, you can use them that way throughout the remainder of the script. Notice that I used the 4.1.0 and above form. It's the shortest of the longer versions. If your ISP is still using an older version of PHP (4.0.6 is still in wide use), you'll have to reference the longer $HTTP_POST_VARS and $HTTP_GET_VARS array names. Check with your host.
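A fuller version of that reassignment, written as an added example rather than code from the original article: it copies only the fields the script expects, gives each one a default so nothing is left for the request to fill in, and falls back to the pre-4.1.0 array name when $_POST does not exist. The field names and the helper name get_form_fields are assumptions for illustration.

```php
<?php
// Added example (not from the original article). Reads only the expected
// form fields from the right array for the PHP version in use.

function get_form_fields($expected)
{
    // $_POST exists from PHP 4.1.0 on; older engines only have $HTTP_POST_VARS.
    if (isset($_POST)) {
        $source = $_POST;
    } else {
        global $HTTP_POST_VARS;
        $source = isset($HTTP_POST_VARS) ? $HTTP_POST_VARS : array();
    }

    $fields = array();
    foreach ($expected as $name => $default) {
        // Copy only the named fields. Anything else the client sent is
        // ignored, which is exactly what register_globals=On failed to do.
        if (isset($source[$name]) && is_string($source[$name])) {
            $fields[$name] = trim($source[$name]);
        } else {
            $fields[$name] = $default;
        }
    }
    return $fields;
}

// Initialize every variable the script relies on before reading the form,
// so none of them can arrive pre-set from the request.
$authorized = false;

// Assumed field names: the form has inputs named firstname and lastname.
$form = get_form_fields(array(
    'firstname' => '',
    'lastname'  => '',
));
$firstname = $form['firstname'];
$lastname  = $form['lastname'];

if ($firstname === '' || $lastname === '') {
    echo 'Please fill in both names.';
} else {
    // Escape before echoing back to the browser.
    echo 'Hello, ' . htmlspecialchars($firstname . ' ' . $lastname);
}
?>
```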

For more information





All content copyright © 2002-2003 gotFusion LLC. The name gotFusion and the gotFusion ® logo are registered trademarks of gotFusion LLC