Register_globals, a basic question

[scottie2212]

I have been reading a few threads and the consensus seams to be that having register_globals turned on is a security risk. The majority of pages on my site use the $_POST method to pass form data but, with register_globals turned off, everything falls over.

My question is this... Ho do I get around the problem? Or do I just turn on register_globals?

Many thanks for your input,

Scottie

[Dan]

I'm not too sure on this one. I just go and do what needs to be done. I've never encountered such a problem with register globals so it's hard to give an explanation.

[walkerasindave]

scottie2212, who are you accessing the data that is sent via POST?

With register_globals turned on all the variables sent via GET or POST (as well as others) are directly acessible as $foo.

e.g. visiting:
example.com/index.php?foo=bar

echo $foo;

This would return "bar".

So with register_globals turned on the variables are accessible easily but there is a security risk. If you don't initialise all your variables people could inject malicious values into them.

With register_globals turned off GET, POST (and the others) are only accessible via $_GET["foo"], $_POST["foo"], etc.

If the code is falling over with register_globals turned off then make sure there's no code that is relying on the variables ($foo) automatically being set.

[scottie2212]

Thanks for the reply,

I've done some more testing of this and clarified what is actually happening but I still don't know why or how to get around it.
This is a snippet of code from my logon page -

echo "test of name " . $_POST['name'];
if ($REQUEST_METHOD=="POST") {
$fooname = trim(strip_tags($_POST['name']));
echo "the name is $fooname";

With register globals turned on I see the output of both echo commands along with the variables but when it's turned off I only see output from the first with it's variable.
Obviously the $_POST['var'] is being passed but not the REQUEST_METHOD. I can't understand this because I though the $_POST was a part of the REQUEST_METHOD array.

If this makes it more understandable to you and you can help me resolve it I would be very grateful.

Scottie

[kev woodman]

$REQUEST_METHOD isn't an array AFAIK. Its part of the $_SERVER array and there isnt any guarantee that the variables in that array will always be present.

Why not just use :
if($_POST)
{
//blah blah
}

[scottie2212]

Thanks for that Kev, it makes more sense now.

I'm not certain that I can apply your suggestion to all my pages as some of them have numerous functions governed by the the value of $_POST['button_name'] but I will certainly go through them now and see if I can remove all the REQUEST_METHOD conditions.

At least I now have a point of attack.

Scottie.

[scottie2212]

Just an update.

Thanks to Kev's info, I've now got all my pages working with register_globals turned off and I have a better understanding of these things.

Thanks Kev

Scottie.

[kev woodman]

no problem fella - glad it all worked out

[walkerasindave]

Quote:

Originally Posted by kev woodman

Why not just use :
if($_POST)
{
//blah blah
}

Or a more desirable method would be:
if ($_SERVER['REQUEST_METHOD']=="POST")
{
//blah blah
}

I should have explained when I said "(as well as others)" I also meant the $_SERVER variables.

[scottie2212]

Thanks for the update Kev, (edited, Sorry Dave, I've never been any good with names)

That explains why I couldn't get the ip address logging to work. Now I can look at that again.

[kev woodman]

Would that be better Dave?

The elements of the $_SERVER array are dependent on the server so really you would have to check if REQUEST_METHOD is set and then check for its value.

What would be the advantage of accessing $_SERVER?

[Foddski]

On pages with forms I tend to use

Quote:

if ($_POST)//Detects a posting
{ $subject = stripslashes($_POST['subject']);}

So i don't set any variables until the form data is submitted.

[delboy]

You can emulate register globals as turned on by adding this to your .htaccess

php_flag register_globals on