global variables in classes?

mudkicker
Forum Contributor
Posts: 479
Joined: Wed Jul 09, 2003 6:11 pm
Location: Istanbul, TR

global variables in classes?

Post by mudkicker »

can we use global variables in classes? :?: 8O
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

yah.. try:

Code: Select all

<?php
    $foo['bar'] = 'foo';

    class moo
    {
        function moo()
        {
            echo $GLOBALS['foo']['bar'];
        }
    }

    $test = new moo;
?>

m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

i suggest avoiding it. the change to have them default as off is a security thing
mudkicker
Forum Contributor
Posts: 479
Joined: Wed Jul 09, 2003 6:11 pm
Location: Istanbul, TR

Post by mudkicker »

thanks JAM.
m3rajk i can't get why it is unsecure? can you explain please?
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

there's more on http://php.net. i was looking at changes from the version i learned and the version i'm using to make a site and one of them was that. they explained it much better than i can, as well as going into more things than i can remember. however i do remember them connecting it to register globals

on top of that, unless you're hosting, you should be aware that as of... i think it was 4.1.0, register globals defaults to off, so unless there's a specific reason for them to turn it on, chances are it's off. and since it affects super globals

i know register globals makes anything in EGCPS into a variable by default. now imagine if they're both on and something malicious is passed in get that overwrites something in your script that's a superglobal...

i know there's more to it, but it's better to use passing, and if you're talking about an included variable file, something i already found out, just include it IN the function. that was my way around it.
Seth_[php.pl]
Forum Commoner
Posts: 30
Joined: Sun Aug 10, 2003 5:25 am
Location: Warsaw / Poland

Post by Seth_[php.pl] »

I can explain why.
For example:
You have two functions: one to add an 'a' letter to a string and another to check if an 'a' letter exists at the end of the string (all using GLOBAL values)

Code: Select all

function AddA()
{
  $GLOBALS['text'] .= 'a';
}


function CheckAExist()
{
  if ( substr( $GLOBALS['text'], -1 ) == 'a' )
  {
    print 'Error';
  }
}

And now you have code that has a bug:

Code: Select all

$text = 'blabla';
...
if ( $b = 'v' ) // here is a bug =, should be ==
{
  AddA();
}
else
{
  die ('Finish');
}

CheckAExist();

Because of this ^^^ bug you execute functions AddA and CheckAExist, which will print 'Error'.

If you would pass $text as a parameter it wouldn't be changed in the global array... then the next function wouldn't get $text changed.

It is one example of why not to use globals, but there are a lot more.


____

I was writing this post when m3rajk already posted his :)
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Hmm, using $GLOBALS is not more or less secure. This is NOT the register_globals issue. However, using GLOBALS is typically viewed as an example of poor design, especially if their use is rather prevalent, and outside the use of Singleton pattern type uses.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

It might help to give a quick run-through of scope.

Class methods, like any function, have their own scope. The class itself has a scope of a kind, ie all the $this->var class properties can be accessed within any class method just by writing $this->var. Global variables can be accessed in any function - class method or not - by writing $GLOBALS['var'].

Register globals on isn't necessarily a security risk. Hacker vars don't actually do anything until they are referred to by name in the script. If your script declares $access_level = 'admin'; it would immediately overwrite a hacked value for the same var. Only undefined vars in a carelessly written script are vulnerable (if you develop with E_ALL error reporting, you can identify and fix any such). It's the combination of reg globs on and undefined vars which is dangerous.

The value of reg globs off is that it makes it clearer where vars are coming from - but it doesn't stop attempts at variable substitution or other nasties. The real security issue is to examine and/or process all user input (intval, htmlspecialchars/strip_tags, check vars against arrays of allowed values, escape strings before a db query, and so on).
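
McGruff's point about register globals and undefined variables, as an added example that is not part of the original thread: register_globals no longer exists in current PHP, so it is emulated here with extract() on a constructed request array. The function names and the `theme` parameter are assumptions made for illustration.

```php
<?php
// Added example: register_globals is emulated with extract() on a
// constructed request array; all names here are hypothetical.

// Careless script: $access_level is only set on one branch, so a request
// parameter of the same name fills the gap when that branch is skipped.
function careless_page(array $request, $password_ok)
{
    extract($request);              // emulates register_globals = On
    if ($password_ok) {
        $access_level = 'admin';
    }
    return isset($access_level) ? $access_level : 'guest';
}

// Same logic with the variable initialised before use: the script's own
// assignment overwrites whatever the request injected.
function initialised_page(array $request, $password_ok)
{
    extract($request);              // still emulating register_globals = On
    $access_level = 'guest';        // always defined by the script
    if ($password_ok) {
        $access_level = 'admin';
    }
    return $access_level;
}

// register_globals off style: input is read explicitly by name and
// checked against an array of allowed values.
function explicit_page(array $request, $password_ok)
{
    $allowed_themes = array('light', 'dark');
    $theme = isset($request['theme']) ? $request['theme'] : 'light';
    if (!in_array($theme, $allowed_themes, true)) {
        $theme = 'light';           // anything unexpected falls back
    }
    $access_level = $password_ok ? 'admin' : 'guest';
    return $access_level . '/' . $theme;
}

// Constructed request, as if from ?access_level=admin&theme=<script>
$request = array('access_level' => 'admin', 'theme' => '<script>');

echo careless_page($request, false), "\n";
echo initialised_page($request, false), "\n";
echo explicit_page($request, false), "\n";
```

Only the first function lets the request decide the access level; developing with E_ALL error reporting, as the post suggests, is what surfaces the undefined variable in a script written that way.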
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

I have not much experience with classes at all so to follow up on nielsene's comments I studied some more.

I didn't know of any other way before but using GLOBALS, but there are a couple of ways to bypass it...

Code: Select all

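<?php
class xy
{
    var $msg;

    // PHP 4 style constructor: keeps the value that was passed in
    function xy($msg) { $this->msg = $msg; }

    // renamed from do(), which is a reserved word in PHP 4
    function show()
    { echo $this->msg[9]; } // <- WORKS! (last of the 10 items, index 0-9)
}
// assign $msg an array of 10 items...
$msg = range(1, 10);
$test = new xy($msg);
$test->show();
?>

those people familiar with other coding languages (I think VB, ikk) you can think of the get and set functions in classes.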

Try googling for it. ;)