global variables in classes?

Posted: Sun Aug 10, 2003 2:46 am
by mudkicker
can we use global variables in classes?

Posted: Sun Aug 10, 2003 4:29 am
by JAM
yah.. try:

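Code:

<?php
    $foo['bar'] = 'foo';

    class moo
    {
        // PHP 4 constructor: a method with the same name as the class
        function moo()
        {
            // read the global array through the $GLOBALS superglobal
            echo $GLOBALS['foo']['bar'];
        }
    }

    $test = new moo;
?>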

Posted: Sun Aug 10, 2003 3:18 pm
by m3rajk
i suggest avoiding it. the change to have them default as off is a security thing

Posted: Sun Aug 10, 2003 4:08 pm
by mudkicker
thanks JAM.
m3rajk, i can't get why it is insecure. can you explain please?

Posted: Sun Aug 10, 2003 4:34 pm
by m3rajk
there's more on http://php.net. i was looking at changes from the version i learned and the version i'm using to make a site and one of them was that. they explained it much better than i can, as well as going into more things than i can remember. however i do remember them connecting it to register globals

on top of that, unless you're hosting, you should be aware that as of... i think it was 4.1.0, register globals defaults to off, so unless there's a specific reason for them to turn it on, chances are it's off. and since it affects super globals

i know register globals makes anything in EGCPS into a variable by default. now imagine if they're both on and something malicious is passed in get that overwrites something in your script that's a superglobal...

i know there's more to it, but it's better to use passing, and if you're talking about an included variable file, something i already found out, just include it IN the function. that was my way around it.

Posted: Sun Aug 10, 2003 4:38 pm
by Seth_[php.pl]
I can explain why.
for example:
You have two functions: one to add an 'a' letter to a string and another to check whether there is an 'a' letter at the end of the string (all using GLOBAL values)

Code:

function AddA()
{
  $GLOBALS['text'] .= 'a';
}


function CheckAExist()
{
  if ( substr( $GLOBALS['text'], -1 ) == 'a' )
  {
    print 'Error';
  }
}

And now you have code that has a bug:

Code:

$text = 'blabla';
// ...
if ( $b = 'v' ) // here is a bug =, should be ==
{
  AddA();
}
else
{
  die ('Finish');
}

CheckAExist();

Because of this ^^^ bug you execute function AddA and CheckAExist which will print 'Error'.

If you passed $text as a parameter it wouldn't be changed in the global array... then the next function wouldn't get the changed $text.

It is one example of why not to use globals, but there are a lot more.


____

I was writing this post when m3rajk already posted his :)

Posted: Sun Aug 10, 2003 6:02 pm
by nielsene
Hmm, using $GLOBALS is not more or less secure. This is NOT the register_globals issue. However, using GLOBALS is typically viewed as an example of poor design, especially if their use is rather prevalent, and outside the use of Singleton pattern type uses.

Posted: Sun Aug 10, 2003 7:10 pm
by McGruff
It might help to give a quick run-through of scope.

Class methods, like any function, have their own scope. The class itself has a scope of a kind, ie all the $this->var class properties can be accessed within any class method just by writing $this->var. Global variables can be accessed in any function - class method or not - by writing $GLOBALS['var'].

Register globals on isn't necessarily a security risk. Hacker vars don't actually do anything until they are referred to by name in the script. If your script declares $access_level = 'admin'; it would immediately overwrite a hacked value for the same var. Only undefined vars in a carelessly written script are vulnerable (if you develop with E_ALL error reporting, you can identify and fix any such). It's the combination of reg globs on and undefined vars which is dangerous.

The value of reg globs off is that it makes it clearer where vars are coming from - but it doesn't stop attempts at variable substitution or other nasties. The real security issue is to examine and/or process all user input (intval, htmlspecialchars/strip_tags, check vars against arrays of allowed values, escape strings before a db query, and so on).
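
The point made in the post above about register globals combined with undefined vars, as an added example that is not part of the original thread. It assumes `extract()` as a stand-in for register globals (the setting was removed in PHP 5.4); the function names and the sample request are constructed for illustration.

```php
<?php
// Added example: extract() on a constructed request array simulates what
// register_globals = On did to the script's variables.

// Careless script: $access_level is only assigned on one branch, so it is
// undefined for everyone else and a value injected by the request survives.
function careless(array $request, $password_ok)
{
    extract($request);               // stand-in for register_globals = On
    if ($password_ok) {
        $access_level = 'admin';
    }
    return isset($access_level) ? $access_level : 'none';
}

// Same script with the variable initialised before use: the script's own
// assignment overwrites whatever the request injected.
function initialised(array $request, $password_ok)
{
    extract($request);
    $access_level = 'guest';
    if ($password_ok) {
        $access_level = 'admin';
    }
    return $access_level;
}

// Input read by name and checked against an array of allowed values;
// anything outside the list falls back to the default page.
function validated(array $request)
{
    $allowed = array('news', 'forum', 'about');
    $page = isset($request['page']) ? $request['page'] : 'news';
    return in_array($page, $allowed, true) ? $page : 'news';
}

// Constructed sample input, as if it came from the query string.
$request = array('access_level' => 'admin', 'page' => '../secret');

echo careless($request, false), "\n";     // injected value is returned
echo initialised($request, false), "\n";  // script's own value wins
echo validated($request), "\n";           // rejected, default is used
```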

Posted: Mon Aug 11, 2003 12:18 am
by JAM
I have not much experience with classes at all so to follow up on nielsene's comments i studied some more.

I didn't know of any other way before but using GLOBALS, but there are a couple of ways to bypass it...

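Code:

<?php
class xy
{
    var $msg;

    // PHP 4 constructor: stores the array passed in instead of reading a global
    function xy($msg)
    {
        $this->msg = $msg;
    }

    // renamed from do(): 'do' is a reserved word and PHP 4 rejects it as a method name
    function show()
    {
        echo $this->msg[10]; //<- WORKS!
    }
}
// assign $msg an array of items (indexes 0 to 10, so that index 10 exists)
$msg = range(0, 10);
$test = new xy($msg);
$test->show();
?>

For those people familiar with other coding languages (I think VB, ikk), you can think of the get and set functions in classes.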

Try googling for it. ;)