Globals

Post by Pyrite »

I've heard from various places that using register globals to on is bad or insecure, but what I am wanting to know is how bad or insecure it really is? I'm not asking to teach how to hack or anything, but I'd like to know how insecure it is so that I can decide if it really is insecure for my special situations. Cause currently, I use register globals to on in all my scripts, cause it is just easy.

Also, suppose I do turn it off. Will I still be able to pass PHP variables to scripts like this?

echo '<a href="myscript.php?pie=' . $phpvarpie . '">go here</a>';

And also, if I turn it off, can I still access form variables somehow? Like I call a script called foo.php as the action in my form using post. Will the form elements still be accessible in foo.php as variables somehow?

Thanks.

Post by twigletmac »

Pyrite wrote: I've heard from various places that using register globals to on is bad or insecure, but what I am wanting to know is how bad or insecure it really is? I'm not asking to teach how to hack or anything, but I'd like to know how insecure it is so that I can decide if it really is insecure for my special situations. Cause currently, I use register globals to on in all my scripts, cause it is just easy.

It's easy, but it's deprecated; that means that you won't have the option in later versions of PHP and will have to code for register_globals off.
Have a look at the following page for examples of security issues:
http://php.net/register_globals

Pyrite wrote: Also, suppose I do turn it off. Will I still be able to pass PHP variables to scripts like this?

echo '<a href="myscript.php?pie=' . $phpvarpie . '">go here</a>';

Yes you can; however, you won't be able to use $pie to get the data initially, you will have to use $_GET['pie'].

Pyrite wrote: And also, if I turn it off, can I still access form variables somehow? Like I call a script called foo.php as the action in my form using post. Will the form elements still be accessible in foo.php as variables somehow?

Yes they will, they will all be stored in the $_POST array.

For more information see:
Concerning Passing Variables in PHP 4.2+
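
The risk and the register_globals-off style discussed in this thread, as an added example that is not part of either post and is not code from php.net. It assumes `extract()` as a stand-in for what register_globals = On did to request parameters; the function names, the `authorized` flag and the sample request are hypothetical.

```php
<?php
// Constructed sample request, as if a client sent
// /admin.php?pie=apple+tart&authorized=1 (all names are hypothetical).
$sampleGet = ['pie' => 'apple tart', 'authorized' => '1'];

// Emulates register_globals = On: every request parameter becomes a
// variable before the script's own logic runs.
function check_with_register_globals(array $request, bool $passwordOk): bool
{
    extract($request);            // stand-in for register_globals = On
    if ($passwordOk) {
        $authorized = true;
    }
    // $authorized is never initialised by the script, so a value
    // supplied in the request decides the outcome.
    return !empty($authorized);
}

// register_globals = Off style: the script initialises its own state and
// request data is only ever read explicitly from the request array.
function check_with_superglobals(array $request, bool $passwordOk): bool
{
    $authorized = false;          // explicit default, not client-controlled
    if ($passwordOk) {
        $authorized = true;
    }
    return $authorized;
}

// Reads ?pie=... explicitly (as $_GET['pie'] would be read), then rebuilds
// the link from the thread with the value URL-encoded and HTML-escaped.
function pie_link(array $get): string
{
    $pie  = isset($get['pie']) ? (string) $get['pie'] : '';
    $href = 'myscript.php?pie=' . urlencode($pie);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">go here</a>';
}

// Same request and a failed password check, evaluated both ways.
var_dump(check_with_register_globals($sampleGet, false));
var_dump(check_with_superglobals($sampleGet, false));
echo pie_link($sampleGet), "\n";
```

In a real script the `$request` and `$get` arguments would be `$_GET` or `$_POST`; they are passed in here so the example runs from the command line.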