forums have globals on, why?
Posted: Wed Sep 15, 2004 10:22 pm
by James M.
I was just wondering why every forum running on PHP I have seen has globals on, yet they tell you that globals aren't secure and you should write your scripts so that they do not require globals to be on?
Posted: Wed Sep 15, 2004 11:10 pm
by feyd
they were probably written back when globals were on by default...
Posted: Wed Sep 15, 2004 11:11 pm
by James M.
Have you seen a forum that doesn't use globals like this one?
Posted: Wed Sep 15, 2004 11:19 pm
by feyd
phpbb doesn't use register_globals.
Posted: Wed Sep 15, 2004 11:20 pm
by James M.
oh, then what's all that on the links?
Posted: Wed Sep 15, 2004 11:21 pm
by feyd
you mean the t= part in:
viewtopic.php?t=26053 ??
that's a url parameter, so it can find the topic you want to read.
Posted: Wed Sep 15, 2004 11:23 pm
by James M.
yea, i thought you could only do that with globals on. i should look into that for an early site i made that uses url parameters so i don't have to re-write everything
Posted: Wed Sep 15, 2004 11:23 pm
by markl999
Globals would be using $t in viewtopic.php as opposed to using $_GET['t']

Posted: Wed Sep 15, 2004 11:26 pm
by James M.
hehehe, i forgot all about using $_GET[]. makes sense now
Posted: Wed Sep 15, 2004 11:27 pm
by m3mn0n
Yeah, register_globals OFF doesn't mean you can't use the GET method. You just access it by $_GET, like mark stated.
The security improvement is if you use POST, you won't have people faking variables via GET and screwing with your site.
Posted: Wed Sep 15, 2004 11:34 pm
by James M.
Thanks, that makes my job so much easier. It takes so long to make workarounds.
Posted: Thu Sep 16, 2004 4:36 am
by dethron
And then using $_REQUEST[] is the same as using register_globals ON, in terms of security. Right?
Posted: Thu Sep 16, 2004 4:44 am
by timvw
imho it's not. because if you don't put anything yourself in $_REQUEST you know it's coming from the mean world
thus at least you know $nice_world exists

Posted: Thu Sep 16, 2004 5:25 am
by dethron

nice point

well, besides this fact (which you mentioned), is there any other advantage of using $_REQUEST instead of using register_globals ON?
Posted: Thu Sep 16, 2004 6:14 am
by John Cartwright
Yes there are several advantages, but the fact remains you should always code with register globals off.
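
Added example (not part of the thread, and not phpBB code): the difference the posts above describe between `$t` under register_globals and `$_GET['t']`, shown on the thread's own `viewtopic.php?t=26053` URL. Assumptions: `extract()` stands in for register_globals (the directive was removed in PHP 5.4), the `$request` array stands in for `$_GET` so the script runs from the CLI, and the `is_admin` flag and both function names are hypothetical.

```php
<?php
// Constructed request: viewtopic.php?t=26053&is_admin=1
// $request is a stand-in for $_GET; is_admin is a hypothetical flag name.
$request = ['t' => '26053', 'is_admin' => '1'];

// "Before": register_globals-style handling. Every request key becomes a
// local variable, so a variable the script forgot to initialise can be
// supplied by whoever builds the URL.
function legacy_view(array $get, bool $loggedInAsAdmin): array
{
    extract($get);                    // emulates register_globals = On
    if ($loggedInAsAdmin) {
        $is_admin = true;             // only ever set on the success path
    }
    // Bug: $is_admin was never initialised to false, so the value from the
    // request survives when the login check fails.
    return ['topic' => $t, 'admin' => !empty($is_admin)];
}

// "After": request data stays inside the superglobal array and is read
// explicitly, so it cannot collide with the script's own variables.
function safe_view(array $get, bool $loggedInAsAdmin): array
{
    $is_admin = $loggedInAsAdmin;     // decided by server-side logic only

    // Read the one parameter we expect and validate it as a positive integer.
    $t = filter_var($get['t'] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
    if ($t === false) {
        throw new InvalidArgumentException('invalid topic id');
    }
    return ['topic' => $t, 'admin' => $is_admin];
}

// Same request, same (failed) admin login, different outcome.
var_dump(legacy_view($request, false));
var_dump(safe_view($request, false));

// The array is still untrusted input: a non-numeric t is rejected here
// rather than passed on to a query.
try {
    safe_view(['t' => '26053 OR 1=1'], false);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same reasoning applies to `$_REQUEST`: its contents are still attacker-controlled, but they stay in one array instead of overwriting the script's own variables.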