register_globals workaround

flycast
Forum Commoner
Posts: 37
Joined: Wed Jun 01, 2005 7:33 pm

register_globals workaround

Post by flycast »

First off - I understand the security implications of register_globals - please no lectures!

I have some forms that use variables that come in through the form. Rather than use $_REQUEST I think the stuff was written long ago and it uses $name instead.

I am using an environment that unsets globals so if I set "name" in the form it is not available in the script.

Is there a way that I could iterate through the $_REQUEST array and create a variable with the name of the key and the value? In other words...

When I encounter $_REQUEST['name'] I want to create a variable $name and give it the $_REQUEST['name'] value.

Possible?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

For a little security, maybe something like this:

Code:

// assume that you have unset all globals previously

// define regex filters
$expected = array(
     'name' => '/[^a-zA-Z\-\ ]/',
     'age' => '/[^0-9]/',
     'date' => '/[^0-9\/]/',
     );

// loop through expected params, filter value and assign to variable
foreach ($expected as $name => $regex) {
     if (isset($_REQUEST[$name])) {
          $$name = preg_replace($regex, '', $_REQUEST[$name]);
     }
}
(#10850)
stereofrog
Forum Contributor
Posts: 386
Joined: Mon Dec 04, 2006 6:10 am

Re: register_globals workaround

Post by stereofrog »

flycast wrote: When I encounter $_REQUEST['name'] I want to create a variable $name and give it the $_REQUEST['name'] value.

Code:

extract($_REQUEST);
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Re: register_globals workaround

Post by John Cartwright »

stereofrog wrote:
flycast wrote: When I encounter $_REQUEST['name'] I want to create a variable $name and give it the $_REQUEST['name'] value.

Code:

extract($_REQUEST);
I know this is the simplest way to do this, but allowing the user to inject any variables into the script that aren't properly initialized may open up security holes. I'd stick with arborint's suggestion of whitelisting the variable names you want.
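Added example, not part of any post in this thread: the two approaches discussed above, run side by side on a constructed request, showing which keys end up as variables. The helper name import_expected(), the functions with_extract() and with_whitelist(), the is_admin key and the sample values are assumptions made for illustration.

```php
<?php
// Constructed sample request: two expected form fields plus one key the form never defined.
$request = array(
    'name'     => "Ann <b>O'Neil</b>",
    'age'      => '42abc',
    'is_admin' => '1',   // not a form field; supplied by the client
);

// Whitelist of expected keys with "strip everything that matches" filters,
// in the same style as the whitelist posted earlier in the thread.
$expected = array(
    'name' => '/[^a-zA-Z\- ]/',
    'age'  => '/[^0-9]/',
);

// Hypothetical helper: keep only whitelisted keys and filter each value.
// Array-valued input (name[]=x) is dropped, since preg_replace() would return an array.
function import_expected(array $source, array $expected)
{
    $clean = array();
    foreach ($expected as $key => $regex) {
        if (isset($source[$key]) && is_string($source[$key])) {
            $clean[$key] = preg_replace($regex, '', $source[$key]);
        }
    }
    return $clean;
}

// extract() on raw input: every request key becomes a local variable.
function with_extract(array $request)
{
    extract($request);
    // The script never initialised $is_admin, so the client's value is what it sees.
    return isset($is_admin) ? 'is_admin=' . $is_admin : 'is_admin unset';
}

// Whitelist first, then create variables only from the filtered values.
// EXTR_SKIP additionally refuses to overwrite variables that already exist.
function with_whitelist(array $request, array $expected)
{
    extract(import_expected($request, $expected), EXTR_SKIP);
    $flag = isset($is_admin) ? 'is_admin=' . $is_admin : 'is_admin unset';
    return array($flag, $name, $age);
}

echo with_extract($request), "\n";
print_r(with_whitelist($request, $expected));
```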
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Why not fix the code to use proper superglobal values?