register_globals workaround

Posted: Thu Oct 04, 2007 7:46 pm
by flycast
First off - I understand the security implications of register_globals - please no lectures!

I have some forms that use variables that come in through the form. Rather than use $_REQUEST I think the stuff was written long ago and it uses $name instead.

I am using an environment that unsets globals so if I set "name" in the form it is not available in the script.

Is there a way that I could iterate through the $_REQUEST array and create a variable with the name of the key and the value? In other words...

When I encounter $_REQUEST['name'] I want to create a variable $name and give it the $_REQUEST['name'] value.

Possible?

Posted: Thu Oct 04, 2007 8:03 pm
by Christopher
For a little security, maybe something like this:

// assume that you have unset all globals previously

// define regex filters
$expected = array(
     'name' => '/[^a-zA-Z\-\ ]/',
     'age' => '/[^0-9]/',
     'date' => '/[^0-9\/]/',
     );

// loop through expected params, filter value and assign to variable
foreach ($expected as $name => $regex) {
     if (isset($_REQUEST[$name])) {
          $$name = preg_replace($regex, '', $_REQUEST[$name]);
     }
}

Re: register_globals workaround

Posted: Fri Oct 05, 2007 3:30 am
by stereofrog
flycast wrote: When I encounter $_REQUEST['name'] I want to create a variable $name and give it the $_REQUEST['name'] value.

extract($_REQUEST);

Re: register_globals workaround

Posted: Fri Oct 05, 2007 10:12 am
by John Cartwright
stereofrog wrote:
flycast wrote: When I encounter $_REQUEST['name'] I want to create a variable $name and give it the $_REQUEST['name'] value.

extract($_REQUEST);
I know this is the simplest way to do this, but allowing the user to inject any variables into the script that aren't properly initialized may open up security holes. I'd stick with arborint's suggestion of whitelisting the variable names you want.
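
As an added example (not code posted by anyone in this thread), the following PHP script runs from the command line with a constructed request array standing in for $_REQUEST; it shows the variable-clobbering risk described above with a bare extract(), next to the whitelist-and-filter approach from earlier in the thread. The is_admin variable name, the safe_extract() helper and the use of EXTR_SKIP are my own choices for illustration.

```php
<?php
// Constructed request data standing in for $_REQUEST so this runs offline.
// 'is_admin' is not a form field; it models an extra key a client can add.
$request = array(
    'name'     => 'Jane <Doe>',
    'age'      => '42abc',
    'is_admin' => '1',
);

// Unsafe: extract() turns every request key into a local variable,
// so the pre-initialized $is_admin is overwritten by the request value.
function unsafe_login_check(array $request)
{
    $is_admin = false;
    extract($request);
    return (bool) $is_admin;
}

// Whitelist of expected parameters with a regex of characters to strip.
$expected = array(
    'name' => '/[^a-zA-Z\- ]/',
    'age'  => '/[^0-9]/',
);

// Safer: only whitelisted keys are kept, each filtered before use.
function safe_extract(array $request, array $expected)
{
    $vars = array();
    foreach ($expected as $key => $regex) {
        if (isset($request[$key]) && is_string($request[$key])) {
            $vars[$key] = preg_replace($regex, '', $request[$key]);
        }
    }
    return $vars;
}

// Same check using the whitelisted set; EXTR_SKIP additionally refuses to
// overwrite any variable that already exists in the current scope.
function safe_login_check(array $request, array $expected)
{
    $is_admin = false;
    extract(safe_extract($request, $expected), EXTR_SKIP);
    return (bool) $is_admin;
}

var_dump(unsafe_login_check($request));
var_dump(safe_login_check($request, $expected));
print_r(safe_extract($request, $expected));
```

In a real script you would pass $_REQUEST (or better, $_GET/$_POST) in place of the constructed $request array.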

Posted: Fri Oct 05, 2007 11:02 am
by feyd
Why not fix the code to use proper superglobal values?