what's wrong with globals on?
Dark_Raider
- Forum Newbie
- Posts: 4
- Joined: Mon May 12, 2003 1:16 pm
what's wrong with globals on?
I've read that it's a big security issue to have register_globals on. I've also read that it doesn't matter. Does anybody really know why it should or should not be on?
- twigletmac
- Her Royal Site Adminness
- Posts: 5371
- Joined: Tue Apr 23, 2002 2:21 am
- Location: Essex, UK
The major problem with having register_globals on is that it's deprecated - i.e. it will not be available as an option in all future releases of PHP. Coding with register_globals off does not make a script inherently secure, neither does coding with it on make all scripts insecure.
Learning how to work with $_POST, $_GET, $_COOKIE et al. will mean that your scripts will be future proof for some time and it will be obvious to you (and others) where variables are coming from. $id means nothing, $_POST['id'] means a variable coming from an HTTP POST action. You can also make it difficult for people to pass variables through the query string in the URL in order to overwrite other global variables by specifically indicating where the information should come from. However, there are still ways in which you can mimic the effect of register_globals (even with it off) and negate all the benefits of it being off. If you haven't already you should take a look at:
viewtopic.php?t=511
For the official story:
http://www.php.net/manual/en/tutorial.oldcode.php
http://www.php.net/manual/en/configurat ... er-globals
http://www.php.net/manual/en/security.r ... lobals.php
Mac
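The three points in the reply above, as an added example that is not part of the original thread: an uninitialised variable that register_globals lets the query string fill in, the same hole reopened with register_globals off by calling extract() on request data (one of the "ways you can mimic the effect of register_globals"), and the explicit $_POST['id'] read that says where the value must come from. The request arrays are constructed inline, and loggedIn() is a stand-in for a real session check, so the script runs offline. register_globals itself was removed in PHP 5.4, so the emulation via extract() is the only way to reproduce the behaviour on a current interpreter.

```php
<?php
// Added example, not code from the thread. Constructed sample request:
// the attacker appends ?authorized=1&id=42 to the URL; nothing is POSTed.
$_GET  = ['authorized' => '1', 'id' => '42'];
$_POST = [];

// Stand-in for a real login check (assumption): it fails, so the admin
// page must never be served.
function loggedIn(): bool
{
    return false;
}

// 1. The register_globals bug. With register_globals = On, PHP created
//    $authorized = '1' from the query string before this code ran.
//    extract() on the request array reproduces exactly that, which is also
//    why calling extract($_GET) / extract($_REQUEST) yourself brings the
//    problem back even with register_globals off.
function legacyCheck(array $request): string
{
    extract($request);          // attacker-controlled names become variables
    if (loggedIn()) {
        $authorized = true;
    }
    // $authorized was never initialised here, so the attacker's '1'
    // survives to the check.
    return !empty($authorized) ? 'admin page served' : 'access denied';
}

// 2. Same logic with an explicit default and no extract(): the only way
//    $authorized becomes true is the login check succeeding.
function initialisedCheck(): string
{
    $authorized = false;        // explicit default closes the hole
    if (loggedIn()) {
        $authorized = true;
    }
    return $authorized ? 'admin page served' : 'access denied';
}

// 3. "$id means nothing, $_POST['id'] means a variable coming from an HTTP
//    POST action." Naming the source means a query-string id cannot
//    satisfy this read, and validating the shape rejects junk.
function recordId(): ?int
{
    if (!isset($_POST['id']) || !ctype_digit($_POST['id'])) {
        return null;            // wrong source or not a digit string
    }
    return (int) $_POST['id'];
}

echo legacyCheck($_GET), "\n";   // the register_globals-style check
echo initialisedCheck(), "\n";   // the initialised check
var_dump(recordId());            // id arrived via GET, so it is ignored
```

Run it with `php example.php`: the first check serves the admin page because the query-string value filled an uninitialised variable, the second denies access, and recordId() returns NULL because the id was not sent in a POST body. The fix is not switching register_globals off on its own, as the reply says; it is the explicit default plus reading from the specific superglobal, which holds up no matter how the server is configured.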