Security risk of setting variables global...
Posted: Sat Jul 04, 2009 3:37 am
Hi,
I am still fairly new to PHP and I have a question regarding what the security risks are of setting variables GLOBAL.
You hear here and there that it is a 'security risk' and that it is 'bad practice' but I have not found one article on the net that actually describes IN DETAIL why it poses a security risk and why it is bad practice.
Just to clear this up, I am aware that you should never set variables global that hold sensitive information...
Here is a simple example:
I have about 50 pages in a site that all make use of function test (defined below). Function test can use up to 5 variables - 3 are needed - the other 2 are optional depending on the page the function is called from. As of right now the function looks like this...
function test($var1, $var2, $var3, $var4, $var5)
{
    // do something
}
--> as you can see: we call the function and pass in 5 vars on all 50 pages...
Now, if the needed functionality might change in the future, and therefore the vars passed in, I would have to rewrite the code on ALL 50 pages...
So I thought to change the function to this:
function test()
{
    global $var1;
    global $var2;
    global $var3;
    global $var4;
    global $var5;
    // do something
}
Calling the function then on all 50 pages without the need to pass in vars would make this setup very FLEXIBLE for future changes, as I would just change the number of vars needed inside the function...
Coming back to my original question, what would be the security risk and why would this be 'bad practice'? I am trying to come up with a solution that is as FLEXIBLE as possible...
Note: all vars used in the function DO NOT hold any sensitive data...
Thanks for your help in advance!!!
- M
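Added example, not part of the original post: the two designs from the question side by side, showing how the `global` version picks up whatever any other code has put in global scope, while an options array keeps the call flexible without that exposure. The names `test_global` and `test_opts`, the sample values and the `$request` array are constructed for illustration.

```php
<?php
// Added illustration; all function names and sample values are constructed.

// Variant from the post: inputs come from whatever is in global scope.
function test_global()
{
    global $var1, $var2, $var3;
    return "$var1/$var2/$var3";
}

// Alternative: one options array. Required keys are checked, optional keys
// get defaults, unknown keys are dropped before the body sees them.
function test_opts(array $opts)
{
    $required = ['var1', 'var2', 'var3'];
    $defaults = ['var4' => null, 'var5' => null];
    foreach ($required as $key) {
        if (!array_key_exists($key, $opts)) {
            throw new InvalidArgumentException("missing option: $key");
        }
    }
    $allowed = array_flip($required) + $defaults;
    $opts = array_intersect_key($opts, $allowed) + $defaults;
    return "{$opts['var1']}/{$opts['var2']}/{$opts['var3']}";
}

// The page sets the values it intends the function to use.
$var1 = 'reports';
$var2 = 'summary';
$var3 = 'html';

// Later, unrelated code writes to global scope. extract() on request data
// (or the old register_globals setting) does this with untrusted input.
$request = ['var2' => 'value-from-request'];   // constructed stand-in for $_GET
extract($request);

// The global version now runs with the overwritten $var2.
echo test_global(), "\n";

// The explicit version only sees what the caller hands it, and adding a
// new optional key later does not require touching existing callers.
echo test_opts(['var1' => 'reports', 'var2' => 'summary', 'var3' => 'html']), "\n";
```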