Using Register Globals

WebHorn

I've been reading about the new register_globals setting in the PHP docs and want to spark some discussion about why the change was set in place and best practices to code to the standard...

It seems like ultimately it's WHAT you do w/ the form data that will determine how secure your script is...if you do a work around like extract($POST); or even $foo = $POST["foo"]; w/o testing the data you're gone.

The big advantage of turning register_globals off is that it prevents a black hat from hijacking an internal script variable ... like

<?php
if($action == "new")
{
$header = "All Right!";
$body = "blah...";
mail(...............);
}
?>

blackhat could w/ register_globals on do:

http://myurl.com/foo.php?action=new&header=You%20Suck&body=My%20Big%20Fat%20Rooster

although in this case they'd be overwritten. But a script w/ file access could be vulnerable. So basically you're shuffling these post/get/server/env vars into a temp array for you to pull on an as-needed basis. But I see no benefit beyond that - this change doesn't make things "secure" by itself, as some think.

the_Igel

Nothing in the world is secure by itself. Just when you turn off your register globals, you have to think what data you use and where it comes from. No magic, just some sense.

rrijnders

I have never had a problem with register_globals set to ON. If the var is a script var, I would never use it without initializing it to a known value first. If the var comes from outside the script, I don't trust it and validate the data. In that case, I don't care if it came from $GET or $POST, I am going to make sure the values are valid, or the form gets re-displayed or a default page displays or an error page displays.

I have never bought into the argument for turning register_globals off. Write good code and you won't have to worry about it. Just my $.02 (US)

Weedpacket

I understand that there is also a performance benefit to turning register_globals off, in that the time doesn't have to be taken to extract($GET); extract($POST) etc. on every single PHP page (which it would do whether that page is supposed to be receiving form input or not).

I've never experimented with this claim myself, however. As for security; well, PHP will (if the error-reporting level is set high enough) warn you if you use an uninitialised variable at any stage; so if you pay attention to those warnings you wouldn't get random variables in your pages being set to random values by people chucking ?foo=bar into the URL whenever they see a ".php" extension.

But I do find it helps for self-documentation purposes - "where the hell did that come from?"

kutucape

In fact, register global set to off is recommended to increase security, because we don't know where the variables come frrom.
Variabel may come from another way and maybe contains evil data.

Notice this example:

echo '<a href=view.php?file=foo.inc>Something</a>'

then when we click that link the view.php will do below:

include ($file);

so, consider if someone put the url like this:
view.php?file=/etc/passwd ?

if we carefull, and the register global set to off, we will write code like this:

include ($_GET['file']);

But, it's better if we check that input first. It will make us sure the data is correct and come from the right source. It makes our script better and more? secure.

Please your comment...

the_Igel

in fact, register globals off doesn't much help to the script author. Rather, it makes the whole server more secure, protecting it from poorly written scripts.
If i always check any external data and set initial value to internal, i neither win nor lose anything from register globals. And if i don't care about checking user input, then reg. gl. can't help me much. It cn prevent some hacks, but in case i assign

$foo = $_GET['foo'];

without any checks, no configuration options can protect my script.

stuartc1

I dont really use these Globals that mush either, but I do think it could be useful for script clarity.
Say you start a new job or are assigned to update someone elses PHP script, and instead of spending countless days trying to find out were variables have come from, you will at least have a better idea that some variables are from forms and others are session etc, it might just save a few hours work !!.
Im sure this is just pure theory though.
just a thought.....

Weedpacket

$_GET['varname'] will work whether register_globals is turned on or not, so that's one less configuration detail you don't have to worry about.

Oh, your host still uses PHP4.0.6? Oh, all right. Global search-and-replace $_GET => $HTTP_GET_VARS. Just need to worry about functions, then. All right: global $HTTP_GET_VARS;. No sweat.