Is register_globals really that bad??

benwestgarth

Hi there,

I have always had register globals switched on, but the more I read these days the more I start to wonder whether this is wise. The problem as I see it is that if I go and turn it off I will have to spend the rest of my life recoding everything. I've read the stuff in the manual about it, but I want to know about the real life experiences of you PHPers. Can someone convince me to do it? Or convince me not to bother?

Cheers, Ben

philipolson

register_globals = on can make for a wonderful experience in PHP, having it off can too. register_globals = on makes it easier to write bad (aka insecure) code. The PHP community as a whole is moving towards it being off ... some developers want to deprecate (and eventually remove) the directive alltogether. If you want your scripts to work forever, use the superglobals and don't depend on register_globals being on. Make your new scripts not depend on it being on, it's very easy to write a script that isn't affected by register_globals.

ednark

the general problem with register_globals is that it will put into your webpage whatever is in GET.

example:

if your program expects some variable from POST, and it is not there, it will automatically look for it in GET. so if you have a script that handles a form... and i know where it is... i can force variables into it by directly accessing it in the address, which will not have a post associated with it so php will use whatever is in GET.

as philipolson suggested, this does not have to be insecure, but leaves the door open for the writing of insecure code by you in an unattentive moment.

as PHP is moving to be more and more legit, it wants to close the doors to things which make it more easily misused.

the_Igel

register_globals on doesn't mean much difference. The only thing to make your scripts as secure with reg_gl on as they would be with reg_gl off is to set initial values to all used variables. Since it's done, you have to worry about security same way woth OFF and ON.
Yes, with ON you can't distinguish GET and POST variables, but I think it doesn't mean any security problems; or, if it does, then you do something wrong. You can't rely on any external data anyway.

morphy_6deex

u can patch yr old scripts appending few lines and switching to register_globals to off

but thats a slow down and only a temporary solution: yr new script will have reg_glob=off!!!

hint to the patch (thats not the patch!)

foreach($_POST as $k => $v) $$k = $v;

just a patch... for old scripts... emulate reg_glob=on...