register_globals = 'Off' advice

bunner_bob

I finally got around to turning register_globals "off" and of course am having to rewrite lots of code to make things work once again (if only I'd started that way in the first place...)

I'm figuring out most of it but still have a couple of questions:

I notice that when I enclose the bulk of my page inside
```
if (session_is_registered("this_user")) { 
//stuff 
}
```
the page still loads properly - i.e. I don't need to specify session_is_registered($SESSION['this_user']) or some such thing. This is nice, but is it supposed to work this way? I notice that to use $this_user elsewhere in the script I still have to define $this_user = $SESSION['this_user'], so it seemed strange that session_is_registered DIDN'T require that definition.
I used to have lots of $PHP_SELF in my links - now of course I have to redeclare them as $PHP_SELF = $_SERVER['PHP_SELF']. Anything wrong with just putting this line at the top of the page so I don't have to redo every one? It seems to work. And while I'm on it - anything wrong with using $PHP_SELF in general, or should I explicitly declare my URLs?
I have some conditions that sometimes are $GET[] and sometimes $POST[], depending on where the request came from. I'm using $_REQUEST[] for those instances - is this an increased security risk?

Thanks wizards!

diego25

That's fine. Maybe the function is using $_SESSION internally, and you just don't know it 🙂
It should be alright, but doesn't your text editor have a "Find and Replace" feature (look under Edit or Search menu)? If it doesn't, then change to another text editor...
Well, theoretically it increases the risk by a little bit, but practically it's no problem.

Diego

tomhath

Regarding #3, whether you use GET or POST the variable should be considered "tainted" until you have very carefully validated it. Since you are rewriting code anyway you might want to assign the validated data to diffferent (untainted) variables and only use the $REQUEST variables in your validation routines. It's better to be paranoid than sorry...

bunner_bob

Tomhath - can you clarify this for me:
"you might want to assign the validated data to diffferent (untainted) variables and only use the $REQUEST variables in your validation routines."

Are you saying I cango ahead and get variables via $REQUEST (or $POST or $GET), then validate them (I assume: to ensure they're the right kind of data - i.e. alphanumeric, numeric, right number of digits, etc.), then I should convert the result to another variable before inserting into the db?

Actually this brings up a question about validation. Most of my data validates fairly neatly - I can run preg_match on it and verify it's a phone number, email, date, time, etc. But there are a number of fields in my system that accept straight text - the story content of a news article, for instance. Any suggestions for a place to look for a good preg_match sequence to allow everything that might be in such a story but not allow harmful characters?

And that makes me think of magic quotes. Magic quotes are supposed to escape control characters that might make MySQL do things I don't want it to. Does it cover everything (i.e. I don't need to worry about what a user enters) or is there a list of characters I should disallow that magic quotes doesn't cover? I'm thinking square brackets, curly brackets, pipe character, etc...

Thanks!