Global fix

RedDragon

I created this fix for all php versions >= 4.2 so i can still use
$bla instead of $_post['bla']

$list = array($_COOKIE,$_ENV,$_FILES,$_GET,$HTTP_GET_VARS,$HTTP_POST_VARS,$_REQUEST,$_POST,$_SERVER,$_SESSION,$_SYSTEM);
foreach($list as $element) {
	if(!empty($element)) {
		if(is_array($element)) {
			extract($element);
		}
	}
}

the code works fine but i would like to know what you think of a solution as this
might there be any difficulties or does it slow down page processing?

ednark

a few things... by doing array you are making a copy of each list, then dumping their variables...

this will screw up your session, i don't think anything will be passed from page to page..

try making an array of references, or just use the $$ syntax like this

$list =  array( '_COOKIE', '_ENV', '_FILES' );
foreach($list as $element) {
  if( !empty($$element) && is_array($$element) ) {
        extract($$element);
    }
}

this should evaluater $$element into $COOKIE, then $ENV, then $_FILES, etc.

so you are getting at the actual variables, which should only matter for session and cookie and im not 100% sure, but doesn't REQUEST just hold whats in POST and GET, so you would be doubling up on those if you added all three...

RedDragon

thanks, i never had the idea that this is just duplicating these lists, and yeah your right... request contains post, get and cookie data so there is no need to extract it!

philipolson

If you require register_globals = on yet your host has it off, you should instead set it to on in .htaccess as opposed of hacking the behavior. And this sorta hack should NEVER be used for new code.

And this isn't a "fix for certain PHP versions" but rather it's a hack to sorta mimick the register_globals directive being on. register_globals is off by default as of PHP 4.2.0 but that's just a default. It can be on or off in any PHP 4+ version (it's always on in PHP 3) and in order to maintain backwards compatability for their clients, many hosts change this new default value since PHP 4.2.0 to be back on.

Here's another way to sorta mimick register_globals = on by polluting a script with tons of mostly unused variables:

// Do this ONLY if you must, never for new code!
if (!ini_get('register_globals')) {
     $types_to_register = array('GET','POST','COOKIE','SESSION','SERVER');
     foreach ($types_to_register as $type) {
         if (@count(${'HTTP_' . $type . '_VARS'}) > 0) {
             extract(${'HTTP_' . $type . '_VARS'}, EXTR_OVERWRITE);
         }
     }
 }

Back to .htaccess. If your host allows use of .htaccess then create (or modify) this file in your appropriate web directory with this line:

php_value register_globals 1

If you wonder what all this hoopla is about, and what the big deal is about register_globals, then read this manual page:
http://www.php.net/security.registerglobals

And to learn alternative (and preferred) ways for using external variables, read this:
http://www.php.net/variables.external

nickiehow

where did i put this code.

sidney

i may be wrong but is it not
php_flag for boolean
and
php_value for a value

so for register globals i think the htaccess should be
php_flag register_globals 0

philipolson

You're correct. Also, my hacked code is insecure...don't use it.