Register-Globals convert

kkiedrowski

I am new to php [in terms of trying to modify code]
I realise that having globals on is a security rish and of course I want to have it off.
However, some of the opensource code I am testing requires it to be on [old code]
I know it will be a large amount of work a re-write but I also figure it is a good way for me to learn.
In searching I have found that I need to change how the variables are collected, but in the code what shold I be looking for? Is there specific syntax for the way variables that require globals are setup?

tikal

Not 100% sure exactly what your question is, so I hope the following helps...

One example is here

<manual snip>
register_globals boolean
Tells whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. For example; if register_globals = on, the url http://www.example.com/test.php?id=3 will produce $id. Or, $DOCUMENT_ROOT from $SERVER['DOCUMENT_ROOT']. You may want to turn this off if you don't want to clutter your scripts' global scope with user data. As of PHP » 4.2.0, this directive defaults to off. It's preferred to go through PHP Predefined Variables instead, such as the superglobals: $ENV, $GET, $POST, $COOKIE, and $SERVER. Please read the security chapter on Using register_globals for related information.

Please note that register_globals cannot be set at runtime (ini_set()). Although, you can use .htaccess if your host allows it as described above. An example .htaccess entry: php_flag register_globals on.

</snip>

I'm not an expert, but as I understand the subject detecting the code will be difficult as (in the above example) the GET data in the url will just appear as $id in your code, as opposed to $_GET['id'] ie the GET data variable look like any other variables in the code.

If you haven't done so I recommend you download the enhanced CHM php Manual from php.net

I found this user comment which may be of help to you:

alexsp at olywa dot net (03-May-2003 01:26)

For those of us who don't have the luxery of upgrading to the latest version of PHP on all of the servers we use but want to use the same variable names that are used in the latest version for super global arrays here's a snippet of code that will help:
// Makes available those super global arrays that are made available
// in versions of PHP after v4.1.0.
if (isset ($HTTP_SERVER_VARS))
{
$_SERVER = &$HTTP_SERVER_VARS;
}

if (isset ($HTTP_GET_VARS))
{
$_GET = &$HTTP_GET_VARS;
}

if (isset ($HTTP_POST_VARS))
{
$_POST = &$HTTP_POST_VARS;
}

if (isset ($HTTP_COOKIE_VARS))
{
$_COOKIE = &$HTTP_COOKIE_VARS;
}

if (isset ($HTTP_POST_FILES))
{
$_FILES = &$HTTP_POST_FILES;
}

if (isset ($HTTP_ENV_VARS))
{
$_ENV = &$HTTP_ENV_VARS;
}

if (isset ($HTTP_SESSION_VARS))
{
$_SESSION = &$HTTP_SESSION_VARS;
}
The only downfall to this is that there's no way to make them super global. Chances are, though, if you're using a lot of global arrays in your code you should consider a code redesign! 🙂 Hope this helps.

For your sake I hope they used meaningful variable names!

kkiedrowski

Oh boy!
I think I am in for some fun.
YEah I just needed to know how to convert to code so I can set register_globals to off