[RESOLVED] How? Safe alternative to extract($GLOBALS)

sherry

Hello.

What is a safe alternative for using extract($GLOBALS) with register_globals Off?

Also, what effect will there be since register_globals is deprecated in PHP v. 5.3?

Thanks.

bradgrafelman

sherry wrote:
What is a safe alternative for using extract($GLOBALS) with register_globals Off?

Simply don't do it. Use the new superglobals instead (man page: [man]variables.superglobals[/man]).

dagon

just use the array. although if your using $GLOBALS your probably doing something wrong

NogDog

The best solution is to simply not depend on register_globals at all, as mentioned above. If you are using a script that does depend on it and has been working fine, you can use the import_request_variables() function at the top of the script to essentially do the same thing as register_globals. It will not be any riskier than using register_globals in the first place (a risk which is actually very minimal except in certain weird cases where developer would use an uninitialized variable in some strange way that would be dangerous if it happened to have certain values that a malicious user could inject via a url query string or cookie). Of course, that's not to say that this old script is or is not a security hole without a thorough review -- at which point you might as well change it anyway -- but it won't be any worse that it already is if you use this function.

sherry

Thanks everyone for your replies.

I used extract($GLOBALS) so I can use the original form of the variables versus $GLOBALS['varname']. The vars I need are not within the other superglobals.

What is the alternative for use in functions, etc.?

Thanks.

dagon

there's no upside to using

$varname=$GLOBALS['varname'];

then using $varname, over just using $GLOBALS['varname']

the downside is waisted resources, and to my mind harder\slower to debug

sherry

Thanks for your reply, dagon.

What if before using extract($GLOBALS):

  unset $HTTP_SERVER_VARS['QUERY_STRING'];
  unset $_SERVER['QUERY_STRING'];

or something else?

As you can see, I'm trying to figure out a safer way to use extract($GLOBALS) if one exists.

Thanks.

EDIT: Also, why would using $GLOBALS['varname'] be safer?

sherry

CORRECTION:

  unset($HTTP_SERVER_VARS['QUERY_STRING']);
  unset($_SERVER['QUERY_STRING']);

bradgrafelman

Can you show us some real coding examples where you're trying to use this?

Extracting the $GLOBALS array seems strange because a) you're just going to be overwriting variables that already exist (assuming we're not talking about local scopes within a function/class method) with the values that they already hold, or b) extracting the contents of the $POST, $GET, etc. superglobal arrays which simply re-introduces the possibility of exploits caused by the highly deprecated register_globals directive (see manual page: [man]security.globals[/man]).

sherry

Thanks for your reply, bradgrafelman.

I was trying it only once as the first line inside of one function so I wouldn't have to use $GLOBALS['varname'] for quite a few variables everytime each one was needed. The vars I wanted from $GLOBALS were those not part of $POST, $GET et al. Therefore, its purpose was to bring quite a few variables into the namespace of that function using a single statement and be able to use the same format of each variable throughout.

Thanks.

bradgrafelman

sherry wrote:
its purpose was to bring quite a few variables into the namespace of that function using a single statement and be able to use the same format of each variable throughout.

In that case, you should either a) use the [man]global[/man] keyword to bring whichever global variable(s) you need into the function's scope, or b) pass the necessary data into the function as function arguments/parameters.

Note that 'b' is the more preferred/recommend option.

sherry

Thanks for your reply, bradgrafelman.

Historically, I've been using both a) and b). I was just trying to find a way so not having to list each var individually, especially when the numbers of vars start becoming numerous.

Even though I've read up on extract($GLOBALS), for whatever reason, I still don't get what the security holes are.

Q: What are the security holes of extract($GLOBALS) with register_globals OFF?

Thanks.

bradgrafelman

sherry wrote:
Q: What are the security holes of extract($GLOBALS) with register_globals OFF?

The same as if register_globals was On, since you're mimicking its behavior.

sherry

Oh... okay.

I'll mark this 'Thread Resolved.'

Thanks bradgrafelman.

NogDog

It sounds as if some of this might be a candidate for objectification, creating a class with the numerous variables in question being class variables, which can then be accessed within the class's methods via $this-> or $self:: as applicable (assuming there is a logical reason to group these functions and variables together into a single class).

sherry

Thanks NogDog.

I really like your suggestion for objectification.

(Also, see http://www.phpbuilder.com/board/showthread.php?t=10378148 )

Thanks much!