
[SOLVED] register_globals off


Brian W


How do I get the functionality of register_globals on when it's off (or gone in php6)?

 

<?php
error_reporting(E_ALL);
$global = array();	
if(is_array($_ENV)){ $global = array_merge($global, $_ENV); }
if(is_array($_GET)){ $global = array_merge($global, $_GET); }
if(is_array($_POST)){ $global = array_merge($global, $_POST); }
if(is_array($_COOKIE)){ $global = array_merge($global, $_COOKIE); }
if(is_array($_SERVER)){ $global = array_merge($global, $_SERVER); }
if(isset($_SESSION) && is_array($_SESSION)){ $global = array_merge($global, $_SESSION); }
//if(is_array($_REQUEST)){ $global = array_merge($global, $_REQUEST); }
//if(is_array($_FILES)){ $global = array_merge($global, $_FILES); }

foreach($global as $varname => $value){
	$$varname = $value;
	//echo $varname." = ". $value."<br>"; 		//For testing, uncomment to see full list.
}
?>

But that doesn't work, so I'm missing some part of what register_globals does.

Please lend me your 2 cents on this one, I'd appreciate it.

If you need to know why, read below... but it's lengthy, and I'll tell you now, I hate register_globals as much as you...

 

 

I had a non-profit come to me wanting to hire me to fix their phpwiki (phpwiki no longer provides support, their site is having the same problem the non-profit was having).

The problem happened when their shared host upgraded to php 5. I messed with it for a while and found that they were dependent on register_globals being on, so I turned it back on in the htaccess and told them that it was fixed for now but the problem would happen again when the host changed the server to php6 and it wouldn't be fixable as is.

So, still working for free, I decided I'd try removing their dependence on register_globals being on, but phpwiki is not a simple application to wrap my mind around, it was poorly built, and I don't want to put much more free time into this (as I don't want to charge them). So, the best way to fix it at the moment, till they can afford to have me build the site from scratch, is to make it act like register_globals is on without it being on.

Link to comment
Share on other sites

register_globals ON means that a variable is accessible by its name $variable, register_globals OFF means that the $variable can only be accessed by its registered global name, $_POST['variable'] if by method POST, or $_GET['variable'] if by method GET, $_SESSION['variable'] if variable is a member of the registered SESSION, and so on.....

 

The SUPER GLOBAL $GLOBALS will contain all the variables that exist in all the other registered globals!

 

 

Link to comment
Share on other sites

What version of phpwiki? The change log indicates support for register_globals off and register_long_arrays off.

 

There are also three functions that are dependent on register_globals and need to be converted to use $_SESSION variables - session_register(), session_is_registered(), and session_unregister()

 

Edit: searching through the current phpwiki files does not show any reference to sessions.

Link to comment
Share on other sites

A folder in the root directory is called "phpwiki-1.3.9"... there are even notes scattered around the code that suggest that they thought they'd patched it to work without register_globals, but this site is proof it needs to be on to work as is. Possibly phpwiki was abandoned because it would be easier to rebuild than to patch it further (there is a ridiculous amount of repeat coding and code overwrites other code for being OOP)?

I haven't really found anything to suggest that this installation is even trying to use sessions besides that when I state session_start() at the beginning of everything, it feeds me an error that somewhere else in the code the session is attempting to be initialized, but they don't seem to use it regardless. Here is my latest attempt:

<?php
error_reporting(E_ALL);
//I have it echo out the variable names and values for testing reasons.
echo "<!-- ";
if(isset($_GET['display'])){ header('Content-type: text/plain'); }
function reg_array($array, $del = ""){
$key = "";
$value = "";
if(is_array($array)){
	foreach($array as $key => $value){
		$key = ltrim(rtrim($key, "]"), "[");

		if(!is_array($value) || $key = 'GLOBALS'){

			global $$key;
			$$key = $value;
			echo $del.$key." = ".$value."\n";

		} else {

			echo $del.$key." value is array\n";
			reg_array($value, $del."	");

			}
		}
	}
return true;
}

reg_array($GLOBALS);
echo " -->";
?>

That seems to be striking a chord with phpwiki, I get several error messages.

Notice: Use of undefined constant DEBUG - assumed 'DEBUG' in /public/vhost/p/pbs/html/pbswiki/lib/ErrorManager.php on line 592

 

Notice: Use of undefined constant _DEBUG_VERBOSE - assumed '_DEBUG_VERBOSE' in /public/vhost/p/pbs/html/pbswiki/lib/ErrorManager.php on line 592

 

lib/prepend.php:138: Notice[8]: Undefined variable: ErrorManager

 

Fatal error: Call to a member function setPostponedErrorMask() on a non-object in /public/vhost/p/pbs/html/pbswiki/lib/prepend.php on line 138

The same errors occur with or without register_globals being on.

Link to comment
Share on other sites

My comments above were based on the 1.2 stable version.

 

Since the 1.3 branch was probably developed after 2002 when register globals were turned off, it is likely that the problems are due to something else that is just php configuration specific or one of the minor differences between php4 and php5. What exactly is the problem?

 

Edit: 1.3.9 was apparently released on 2004-04-12. They are currently at 1.3.14. Perhaps whatever problem you are having has been fixed in the latest 1.3 version.

Link to comment
Share on other sites

When register_globals is off, they get a white screen, no html output whatsoever.

When register_globals is on, the site works almost as well as it did before the server's update.

Those problems include that the users are not being authenticated correctly, they must log in every time they do any action (edit, upload, etc.)

I don't mean to make this a 3rd party application issue and have the subject bumped, so if you're a mod reading this, please don't move it; I'm just trying to learn what register_globals does (and possibly discuss the differences in php version 4 and 5).

Link to comment
Share on other sites

Register globals magically cross populated program/POST/GET/FILES/COOKIE/SESSION/SERVER/ENV variables sharing the same name.

 

For example $_SERVER['PHP_SELF'] produced a program variable $PHP_SELF, $_POST['name'] produced a program variable $name

 

I believe for uploads $_FILES['userfile']['size'] ended up mapped to a program variable like $userfile_size (similar for name, temp_name, error...)

 

Because same name variables overwrite based on the order in which php "registers" the variables, you will see variables with unexplained values when you add something with a name that is already being used and this also allowed hackers to set session variables to any value they wanted by using POST/GET/COOKIE variables to set the SESSION variables.

 

If you have added code that extracts all the post/get/cookie/session/server/env variables into program variables you could be inadvertently overwriting something. Was that code already there or is it something you added?

 

Edit: This link lists the differences between php4 and 5 - http://us3.php.net/manual/en/migration5.php The backward incompatible change link is where most of the issues would be (the other things like using a keyword that is now part of php5 would show up as an error.)

Link to comment
Share on other sites

That's what I have now, $_GET['id']=5 becomes $id = 5.

I added the code in order to try removing their dependency on register_globals... but it's not, that is what I'm worried about. With the function I posted last, I can't change the priorities of the superglobals being made into variables by using "variable variables". With the code I posted first, I can change the order of the array merges to prioritise the superglobals.

But neither function has managed to return anything that even remotely fixes the register_globals thing.

 

Link to comment
Share on other sites

Okay, so I went back to the first code I devised and moved the _ENV array to a higher priority and voilà, it acts just like register_globals on.

Thanks everyone for helping me out on that. I really appreciate the responses. This will save them some money till they can afford to have the site rebuilt.

Link to comment
Share on other sites

There is an auto_globals_jit setting -

 

auto_globals_jit boolean

When enabled, the SERVER and ENV variables are created when they're first used (Just In Time) instead of when the script starts. If these variables are not used within a script, having this directive on will result in a performance gain.

 

Edit: Note to php.net, all the lazy-way shortcuts put into the php language have probably cost three orders of magnitude more in lost troubleshooting time than they ever saved in programmer's typing time.

 

Link to comment
Share on other sites

You can also just use array_merge(), it makes it easier that way. Lots of times you don't know what environments will be loaded on different systems using PHP as module or a CGI binary, so you merge the environments into $_SERVER or whatever super global you want them in. That way you don't have to check if they are in different super globals!

 

example...

 

// all the variables that exist in $_ENV and don't exist in $_SERVER will be placed into $_SERVER

$_SERVER = array_merge ( $_SERVER, $_ENV );

Link to comment
Share on other sites

Thanks, I'll look into auto_globals_jit.

Here is what I ended up with:

<?php
//error_reporting(E_ALL);		//It's a good idea to have this stated when testing.
$global = array();				//Declare $global as an array first.

/*
The below combines the superglobals into one array called $global.
Note:
* Comment out arrays that you do not want to register.
* array_merge() lets later arrays overwrite earlier ones, so move a line up for lower priority:
  if $_GET comes first, $_POST['id'] will overwrite $_GET['id'].
*/

if(is_array($_GET)){ $global = array_merge($global, $_GET); }
if(is_array($_POST)){ $global = array_merge($global, $_POST); }
if(is_array($_ENV)){ $global = array_merge($global, $_ENV); }
if(is_array($_COOKIE)){ $global = array_merge($global, $_COOKIE); }
if(is_array($_SERVER)){ $global = array_merge($global, $_SERVER); }
if(isset($_SESSION) && is_array($_SESSION)){ $global = array_merge($global, $_SESSION); }
//if(is_array($_REQUEST)){ $global = array_merge($global, $_REQUEST); }
//if(is_array($_FILES)){ $global = array_merge($global, $_FILES); }

foreach($global as $varname => $value){
	global $$varname;		//Only has an effect when this file is included from inside a function.
	$$varname = $value;
	//echo $varname." = ". $value."\n"; 		//For testing, uncomment to see full list.
}
?>

The commented text is for if someone else does any work on their site. They have another guy who knows a little php and he usually fixes their problems.

 

Link to comment
Share on other sites
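Added example, not part of any post in this thread: it shows how the merge order in the scripts above decides which source wins a name clash, why a name the session never set can still be filled from the query string, and a narrower allowlist shim that ties each variable to one source. The helper names `merged_globals` and `import_allowed` are hypothetical and the request data is constructed; it assumes PHP 7 or later.

```php
<?php
// Constructed sample data standing in for the superglobals (not from the thread).
$get     = ['id' => '5', 'is_admin' => '1', 'user' => 'mallory'];
$session = ['user' => 'alice'];   // this visitor's session never set is_admin

// Hypothetical helper mirroring the thread's merge: later arrays win name clashes.
function merged_globals(array ...$sources): array
{
    return array_merge([], ...$sources);
}

// Hypothetical narrower shim: every variable name is tied to exactly one source,
// so request input can never supply a value meant to come from the session.
function import_allowed(array $allowlist, array $sources): array
{
    $vars = [];
    foreach ($allowlist as $name => $source) {
        if (isset($sources[$source]) && array_key_exists($name, $sources[$source])) {
            $vars[$name] = $sources[$source][$name];
        }
    }
    return $vars;
}

// Request first, session last (the order used in the final script above).
$a = merged_globals($get, $session);
var_dump($a['user']);       // session value: it was merged last
var_dump($a['is_admin']);   // query-string value: nothing later overwrote it

// Session first, request last: the query string replaces the session value.
$b = merged_globals($session, $get);
var_dump($b['user']);

// Allowlist: 'id' only from GET, 'user' and 'is_admin' only from the session.
$c = import_allowed(
    ['id' => 'get', 'user' => 'session', 'is_admin' => 'session'],
    ['get' => $get, 'session' => $session]
);
var_dump($c);               // is_admin is absent because the session lacks it

// EXTR_SKIP leaves any variable that already exists untouched.
extract($c, EXTR_SKIP);
```

Code that relies on the shim should initialise security-relevant variables such as `$is_admin` itself before use, so an absent value is never read as set.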
