Problems with global variables in PHP

[Xu Wei Jie]

Hi all,

Anyone have problems with global variables in PHP? Thanks

What are the issues in using them?

[premiso]

In what context are they being used? There are correct ways to use globals and incorrect ways.

 

Maybe a code example will help clear up what your intentions are.

[Xu Wei Jie]

<?php

function ab()

{

    global $a;

    $a=2+2;

}

 

ab();

echo $a;

?>

 

what could be the contexts that a global variable can be wrongfully used?

My concern of a global variable is that it may get changed almost anywhere in different php files and will be hard to track.

[premiso]

Well making a variable global, when it should be passed as a parameter is one of the contexts. In a function like the above, I would pass $a as a parameter since it is required.

 

Given what you stated, that any file can change what the value might be, sounds like a poor design. You should really use unique variable names and keep them inline so you are not guessing what is being passed.

 

With that example, you would be using them in the wrong context, that is my outlook at least.

[blintas]

Understood you are just trying to understand in general, but maybe you should post your actual script so we can suggest some more viable solutions. Global variables are not always the answer!

[Xu Wei Jie]

<?php

 

$module = array("Staff","Project");

$modeofaction = array("create","copy","edit");

 

$m="";

$ma="";

 

for($i=0;$i<count($module);$i++)

{

$m = $module[$i];

for($j=0;$j<count($modeofaction);$j++)

{

$ma = $modeofaction[$j];

editable_form();

}

}

 

function editable_form()

{

global $m;

global $ma;

 

if($ma=="create")

{

$editable_title = "New $m";

$editable_message = "Please enter the $m data";

$editable_action = $ma;

$editable_nextAction = "confirmNewInstance";

}

else if($ma=="copy")

{

$editable_title = "Copying $m";

$editable_message = "Please modify the $m data";

$editable_action = $ma;

$editable_nextAction = "confirmCopy";

}

else if($ma=="edit")

{

$editable_title = "Edit $m";

$editable_message = "Please edit the $m data";

$editable_action = $ma;

$editable_nextAction = "confirmEdit";

}

 

if (!file_exists("src2"))

mkdir("src2");

 

$myFile = "src2/".$ma.$m."View.php";

$fh = fopen($myFile, 'w') or die("can't open file");

//editable details.........

fclose($fh);

 

}

 

?>

 

This is my script. Why should I pass in as a parameter when it can be declared global? From the scripts I googled, global variables are used the way I coded it. Have I missed out on any implications that a global variable might cause problems?

[blintas]

Do you have register_globals set to ON in your php.ini / .htaccess?

[Xu Wei Jie]

It is off ^.^

[blintas]

...turn it on? 

[premiso]

...turn it on? 

 

Wow dude. That is the worst advice ever.

 

Do not turn on register_globals. Horrible horrible advice. This is being removed in PHP 6 and is depreciated in PHP 5  and turned off by default as of PHP 4.2 (thanks pf) due to security issues.

 

register_globals read there for more information on the security risks etc.

 

EDIT:

This is my script. Why should I pass in as a parameter when it can be declared global? From the scripts I googled, global variables are used the way I coded it. Have I missed out on any implications that a global variable might cause problems?

 

Just because a script is on google does not mean it is coded correct.

 

You should pass that in as a parameter, because it is A the same amount of code or less, and B that way you know what is being passed and you are not second guessing whether that is being changed by another script. Read up on function do not be afraid to pass something as a parameter, that is what functions are meant to do.

[Xu Wei Jie]

I have turned it on and ran the code again. Does it have a difference?

[PFMaBiSmAd]

register_globals were actually turned off by default in php4.2 in the year 2002.

[premiso]

I have turned it on and ran the code again. Does it have a difference?

 

Not in the sense you are using it. I highly suggest turning it off.

 

Register_globals takes data such as $_GET, $_POST and session and cookies and instead of them being an array they are now $variable. This is bad because most people do not fully understand that if you have a session that contains "loggedin" and if that value is true the user is logged in. Given that without proper checks, anyone can pass $loggedin via Get and be considered logged in.

 

That is the short version, do not turn it on. Leave it off. This has nothing to do with your question.

[patsfans]

I have turned it on and ran the code again. Does it have a difference?

 

Not in the sense you are using it. I highly suggest turning it off.

 

Register_globals takes data such as $_GET, $_POST and session and cookies and instead of them being an array they are now $variable. This is bad because most people do not fully understand that if you have a session that contains "loggedin" and if that value is true the user is logged in. Given that without proper checks, anyone can pass $loggedin via Get and be considered logged in.

 

That is the short version, do not turn it on. Leave it off. This has nothing to do with your question.

 

Agreed, and if you absolutely have to use it, place a .htaccess file in the main directory of your domain to enable it so that it's not enabled server wide.  If you're on a shared account and don't have control of those settings that's the easiest solution.  But use it as a temporary one until you convert your code over.