jandrews3 Posted September 19, 2009

I think I've done a big booboo. My VPS has register globals on, and I've written all of my <form> coding such that the variables pass to the next page without hassle. I've moved one of my sites off of the VPS to another host who apparently doesn't have register globals on. I have to rewrite ALL the code to include $var = $_POST['var'] on any page receiving a form posting, don't I?

Zane Posted September 19, 2009

yep, that's what you get for coding with register_globals on and exactly why it's bad practice... congratulations you've learned something first hand.

you could always just put this at the top of every single script you have

    extract($_REQUEST);

then it would be just as insecure as if you were using register_globals... although... only for those modified pages. Would be like a "register_globals" patch

PFMaBiSmAd Posted September 19, 2009

Considering that register_globals were turned off by default over 7 years ago in php4.2 and have been completely removed in php6; that any code, books, and tutorials that relied on them should have disappeared long ago (7 years in computer/programming time is like a couple of decades in human time); that all the older php programmers stopped using them several years ago; that any new php programmer should not even know how to write code that relies on them; I don't see what the issue is.

You knew sooner or later that you would need to rewrite any code that relied on them to make it secure and make it work without register_globals being on. You have just reached the point where sooner or later met now.

jandrews3 (Author) Posted September 19, 2009

You enjoyed that, didn't you. Yes, I'm evil. I am irresponsible. I did know about this a couple years ago, I just didn't want to go in and add ALL THOSE LINES.

Zane Posted September 19, 2009

really... $var = $_POST['var'] should never really be used. all you're doing is making an exact copy of an already existing completely useful variable.

Now something like

    $var = (!is_null($_POST['var'])) ? $_POST['var'] : null;

I guess you could say that's acceptable since you're actually doing more than just copying the variable. $var then serves a purpose.

PFMaBiSmAd Posted September 19, 2009

> You enjoyed that, didn't you.

Actually, no, I don't enjoy writing about the same old problem over and over and over...

We should not be seeing posts in php programming help forums 7 years after something was changed for security reasons where same name variables overwrite each other giving unexpected results or where external variables stop working simply because the code was moved from one server to another or scripts that are broken into because session variables can be changed by setting an external value.

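The variable-overwrite problem discussed in the posts above, as an added example that is not code from any poster in this thread: extract() on request data beside explicit, whitelisted reads. The field names, the credential check, the helper post_string() and the sample request are constructed for illustration, and the type declarations assume PHP 7 or later.

```php
<?php
// Constructed request data standing in for $_REQUEST (assumption: a login
// form with "user" and "pass" fields; "is_admin" is an extra, unexpected key).
$request = ['user' => 'guest', 'pass' => 'wrong', 'is_admin' => '1'];

// Before: extract() on request data behaves like register_globals for this
// script. Every request key becomes a local variable.
function login_with_extract(array $request): bool
{
    $is_admin = false;      // initialising first does not help:
    extract($request);      // extract() defaults to EXTR_OVERWRITE
    if ($user === 'admin' && $pass === 'correct-horse') {
        $is_admin = true;
    }
    // When the credential check fails, $is_admin still holds whatever
    // the request supplied under that name.
    return (bool) $is_admin;
}

// After: read only the keys the script expects, with a type check and a
// default, so a missing key or an array value (var[]=x) cannot leak through.
function post_string(array $source, string $key, string $default = ''): string
{
    return isset($source[$key]) && is_string($source[$key])
        ? $source[$key]
        : $default;
}

function login_with_explicit_input(array $request): bool
{
    $user = post_string($request, 'user');
    $pass = post_string($request, 'pass');
    // $is_admin is derived only from values the script asked for;
    // no request key can reach it.
    $is_admin = ($user === 'admin' && $pass === 'correct-horse');
    return $is_admin;
}

var_dump(login_with_extract($request));
var_dump(login_with_explicit_input($request));
```

Run from the command line with `php`, the two var_dump() calls show the difference between the two approaches for the same constructed request.
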