kobel4k3r5 Posted September 13, 2006

Hi, I'm new here but anyways, I need some help. I'm not sure how register_globals works exactly. If I'm correct, when register_globals is on, passing a variable in the URL will default it to that. Example: http://www.mywebsite.com/?id=4 will make $id set to 4. But can users input $_POST variables or $_SESSION variables through the URL also? Because I have a website that is like http://www.mywebsite.com/profile.php?id=65 and changing the id to another number goes to their profile.php page, and if they would do the same just for the login page, would $_POST data be caught? Like... http://www.mywebsite.com/login.php?username=billy&password=bob

PigsHidePies Posted September 13, 2006

I recommend register_globals=off, use sessions and by default it will use cookies or if need be, a URL with the SID in it but basically it is much more secure than having the username/password sent over the URL in plain text. I recommend avoiding that at all costs. The difference between the two types of variable retrieval is that POST does not go over the URL whereas GET does. Generally it is more widely used for sensitive information. GET is good for things that aren't that important/can't cause that much damage. If you are dealing with MySQL queries that insert or delete things you should generally use POST, if you are only retrieving information to be displayed GET might be acceptable to use.

zq29 Posted September 13, 2006

Yes, register_globals should be switched off, for security reasons over anything else - check the manual for more information on that. As far as I understand, what register_globals actually does, it registers global variables. So, once you create them they are available throughout your PHP pages. For example, on page one we define the variable '$name' and assign the value 'Kris', then on page two we can just echo $name and it will print 'Kris' to the screen, this is without passing it via get, post, cookie or session. Please, anyone, correct me if I have misunderstood register_globals.

extrovertive Posted September 13, 2006

Turning off register globals allows you to manually filter out data that are from the client. That way, you know what variables are ones you declared and ones which are retrieved from your visitor - for filtering, validation, and security reasons.

Jenk Posted September 13, 2006

SemiApocalyptic wrote:
> Yes, register_globals should be switched off, for security reasons over anything else - check the manual for more information on that. As far as I understand, what register_globals actually does, it registers global variables. So, once you create them they are available throughout your PHP pages. For example, on page one we define the variable '$name' and assign the value 'Kris', then on page two we can just echo $name and it will print 'Kris' to the screen, this is without passing it via get, post, cookie or session. Please, anyone, correct me if I have misunderstood register_globals.

Not quite correct, it doesn't register session variables for you (your example with $name will not work with register_globals alone.)

All register globals does is define each index of $_REQUEST, $_SESSION and $_SERVER as a standalone variable in the global namespace.

zq29 Posted September 13, 2006

Thanks for clearing that up Jenk :)

kobel4k3r5 Posted September 13, 2006

Does register_globals catch $_POST?

Example: I have a login form

username: [ ]
password: [ ]
[submit] [reset]

and the user and pass are sent as $_POST['username'] and $_POST['password']. Would users be able to login by just submitting those values within the URL?

Jenk Posted September 13, 2006

In a roundabout way, yes.

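The behaviour discussed in this thread, as an added example that is not part of any post: once request data is flattened into plain variables, a script cannot tell a query-string value from a form field, whereas reading `$_POST` explicitly keeps the source visible. Because register_globals no longer exists in current PHP (removed in 5.4), `emulate_register_globals()` is a hypothetical stand-in for it; `read_login()` and the two sample requests are also constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. register_globals was removed
// in PHP 5.4, so emulate_register_globals() is a hypothetical stand-in that
// mimics its merge of request data into one flat set of variable names.
function emulate_register_globals(array $get, array $post, array $cookie): array
{
    // Default G, P, C order: later sources overwrite earlier ones, and the
    // script can no longer tell which source a value came from.
    return array_replace($get, $post, $cookie);
}

// Explicit handling: credentials are accepted only from the body of a POST.
function read_login(array $server, array $post): ?array
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return null; // query-string submissions are refused outright
    }
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    // Reject missing fields and array-valued fields such as username[]=x.
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return null;
    }
    return ['username' => $user, 'password' => $pass];
}

// Constructed request A: login.php?username=billy&password=bob (no form post).
$serverA = ['REQUEST_METHOD' => 'GET'];
$getA    = ['username' => 'billy', 'password' => 'bob'];
$postA   = [];

// Constructed request B: the same fields submitted by the login form.
$serverB = ['REQUEST_METHOD' => 'POST'];
$getB    = [];
$postB   = ['username' => 'billy', 'password' => 'bob'];

// With the emulated merge, both requests yield identical variables.
var_dump(emulate_register_globals($getA, $postA, []) ===
         emulate_register_globals($getB, $postB, []));

// With explicit superglobal access, only request B yields credentials.
var_dump(read_login($serverA, $postA));
var_dump(read_login($serverB, $postB));
```

In a real login script the call would be `read_login($_SERVER, $_POST)`, followed by the actual credential check.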