
register_globals


kobel4k3r5


Hi, I'm new here but anyways, I need some help. I'm not sure how register_globals works exactly.

If I'm correct, when register_globals is on, passing a variable in the URL will default it to that, for example:

http://www.mywebsite.com/?id=4 will make the $id set to 4. But can users input $_POST variables or $_SESSION variables through the URL also? Because I have a website that is like http://www.mywebsite.com/profile.php?id=65 and changing the id to another number goes to their profile.php page, and if they would do the same just for the login page, would $_POST data be caught? Like...

http://www.mywebsite.com/login.php?username=billy&password=bob

I recommend register_globals=off, use sessions and by default it will use cookies or if need be, a URL with the SID in it but basically it is much more secure than having the username/password sent over the URL in plain text. I recommend avoiding that at all costs. The difference between the two types of variable retrieval is that POST does not go over the URL whereas GET does. Generally it is more widely used for sensitive information. GET is good for things that aren't that important/can't cause that much damage. If you are dealing with mysql queries that insert or delete things you should generally use POST, if you are only retrieving information to be displayed GET might be acceptable to use.

Yes, register_globals should be switched off, for security reasons over anything else - check the manual for more information on that. As far as I understand, what register_globals actually does, it registers global variables. So, once you create them they are available throughout your PHP pages. For example, on page one we define the variable '$name' and assign the value 'Kris', then on page two we can just echo $name and it will print 'Kris' to the screen, this is without passing it via get, post, cookie or session. Please, anyone, correct me if I have misunderstood register_globals.

[quote author=SemiApocalyptic link=topic=107879.msg433253#msg433253 date=1158131109]
Yes, register_globals should be switched off, for security reasons over anything else - check the manual for more information on that. As far as I understand, what register_globals actually does, it registers global variables. So, once you create them they are available throughout your PHP pages. For example, on page one we define the variable '$name' and assign the value 'Kris', then on page two we can just echo $name and it will print 'Kris' to the screen, this is without passing it via get, post, cookie or session. Please, anyone, correct me if I have misunderstood register_globals.
[/quote]
Not quite correct, it doesn't register session variables for you (your example with $name will not work with register_globals alone.)

All register globals does is define each index of $_REQUEST, $_SESSION and $_SERVER as a standalone variable in the global namespace.

Does register_globals catch $_POST?

Example: I have a login form

username: [            ]
password: [            ]

[submit] [reset]

and the user and pass is sent as $_POST['username'] and $_POST['password']. Would users be able to log in by just submitting those values within the URL?
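
The behaviour discussed in this thread, as an added example that is not part of any post above: register_globals was removed in PHP 5.4, so the import is simulated with a loop, and the function names, the sample account and the GET, POST, cookie import order are assumptions made for the illustration.

```php
<?php
// Simulated register_globals import: every request key becomes a plain
// variable name, and later sources overwrite earlier ones (G, P, C order).
function simulate_register_globals(array $get, array $post, array $cookie): array
{
    $globals = [];
    foreach ([$get, $post, $cookie] as $source) {
        foreach ($source as $name => $value) {
            $globals[$name] = $value;
        }
    }
    return $globals;
}

// Login written the register_globals way: it uses $username and $password
// without knowing whether they came from the URL, the form or a cookie.
function login_with_globals(array $globals, array $users): bool
{
    $username = $globals['username'] ?? null;
    $password = $globals['password'] ?? null;
    return is_string($username) && is_string($password)
        && isset($users[$username])
        && password_verify($password, $users[$username]);
}

// Login that names its source: only fields from a POST body are accepted.
function login_post_only(string $method, array $post, array $users): bool
{
    $username = $post['username'] ?? null;
    $password = $post['password'] ?? null;
    return $method === 'POST' && is_string($username) && is_string($password)
        && isset($users[$username])
        && password_verify($password, $users[$username]);
}

// Constructed sample account and credentials.
$users = ['billy' => password_hash('bob', PASSWORD_DEFAULT)];
$creds = ['username' => 'billy', 'password' => 'bob'];

// login.php?username=billy&password=bob : fields arrive via GET, POST is empty.
$fromUrl = simulate_register_globals($creds, [], []);
var_dump(login_with_globals($fromUrl, $users));    // URL request, globals-style check
var_dump(login_post_only('GET', [], $users));      // same URL request, POST-only check
var_dump(login_post_only('POST', $creds, $users)); // normal form submission
```

The globals-style check accepts valid credentials whether they arrive in the query string or the form body, while the POST-only check ignores anything placed in the URL.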
