scanreg Posted September 29, 2010

In the following code,

    // Register Globals
    if (ini_get('register_globals')) {
        ini_set('session.use_cookies', 'On');
        ini_set('session.use_trans_sid', 'Off');
        session_set_cookie_params(0, '/');
        session_start();
        $globals = array($_REQUEST, $_SESSION, $_SERVER, $_FILES);
        foreach ($globals as $global) {
            foreach (array_keys($global) as $key) {
                unset($$key);
            }
        }
    }

the above destroys all globals if register_globals is on, as I understand it. However, if it does destroy all globals, can a web form continue to work? How do you allow form fields and other stuff to be used in a script even if you kill all the globals up front?

Many thanks

Link to comment https://forums.phpfreaks.com/topic/214719-confused-about-mimicing-register_globals-on-and-destroying-all-globals/
PFMaBiSmAd Posted September 29, 2010

If register_globals are on, the posted code unsets any program (global) variables that match any of the $_REQUEST, $_SESSION, $_SERVER, $_FILES key names. While that does have the effect of preventing a hacker from setting your program variables, it would also prevent your code from working correctly if there are any external variables with the same name as your program variables at the point in your code where you run the posted logic.

You access form variables using the correct $_GET or $_POST variable name ($_REQUEST should not be used because it is about as insecure as having register_globals on.)
scanreg (Author) Posted September 29, 2010

Ah, I think I get it, even though you have unset $_REQUEST, $_SESSION, $_SERVER, $_FILES --- $_GET and $_POST should still work.

But all the session stuff is dead too, right? So, with the above code you could never use sessions (?)

Thanks
AbraCadaver Posted September 29, 2010

$_SESSION is not part of the register_globals, only Environment, GET, POST, Cookie, Server. If there is a $_GET['somevar'] then register globals would extract this into the global scope and you would have $somevar. The code you posted would unset $somevar but $_GET['somevar'] is still available.

This would be easier:

    // $_REQUEST = GET, POST, COOKIE / $_FILES is a POST operation
    $globals = array_keys(array_merge($_REQUEST, $_FILES, $_SERVER, $_ENV));
    foreach ($globals as $key) {
        unset($$key);
    }
PFMaBiSmAd Posted September 29, 2010

$_SESSION is part of register_globals, that's why so many scripts were taken over. Hackers set the session variables saying they were logged in as the administrator to scripts, simply by putting same name get parameters on the end of URLs.

Register_globals were turned off by default over 8 years ago and since the code you are writing should not be using register_globals methods and/or you should not still be using any old code that is dependent on register_globals, there's no point in the code you have shown in this thread. It does not belong in any current script.
scanreg (Author) Posted September 29, 2010

> $_SESSION is part of register_globals

Thought so, too

Thanks
AbraCadaver Posted September 29, 2010

Yeah, my bad. It's early and has been years since I had to worry about it.

    // after session_start()
    $globals = array_keys(array_merge($_SESSION, $_REQUEST, $_FILES, $_SERVER, $_ENV));
    foreach ($globals as $key) {
        unset($$key);
    }

So, if there is a $_SESSION['somevar'] then register globals would extract this into the global scope and you would have $somevar. The code you posted would unset $somevar but $_SESSION['somevar'] is still available.
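Pulling the thread's corrections together as an added example (this is not code posted by anyone in the thread): the loop has to run after session_start() so that $_SESSION keys are included, it must never unset a superglobal itself, and if it is wrapped in a function it has to go through $GLOBALS, because unset($$key) inside a function only touches a local variable. It assumes PHP 5.3 with register_globals=On (the directive no longer exists in PHP 5.4 and later); the function name unregister_globals() and the form field and session key names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.3 with register_globals=On;
// the directive was removed in PHP 5.4, so this is only a stopgap for an old host.
// The function name unregister_globals() and the field/key names below are hypothetical.

function unregister_globals()
{
    if (!ini_get('register_globals')) {
        return; // nothing was copied into the global scope, so there is nothing to undo
    }
    if (session_id() === '') {
        session_start(); // $_SESSION keys are only known once the session is loaded
    }

    // Every source register_globals copies into the global scope (E, G, P, C, S) plus the session.
    $sources = array($_SESSION, $_ENV, $_GET, $_POST, $_COOKIE, $_SERVER, $_FILES);

    // Never unset a superglobal itself, even if a request carries a parameter named like one.
    $protected = array('GLOBALS', '_SESSION', '_ENV', '_GET', '_POST', '_COOKIE',
                       '_SERVER', '_FILES', '_REQUEST');

    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            if (in_array($key, $protected, true)) {
                continue;
            }
            // unset($$key) here would only drop a local variable of this function;
            // the injected copies live in the global symbol table.
            unset($GLOBALS[$key]);
        }
    }
}

unregister_globals();

// Form handling keeps working because input is read from the superglobals, which the
// loop above leaves intact; only the bare variables register_globals injected are gone.
$username = isset($_POST['username']) ? trim($_POST['username']) : '';

// Authorization state comes from the server-side session only. A request parameter
// named logged_in would have been injected as $logged_in before this script ran;
// after unregister_globals() that variable no longer exists, and the decision below
// cannot be influenced by it.
$isLoggedIn = isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true;

if (!$isLoggedIn) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not logged in');
}

echo 'Hello, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
```

The $GLOBALS form is the important difference from the one-liners in the thread: the original snippets work only because they sit at top level, and the moment someone moves that loop into an include-file function it silently stops doing anything. Reading $_POST and $_SESSION directly, as PFMaBiSmAd recommends, is what keeps the form usable after the cleanup.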