Hi all.

My server emailed me today telling me the following:
"Currently PHP Register Globals is set to ON across our entire network of servers and will be changed to OFF."

I don't exactly know what this means. I use a lot of address bar variables via $_GET, e.g. the id of a page will dictate its content: for mypage.php?id=100923 the id of the page would be 100923. Would this still work? I really have no idea what effect this will have and my server are not being cooperative with their responses.

How would one drop the need for Register Globals to be set as ON?

Thanks for your help!

Michael
If you want to make your pages safe, putting variable code near the top of each page fixes all problems.
For instance, if a form is getting submitted, go to the page that it is getting submitted to and prepare them all, like they should be done anyway:

[code=php:0]
$variable1 = $_GET['variable1'];
$variable2 = $_GET['variable2'];
[/code]

If you're not sure whether they are coming from GET or POST, or you're not that good at PHP yet to know which is which, then for each variable put

[code=php:0]
if ($_GET['variablename']) {
    $variablename = $_GET['variablename'];
} elseif ($_POST['variablename']) {
    $variablename = $_POST['variablename'];
}
[/code]

and do that for each variable; it'll solve most of your register global problems.
You also need to check they exist before you try to use them.

[code=php:0]
$variable1 = $_GET['variable1'];
[/code]

Will produce a warning if $_GET['variable1'] does not exist. Use...

[code=php:0]
$variable1 = ($_GET['variable1']) ? $_GET['variable1'] : "";
[/code]

to be safe.
You should use isset. Don't use GET/POST on its own when checking whether they exist or not:
[code=php:0]$variable1 = (isset($_GET['variable1']) && !empty($_GET['variable1'])) ? $_GET['variable1'] : "";[/code]
hi. yes, as lots of others have mentioned, using $_GET/$_POST (and properly checking for them) is what you must do. but i think people kind of skipped to step C and forgot about point B.

since your register_globals is set to ON, when you pass a variable through your address bar like

[b]index.php?id=123 [/b]

you can access it by simply doing something like this:

[b]echo $id;[/b]

well when they turn register_globals OFF, you can no longer do that. when you pass a variable through the address bar like above, you now have to access it like this:

[b]echo $_GET['id'];[/b]

same thing with posted variables from forms.  with register_globals set to ON, when you had a form and had a text input tag called name='blah' and you click submit, you can then access in your processing script by simply using $blah.  Well now you have to use $_POST['blah'] or $_GET['blah'] depending on your form's method. 

$_POST and $_GET are arrays. treat them like arrays, because that's what they are. They are arrays of your variables passed to your next script from forms or address bars or whatever, and each array element's name is the name of your variable.

$_POST['variablename']

from here, you can then go back to the previous posts as far as checking to make sure they exist/are legit/convert them back to regular $variablename for your coding pleasure. 



Wow. You guys outdid yourselves. So, as long as I use $_GET, $_POST, $_REQUEST and define where the variable is coming from, everything will work? And also this verification of all the variables, is there a way you can do this by not adding extra code for each $_GET, $_POST, $_REQUEST you have in your code? Is this what obsidian's code was trying to achieve?
yes, what my code is doing is pulling all the variables from the $_REQUEST array (which contains both $_GET and $_POST variables inside it), and it is creating individual variables for each one of the elements in that array.
There's also the [url=http://www.php.net/extract]extract()[/url] function, which does the same thing as obsidian's loop. It can do more, so read the manual page.

[code]<?php
if (!empty($_POST)) extract($_POST);
if (!empty($_GET)) extract($_GET);
?>[/code]

But I would get used to using the explicit $_POST and/or $_GET references (as well as $_SESSION). It makes life a lot easier when you come back to code after having not seen it for a few months.

Of course after validating the user input, you would probably not use $_GET['xxx'] or $_POST['xxx'], but a reference to the validation array you've filled.

Ken
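
Added example (not part of the original thread or any poster's code): why calling extract() on request arrays brings back the register_globals behaviour, shown next to an allow-list that fills the kind of validation array mentioned above. The `is_admin` and `page` fields, both function names and the sample request are assumptions constructed for illustration.

```php
<?php
// Constructed sample standing in for $_GET so the script runs from the CLI.
// 'id' follows the thread's mypage.php?id=100923; the other keys are hypothetical.
$request = ['id' => '100923', 'page' => 'about<script>', 'is_admin' => '1'];

// extract() with its default EXTR_OVERWRITE flag acts like register_globals:
// every request key becomes a local variable, replacing any that already exist.
function extract_like_register_globals(array $request): bool
{
    $is_admin = false;      // application state, set before input is read
    extract($request);      // the 'is_admin' key in the request replaces it
    return (bool) $is_admin;
}

// Allow-list: only named fields are read, each with its own validation rule.
// Keys that are not listed (such as 'is_admin') never reach the application.
function validated_input(array $request): array
{
    $rules = [
        'id'   => ['filter'  => FILTER_VALIDATE_INT,
                   'options' => ['min_range' => 1]],
        'page' => ['filter'  => FILTER_VALIDATE_REGEXP,
                   'options' => ['regexp' => '/^[a-z0-9_-]{1,32}$/']],
    ];
    // filter_var_array() yields false for a field that fails its filter
    // and null for a field that is absent from the input.
    $clean = filter_var_array($request, $rules);

    $errors = [];
    foreach ($clean as $name => $value) {
        if ($value === false || $value === null) {
            $errors[] = $name;
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

var_dump(extract_like_register_globals($request));
$result = validated_input($request);
var_dump($result['clean']['id'], $result['errors']);
```

With the sample request, the first function reports that request data changed `$is_admin`, while the allow-list returns `id` as an integer, never sees `is_admin`, and lists `page` as invalid.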