scanreg Posted May 24, 2012 Share Posted May 24, 2012 i'm trying to understand unsetting all globals in form data but still having the desired form data available i've read the following several times but i'm stuck: http://php.net/manual/en/security.globals.php how can you first unset all GLOBALS, _REQUEST, _POST, _GET, _SESSION, and the others, but still be able to retrieve the correct form fields and other needed data? for example (taken from page above), if you run the following: <?php // Unregister_globals: unsets all global variables set from a superglobal array // -------------------- // This is useful if you don't know the configuration of PHP on the server the application // will be run // Place this in the first lines of all of your scripts // Don't forget that the register_global of $_SESSION is done after session_start() so after // each session_start() put a unregister_globals('_SESSION'); function unregister_globals() { if (!ini_get('register_globals')) { return false; } foreach (func_get_args() as $name) { foreach ($GLOBALS[$name] as $key=>$value) { if (isset($GLOBALS[$key])) unset($GLOBALS[$key]); } } } unregister_globals('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES'); ?> haven't you just killed all incoming data, good or bad? how do you then retrieve the desired good-guy fields if you've just zapped all the form stuff? thanks Quote Link to comment Share on other sites More sharing options...
scootstah Posted May 24, 2012 Share Posted May 24, 2012 There is a much easier solution: turn off register_globals in the php.ini. Quote Link to comment Share on other sites More sharing options...
scanreg Posted May 24, 2012 Author Share Posted May 24, 2012 yes, i am aware of this and is done but just trying to understand the protection against register_globals am i correct in thinking that in the case of the function above, if register_globals is on that all incoming data would definitely be killed? in other words, if register_globals is on and the function above is run that there would not be any form or other data available, it would all be unset and unretrievable? thanks Quote Link to comment Share on other sites More sharing options...
scootstah Posted May 24, 2012 Share Posted May 24, 2012 in other words, if register_globals is on and the function above is run that there would not be any form or other data available, it would all be unset and unretrievable? No. The function doesn't unset $_POST, $_GET, etc - it unsets $GLOBALS variables which share keys with those superglobal arrays. Quote Link to comment Share on other sites More sharing options...
scanreg Posted May 24, 2012 Author Share Posted May 24, 2012 No. The function doesn't unset $_POST, $_GET, etc - it unsets $GLOBALS variables which share keys with those superglobal arrays. ah, so unsetting all the $GLOBALS versions of those keys is what is done, but leaves all the superglobals to contain the keys what is the advantage, then (if i'm correct), of still having all those same keys in their respective superglobals (but now filtered out of $GLOBALS)? i know generally that it's good to not allow register_globals so that you don't get stuff like input name=authenticated value=1, but beyond that, what am i missing? why is it good to unset all $GLOBALS but still allow all the superglobal versions of those same keys? thanks Quote Link to comment Share on other sites More sharing options...
scootstah Posted May 24, 2012 Share Posted May 24, 2012 Honestly, I'm not really sure the purpose of that function. I've never worked in an environment where register_globals was a problem, so I've never had to deal with it. What you mostly need to be aware of is initializing your variables before using them, so that it is not possible to inject them. Really though there is little reason to have to bother with register_globals nowadays. They have to be explicitly turned on, and I'm not sure why anyone would do that. In PHP 5.4.0 register_globals is removed altogether. Quote Link to comment Share on other sites More sharing options...
scanreg Posted May 24, 2012 Author Share Posted May 24, 2012 Honestly, I'm not really sure the purpose of that function. I've never worked in an environment where register_globals was a problem, so I've never had to deal with it. What you mostly need to be aware of is initializing your variables before using them, so that it is not possible to inject them. Really though there is little reason to have to bother with register_globals nowadays. They have to be explicitly turned on, and I'm not sure why anyone would do that. In PHP 5.4.0 register_globals is removed altogether. i understand, it is off too i'm just trying to understand in my pea brain the difference between $GLOBALS and superglobals is it, for instance, that superglobals work whether or not register_globals is enabled (so you have to name a variable to use it), but $GLOBALS only works if register_globals is on (thus allowing anything to be registered as a variable)? sorry for making a mountain out of what i'm sure is a simple thing but i've been reading and reading but sadly haven't figured out yet the distinction between $GLOBALS and superglobals, that's kinda what i'm trying to clear up i guess thanks Quote Link to comment Share on other sites More sharing options...
scootstah Posted May 24, 2012 Share Posted May 24, 2012 but $GLOBALS only works if register_globals is on (thus allowing anything to be registered as a variable)? No, $GLOBALS is a big array which holds all the other superglobal arrays, plus anything else you want to be global. Go ahead and run this code: echo '<pre>' . print_r($GLOBALS, true) . '</pre>'; after submitting a form, using a cookie, using querystrings, etc. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.