scanreg Posted May 24, 2012

i'm trying to understand unsetting all globals in form data but still having the desired form data available

i've read the following several times but i'm stuck: http://php.net/manual/en/security.globals.php

how can you first unset all GLOBALS, _REQUEST, _POST, _GET, _SESSION, and the others, but still be able to retrieve the correct form fields and other needed data?

for example (taken from page above), if you run the following:

```php
<?php
// Unregister_globals: unsets all global variables set from a superglobal array
// --------------------
// This is useful if you don't know the configuration of PHP on the server the application
// will be run
// Place this in the first lines of all of your scripts
// Don't forget that the register_global of $_SESSION is done after session_start() so after
// each session_start() put a unregister_globals('_SESSION');
function unregister_globals() {
    if (!ini_get('register_globals')) {
        return false;
    }
    foreach (func_get_args() as $name) {
        foreach ($GLOBALS[$name] as $key => $value) {
            if (isset($GLOBALS[$key])) unset($GLOBALS[$key]);
        }
    }
}

unregister_globals('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES');
?>
```

haven't you just killed all incoming data, good or bad? how do you then retrieve the desired good-guy fields if you've just zapped all the form stuff?

thanks
scootstah Posted May 24, 2012

There is a much easier solution: turn off register_globals in the php.ini.
scanreg Posted May 24, 2012 (Author)

yes, i am aware of this and is done but just trying to understand the protection against register_globals

am i correct in thinking that in the case of the function above, if register_globals is on that all incoming data would definitely be killed? in other words, if register_globals is on and the function above is run that there would not be any form or other data available, it would all be unset and unretrievable?

thanks
scootstah Posted May 24, 2012

> in other words, if register_globals is on and the function above is run that there would not be any form or other data available, it would all be unset and unretrievable?

No. The function doesn't unset $_POST, $_GET, etc - it unsets $GLOBALS variables which share keys with those superglobal arrays.
scanreg Posted May 24, 2012 (Author)

> No. The function doesn't unset $_POST, $_GET, etc - it unsets $GLOBALS variables which share keys with those superglobal arrays.

ah, so unsetting all the $GLOBALS versions of those keys is what is done, but leaves all the superglobals to contain the keys

what is the advantage, then (if i'm correct), of still having all those same keys in their respective superglobals (but now filtered out of $GLOBALS)?

i know generally that it's good to not allow register_globals so that you don't get stuff like input name=authenticated value=1, but beyond that, what am i missing? why is it good to unset all $GLOBALS but still allow all the superglobal versions of those same keys?

thanks
scootstah Posted May 24, 2012

Honestly, I'm not really sure the purpose of that function. I've never worked in an environment where register_globals was a problem, so I've never had to deal with it. What you mostly need to be aware of is initializing your variables before using them, so that it is not possible to inject them.

Really though there is little reason to have to bother with register_globals nowadays. They have to be explicitly turned on, and I'm not sure why anyone would do that. In PHP 5.4.0 register_globals is removed altogether.
scanreg Posted May 24, 2012 (Author)

> Honestly, I'm not really sure the purpose of that function. I've never worked in an environment where register_globals was a problem, so I've never had to deal with it. What you mostly need to be aware of is initializing your variables before using them, so that it is not possible to inject them.
>
> Really though there is little reason to have to bother with register_globals nowadays. They have to be explicitly turned on, and I'm not sure why anyone would do that. In PHP 5.4.0 register_globals is removed altogether.

i understand, it is off too

i'm just trying to understand in my pea brain the difference between $GLOBALS and superglobals

is it, for instance, that superglobals work whether or not register_globals is enabled (so you have to name a variable to use it), but $GLOBALS only works if register_globals is on (thus allowing anything to be registered as a variable)?

sorry for making a mountain out of what i'm sure is a simple thing but i've been reading and reading but sadly haven't figured out yet the distinction between $GLOBALS and superglobals, that's kinda what i'm trying to clear up i guess

thanks
scootstah Posted May 24, 2012

> but $GLOBALS only works if register_globals is on (thus allowing anything to be registered as a variable)?

No, $GLOBALS is a big array which holds all the other superglobal arrays, plus anything else you want to be global. Go ahead and run this code:

```php
echo '<pre>' . print_r($GLOBALS, true) . '</pre>';
```

after submitting a form, using a cookie, using querystrings, etc.
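The two points scootstah makes above (the function only removes the plain-variable copies that register_globals created, and $_POST itself lives inside $GLOBALS) can be checked on a modern PHP where the setting no longer exists. The script below is an added example, not code from the thread or from the PHP manual: it simulates what register_globals used to do with constructed form data, runs the same unset loop as the manual's function, and shows that the form field is still readable from $_POST afterwards. The function names, the `users` table and the sample request are all assumptions made for the demonstration.

```php
<?php
// Added example (not from the thread or the PHP manual). Constructed form
// submission standing in for a real request; "authenticated" is the field
// name from the thread's own example of what register_globals lets through.
$_POST = ['username' => 'alice', 'authenticated' => '1'];

// What register_globals did: every key of a request array became a global
// variable. Simulated here because PHP >= 5.4 has no such setting.
function simulate_register_globals(array $sources) {
    foreach ($sources as $source) {
        foreach ($GLOBALS[$source] as $key => $value) {
            $GLOBALS[$key] = $value;
        }
    }
}

// Same loop as the manual's unregister_globals(), without the ini_get()
// guard, so it runs here where the simulation (not php.ini) made the globals.
function unregister_globals_demo(array $sources) {
    foreach ($sources as $source) {
        foreach ($GLOBALS[$source] as $key => $value) {
            if (isset($GLOBALS[$key])) {
                unset($GLOBALS[$key]);
            }
        }
    }
}

// The classic weakness scootstah describes: the variable is never initialised
// on the failure path, so a same-named global created from the request wins.
function check_login_vulnerable() {
    global $authenticated;
    // a real check would set $authenticated = true only after verifying credentials
    return !empty($authenticated);
}

// Hardened form: explicit default, input read only from the superglobal.
// $users maps usernames to password hashes (constructed for the example).
function check_login_hardened(array $post, array $users) {
    $authenticated = false;   // no request-supplied global can pre-set this
    $username = isset($post['username']) ? (string) $post['username'] : '';
    $password = isset($post['password']) ? (string) $post['password'] : '';
    if (isset($users[$username]) && password_verify($password, $users[$username])) {
        $authenticated = true;
    }
    return $authenticated;
}

simulate_register_globals(['_POST']);
var_dump(isset($GLOBALS['authenticated']));  // bool(true): plain global created from the form
var_dump(check_login_vulnerable());           // bool(true): the uninitialised check is fooled

unregister_globals_demo(['_POST']);
var_dump(isset($GLOBALS['authenticated']));  // bool(false): the injected copy is gone
var_dump(check_login_vulnerable());           // bool(false)
var_dump($_POST['username']);                 // string(5) "alice": form data still available

// The superglobal is itself one entry of $GLOBALS, which is why the loops
// above could reach it as $GLOBALS[$source].
var_dump($GLOBALS['_POST'] === $_POST);       // bool(true)

// With an explicit default and no password in the request, the extra field
// changes nothing.
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
var_dump(check_login_hardened($_POST, $users));                                   // bool(false)
var_dump(check_login_hardened(['username' => 'alice',
                               'password' => 'correct horse battery'], $users));  // bool(true)
```

Run it from the command line with `php example.php`; because $_POST is assigned in the script, no web server or real form submission is needed. The unset loop only ever touches top-level entries of $GLOBALS whose names collide with request keys, so the superglobal arrays themselves are never removed, which is what answers the original question.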