
$HTTP_REFER, $PHP_SELF, $QUERY_STRING


darkwolf


Previous versions of PHP (older than v5) had register_globals turned on in the php.ini file, but since PHP 5 it is disabled by default, and the word is out that starting with PHP 6, PHP will no longer support register_globals.

 

If you don't know what register_globals is, here is my take on it:

If register_globals is turned on, PHP creates (registers) a variable for everything in the globals arrays ($_POST, $_GET, $_SERVER...). Basically, if you have something like $_POST['myFile'], PHP will create a $myFile variable for you that holds the same value as $_POST['myFile'] (same goes for $_SERVER['PHP_SELF'] and the others that you mentioned).

 

Now the reason for PHP to remove/disable register_globals:

Let's say that I check my login using the variable $isLoggedIn. The variable is set to 1 when I enter the correct username and password and set to 0 if I don't enter the correct username and password. This variable is then used to determine what I can access (e.g. if($isLoggedIn==1){//Do something} else {//Go back to login page}). Now if register_globals is turned on and I am aware that the code uses the $isLoggedIn variable to manage access, I don't need to have the specific username and password to log in. Instead I can just call the variable in the URL and have it established (e.g. http://mysite.com/login.php?isLoggedIn=1). Now I have access to everything without logging in.

 

 

Note: there are ways to prevent people from "hacking" into your website even when register_globals is turned on, but it requires more work.

 

 

Let me know if you need more explanation,

Saf
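
The bypass described in the post above, next to a check that is not affected by it, as an added example that is not part of the original thread. PHP removed register_globals in 5.4, so extract() stands in for it here; the function names, the demo account and its password are constructed for illustration.

```php
<?php
// Constructed demo account; a real application would look the hash up in its user store.
function check_credentials(string $user, string $pass): bool {
    static $hash = null;
    $hash ??= password_hash('constructed-password', PASSWORD_DEFAULT);
    return $user === 'demo' && password_verify($pass, $hash);
}

// Vulnerable pattern: extract() on request data reproduces what register_globals
// did, and $isLoggedIn is only assigned when credentials are submitted. On any
// other request the value comes straight from the request parameters.
function vulnerable_check(array $request): bool {
    extract($request);
    if (isset($username, $password)) {
        $isLoggedIn = check_credentials((string)$username, (string)$password) ? 1 : 0;
    }
    return isset($isLoggedIn) && $isLoggedIn == 1;
}

// Hardened pattern: the flag is always initialised, input is read only from the
// named superglobal it is expected in, and login state lives in the server-side
// session. The query string ($get) is never consulted for the login state.
function hardened_check(array $get, array $post, array $session): bool {
    $isLoggedIn = false;
    if (isset($post['username'], $post['password'])) {
        $isLoggedIn = check_credentials((string)$post['username'], (string)$post['password']);
    } elseif (isset($session['isLoggedIn'])) {
        $isLoggedIn = ($session['isLoggedIn'] === true);
    }
    return $isLoggedIn;
}

// Constructed requests.
$forged = ['isLoggedIn' => '1'];   // login.php?isLoggedIn=1 from the post
$login  = ['username' => 'demo', 'password' => 'constructed-password'];

echo "vulnerable, forged query string: ";
var_dump(vulnerable_check($forged));
echo "hardened, forged query string:   ";
var_dump(hardened_check($forged, [], []));
echo "hardened, valid POST login:      ";
var_dump(hardened_check([], $login, []));
echo "hardened, existing session:      ";
var_dump(hardened_check($forged, [], ['isLoggedIn' => true]));
```

In a real page the three arrays would be $_GET, $_POST and $_SESSION, with session_start() called before the check.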

Archived

This topic is now archived and is closed to further replies.
