Am I just registering globals here?

  • Matthew Crouch

    Am I just registering globals here?

    I have a bunch of old sites I need to change to account for the new default
    value register_globals=Off

    The quickest way was to put this in my header file:
    foreach ($HTTP_POST_VARS as $header => $value) {
        $$header = $value;
    }


    Did I just negate the value of the new default value? I'm trying to strike a
    balance so that I don't have to go through dozens of pages, finding all the
    uninitialized variables, and still obtain some of the added security.

    All comments are appreciated. Still reading up on this parameter. thanks


  • André Næss

    #2
    Re: Am I just registering globals here?

    Matthew Crouch:
    > I have a bunch of old sites I need to change to account for the new
    > default value register_globals=Off
    >
    > The quickest way was to put this in my header file:
    > foreach ($HTTP_POST_VARS as $header => $value) {
    >     $$header = $value;
    > }

    That's a workaround, an even simpler solution would be:
    extract($HTTP_POST_VARS);
    extract($HTTP_GET_VARS);

    > Did I just negate the value of the new default value?

    Yes.

    > I'm trying to strike
    > a balance so that I don't have to go through dozens of pages, finding all
    > the uninitialized variables, and still obtain some of the added security.

    The only danger is the use of uninitialized variables, so the only way you
    can fix the security problem is by initializing the variables.

    If you always initialize your variables, there is no difference in the level
    of security between register globals on and off.

    André Næss




    • Justin Koivisto

      #3
      Re: Am I just registering globals here?

      André Næss wrote:
      > Matthew Crouch:
      >
      >> I have a bunch of old sites I need to change to account for the new
      >> default value register_globals=Off
      >>
      >> The quickest way was to put this in my header file:
      >> foreach ($HTTP_POST_VARS as $header => $value) {
      >>     $$header = $value;
      >> }
      >
      > That's a workaround, an even simpler solution would be:
      > extract($HTTP_POST_VARS);
      > extract($HTTP_GET_VARS);
      >
      >> Did I just negate the value of the new default value?
      >
      > Yes.
      >
      >> I'm trying to strike
      >> a balance so that I don't have to go through dozens of pages, finding all
      >> the uninitialized variables, and still obtain some of the added security.
      >
      > The only danger is the use of uninitialized variables, so the only way you
      > can fix the security problem is by initializing the variables.

      This may be an interesting read to you as well:

      > If you always initialize your variables, there is no difference in the level
      > of security between register globals on and off.

      That's true, if you *never* *trust* *user* *input* you're good to go.

      --
      Justin Koivisto - spam@koivi.com
      PHP POSTERS: Please use comp.lang.php for PHP related questions,
      alt.php* groups are not recommended.
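
Added example, not part of any post in this thread: the header-file loop from the question next to the two fixes the replies point to, run against a constructed POST array so it works from the command line on current PHP. `check_login()`, the field names and the function names are hypothetical stand-ins.

```php
<?php
// Constructed request body: the form has only "username", but the client
// also sent a field named after one of the page's internal variables.
$post = ['username' => 'alice', 'authorized' => '1'];

// Hypothetical stand-in for a real credential check; it always fails here.
function check_login(string $user): bool
{
    return false;
}

// Header-file pattern from the thread: every request key becomes a variable.
function legacy_page(array $post): bool
{
    foreach ($post as $header => $value) {
        $$header = $value;              // same effect as extract($post)
    }
    if (check_login($username ?? '')) {
        $authorized = true;
    }
    return !empty($authorized);         // never initialized: request decides
}

// Same import, but the page sets its own state after the header has run.
function initialized_page(array $post): bool
{
    foreach ($post as $header => $value) {
        $$header = $value;
    }
    $authorized = false;                // overwrites anything the import set
    if (check_login($username ?? '')) {
        $authorized = true;
    }
    return $authorized;
}

// No import at all: read only the keys the page expects, with defaults.
function explicit_page(array $post): bool
{
    $username = is_string($post['username'] ?? null) ? $post['username'] : '';
    return check_login($username);
}

var_dump(legacy_page($post), initialized_page($post), explicit_page($post));
```

Only the first function lets the extra request field decide the result. The initialization in the second has to run after the import; placed before it, the import would overwrite it.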
