Getting rid of imported variables

  • Thomas Mlynarczyk

    Getting rid of imported variables

    Hello,

    My provider has set register_globals = On and I can't change the php.ini
    file. Is there a way to unset all the imported get/post etc. variables at
    the beginning of my script?

    Thomas



  • Tony Marston

    #2
    Re: Getting rid of imported variables


    "Thomas Mlynarczyk" <blue_elephant55@hotmail.com> wrote in message
    news:ccb817$535$00$1@news.t-online.com...
    > Hello,
    >
    > My provider has set register_globals = On and I can't change the php.ini
    > file. Is there a way to unset all the imported get/post etc. variables at
    > the beginning of my script?

    You have two possible solutions:-

    a) Use an .htaccess file to turn register_globals OFF for your website.
    b) Use ini_set at the start of the script to turn register_globals off for
    that script.

    HTH

    --
    Tony Marston

    This is Tony Marston's web site, containing personal information plus pages devoted to the Uniface 4GL development language, XML and XSL, PHP and MySQL, and a bit of COBOL





    • Thomas Mlynarczyk

      #3
      Re: Getting rid of imported variables

      Thus spoke Tony Marston:

      > a) Use an .htaccess file to turn register_globals OFF for your
      > website.

      Sounds like the perfect solution. Which syntax must I use?

      > b) Use ini_set at the start of the script to turn
      > register_globals off for that script.

      And it will work? I mean, when ini_set gets executed, isn't it already too
      late?

      Thanks for your help!
      Greetings,
      Thomas




      • Thomas Mlynarczyk

        #4
        Re: Getting rid of imported variables

        Thus spoke Thomas Mlynarczyk:

        >> a) Use an .htaccess file to turn register_globals OFF for your
        >> website.
        >
        > Sounds like the perfect solution. Which syntax must I use?

        Erm - does it still work if PHP is running as CGI, not as an Apache module?



        • Tony Marston

          #5
          Re: Getting rid of imported variables


          "Thomas Mlynarczyk" <blue_elephant55@hotmail.com> wrote in message
          news:ccbp4n$t86$02$1@news.t-online.com...
          > Thus spoke Tony Marston:
          >
          > > a) Use an .htaccess file to turn register_globals OFF for your
          > > website.
          >
          > Sounds like the perfect solution. Which syntax must I use?

          php_value register_globals 0

          > > b) Use ini_set at the start of the script to turn
          > > register_globals off for that script.
          >
          > And it will work? I mean, when ini_set gets executed, isn't it already too
          > late?

          If it didn't work that way then why would it be in the manual? Try it and
          see.

          --
          Tony Marston


          • Tony Marston

            #6
            Re: Getting rid of imported variables


            "Thomas Mlynarczyk" <blue_elephant55@hotmail.com> wrote in message
            news:ccbp8f$teb$02$1@news.t-online.com...
            > Thus spoke Thomas Mlynarczyk:
            >
            > >> a) Use an .htaccess file to turn register_globals OFF for your
            > >> website.
            > >
            > > Sounds like the perfect solution. Which syntax must I use?
            >
            > Erm - does it still work if PHP is running as CGI, not as an Apache
            > module?

            Who on earth still runs PHP as CGI when the Apache module is so much faster?
            The documentation does not identify any difference, so just suck it and see.

            --
            Tony Marston


            • Thomas Mlynarczyk

              #7
              Re: Getting rid of imported variables

              Thus spoke Tony Marston:

              >>> b) Use ini_set at the start of the script to turn
              >>> register_globals off for that script.
              >>
              >> And it will work? I mean, when ini_set gets executed, isn't it
              >> already too late?
              >
              > If it didn't work that way then why would it be in the manual? Try it
              > and see.

              So I did. Didn't work. I guess this particular setting cannot be done this
              way. :-(



              • Chung Leong

                #8
                Re: Getting rid of imported variables


                "Tony Marston" <tony@NOSPAM.demon.co.uk> wrote in message
                news:ccc154$l90$1$830fa7a5@news.demon.co.uk...
                >
                > "Thomas Mlynarczyk" <blue_elephant55@hotmail.com> wrote in message
                > news:ccbp4n$t86$02$1@news.t-online.com...
                > > Thus spoke Tony Marston:
                > >
                > > > a) Use an .htaccess file to turn register_globals OFF for your
                > > > website.
                > >
                > > Sounds like the perfect solution. Which syntax must I use?
                >
                > php_value register_globals 0
                >
                > > > b) Use ini_set at the start of the script to turn
                > > > register_globals off for that script.
                > >
                > > And it will work? I mean, when ini_set gets executed, isn't it already too
                > > late?
                >
                > If it didn't work that way then why would it be in the manual? Try it and
                > see.

                The manual says you can only change register_globals in the system or
                per-dir config.



                • Thomas Mlynarczyk

                  #9
                  Re: Getting rid of imported variables

                  Thus spoke Tony Marston:

                  > Who on earth still runs PHP as CGI when the Apache module is so much
                  > faster?

                  www.1und1.de. Security issues? Or because a change might have negative side
                  effects for existing scripts?

                  > The documentation does not identify any difference, so just
                  > suck it and see.

                  My documentation says "Apache module", so I guess it's not for CGI...




                  • Tony Marston

                    #10
                    Re: Getting rid of imported variables


                    "Thomas Mlynarczyk" <blue_elephant55@hotmail.com> wrote in message
                    news:ccccbv$kfn$06$1@news.t-online.com...
                    > Thus spoke Tony Marston:
                    >
                    > > Who on earth still runs PHP as CGI when the Apache module is so much
                    > > faster?
                    >
                    > www.1und1.de. Security issues? Or because a change might have negative side
                    > effects for existing scripts?

                    What security issues? What makes you think that a PHP script run as CGI
                    would run differently as an Apache module? Surely a PHP script produces the
                    same results whichever mode it is run in?


                    --
                    Tony Marston




                    > > The documentation does not identify any difference, so just
                    > > suck it and see.
                    >
                    > My documentation says "Apache module", so I guess it's not for CGI...



                    • Tony Marston

                      #11
                      Re: Getting rid of imported variables


                      "Thomas Mlynarczyk" <blue_elephant55@hotmail.com> wrote in message
                      news:cccb8r$qth$01$1@news.t-online.com...
                      > Thus spoke Tony Marston:
                      >
                      > >>> b) Use ini_set at the start of the script to turn
                      > >>> register_globals off for that script.
                      > >>
                      > >> And it will work? I mean, when ini_set gets executed, isn't it
                      > >> already too late?
                      > >
                      > > If it didn't work that way then why would it be in the manual? Try it
                      > > and see.
                      >
                      > So I did. Didn't work. I guess this particular setting cannot be done this
                      > way. :-(

                      If you cannot use one of the available options then I guess you are stuffed.
                      As a last resort change to a professional web hosting company, one that does
                      not restrict your options to such a degree.

                      --
                      Tony Marston


                      • Tony Marston

                        #12
                        Re: Getting rid of imported variables


                        "Chung Leong" <chernyshevsky@hotmail.com> wrote in message
                        news:3o-dnV4DzvrRLnTdRVn-gg@comcast.com...
                        >
                        > "Tony Marston" <tony@NOSPAM.demon.co.uk> wrote in message
                        > news:ccc154$l90$1$830fa7a5@news.demon.co.uk...
                        > >
                        > > "Thomas Mlynarczyk" <blue_elephant55@hotmail.com> wrote in message
                        > > news:ccbp4n$t86$02$1@news.t-online.com...
                        > > > Thus spoke Tony Marston:
                        > > >
                        > > > > a) Use an .htaccess file to turn register_globals OFF for your
                        > > > > website.
                        > > >
                        > > > Sounds like the perfect solution. Which syntax must I use?
                        > >
                        > > php_value register_globals 0
                        > >
                        > > > > b) Use ini_set at the start of the script to turn
                        > > > > register_globals off for that script.
                        > > >
                        > > > And it will work? I mean, when ini_set gets executed, isn't it already too
                        > > > late?
                        > >
                        > > If it didn't work that way then why would it be in the manual? Try it and
                        > > see.
                        >
                        > The manual says you can only change register_globals in the system or
                        > per-dir config.

                        Well, one of them should work.

                        --
                        Tony Marston


                        • Andy Hassall

                          #13
                          Re: Getting rid of imported variables

                          On Mon, 5 Jul 2004 22:16:11 +0100, "Tony Marston" <tony@NOSPAM.demon.co.uk>
                          wrote:

                          >"Thomas Mlynarczyk" <blue_elephant55@hotmail.com> wrote in message
                          >news:ccccbv$kfn$06$1@news.t-online.com...
                          >> Thus spoke Tony Marston:
                          >>
                          >>> Who on earth still runs PHP as CGI when the Apache module is so much
                          >>> faster?
                          >>
                          >> www.1und1.de. Security issues? Or because a change might have negative
                          >>side effects for existing scripts?
                          >
                          >What security issues? What makes you think that a PHP script run as CGI
                          >would run differently as an Apache module? Surely a PHP script produces the
                          >same results whichever mode it is run in?

                          More flexibility as to what user it runs as under CGI? Also resource usage
                          will be different for CGI; increased overhead for startup/shutdown, but it
                          doesn't stay loaded in memory like an Apache module. Conceivably this could be
                          appropriate for a site that rarely uses PHP.

                          Running as a module is probably the right choice _most_ of the time.

                          --
                          Andy Hassall <andy@andyh.co.uk> / Space: disk usage analysis tool
                          http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space


                          • lurker

                            #14
                            Re: Getting rid of imported variables

                            Thomas Mlynarczyk wrote:

                            > Hello,
                            >
                            > My provider has set register_globals = On and I can't change the php.ini
                            > file. Is there a way to unset all the imported get/post etc. variables at
                            > the beginning of my script?
                            >
                            > Thomas

                            I found this script on www.php.net that does just what you are looking for. I
                            don't remember where on php.net I found it but it is pretty handy just in case
                            register globals is on.

                            --- Beginning of unregisterglobals.php ---
                            <?php
                            // clean out any globals registered by register_globals being on.

                            // assume it's on by default. there was no option to disable
                            // register_globals in PHP3.
                            $register_globals = true;

                            // ini_get is only in PHP4+
                            if(function_exists('ini_get'))
                            {
                                // We have PHP4, let's find out if register_globals is
                                // enabled.
                                $register_globals = ini_get('register_globals');
                            }

                            if($register_globals)
                            {
                                // Variables to be protected; may
                                // add automatic detection in the
                                // future, but probably not worth
                                // bothering. Just don't set any
                                // variables (constants are fine)
                                // above this point.
                                $protect_vars = array(
                                    'HTTP_ENV_VARS',
                                    'HTTP_GET_VARS',
                                    'HTTP_POST_VARS',
                                    'HTTP_COOKIE_VARS',
                                    'HTTP_POST_FILES',
                                    'HTTP_SERVER_VARS',
                                    'HTTP_SESSION_VARS',
                                    '_ENV',
                                    '_GET',
                                    '_POST',
                                    '_COOKIE',
                                    '_FILES',
                                    '_SERVER',
                                    '_SESSION',
                                    'GLOBALS',
                                    'input_arrays',
                                    'input_array',
                                    'protect_vars'
                                );

                                // Arrays to loop through for input.
                                // Remember, case sensitive.
                                // By default these are just the arrays
                                // register_globals pulls from.
                                $input_arrays = array(
                                    'HTTP_ENV_VARS',
                                    'HTTP_GET_VARS',
                                    'HTTP_POST_VARS',
                                    'HTTP_COOKIE_VARS',
                                    'HTTP_POST_FILES',
                                    'HTTP_SERVER_VARS',
                                    'HTTP_SESSION_VARS'
                                );
                                // Just get the values of each item in $input_arrays;
                                // they are the names of the input arrays.
                                while(list(,$input_array) = each($input_arrays))
                                {
                                    // Just get the key names of each item in the input
                                    // array; they are the names of the possible variables.
                                    while(list($key,) = @each(${$input_array}))
                                    {
                                        // Variable names are case sensitive (in PHP 5
                                        // at least)..but we don't want people having
                                        // variables that get unset just because they
                                        // were capitalised wrong in $protect_vars.
                                        for($i = 0; $i < count($protect_vars); $i++)
                                        {
                                            if(strtolower($protect_vars[$i]) == strtolower($key))
                                            {
                                                continue 2;
                                            }
                                        }

                                        unset(${$key});
                                    }
                                    // Rewind the input array itself (variable variable).
                                    @reset(${$input_array});
                                }
                                unset($register_globals, $protect_vars, $input_arrays, $input_array, $key, $i);
                            }

                            ?>
                            --- Ending of unregisterglobals.php ---


                            • Thomas Mlynarczyk

                              #15
                              Re: Getting rid of imported variables

                              Thus spoke Tony Marston:

                              > If you cannot use one of the available options then I guess you are
                              > stuffed. As a last resort change to a professional web hosting
                              > company, one that does not restrict your options to such a degree.

                              It *is* a professional web hosting company! If I paid more I could have any
                              options I want. Anyway, I am changing my script so the imported variables
                              will no longer disturb me. I was wondering if it was possible to detect if
                              $variable was set by the script or imported? The problem is, if
                              $_GET['variable'] is set, how can I detect if it was overwritten by being
                              set explicitly in the script? (it's an include file and there I cannot know
                              what code might have been run before the file was included). Or could I
                              somehow mess with $GLOBALS to unset everything unwanted?
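
One way to approach the question in the last post, as an added example that is not part of the thread: compare each global against the request value of the same name and remove it only when the two are still identical. The function name, the constant and the sample query string are hypothetical, and the import is emulated so the block runs on a PHP version without register_globals.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.

// Names that must never be removed from the global symbol table.
const PROTECTED_NAMES = [
    'GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
    '_SERVER', '_ENV', '_REQUEST', '_SESSION',
];

/**
 * Remove globals that look like register_globals imports: the name is a key
 * of a request array AND the global still holds the identical value.
 * Returns [names removed, names kept because the script changed the value].
 */
function unregister_imported(array $sources): array
{
    $removed = [];
    $kept = [];
    foreach ($sources as $source) {
        foreach ($source as $name => $value) {
            $name = (string) $name;
            if (in_array($name, PROTECTED_NAMES, true)
                || !array_key_exists($name, $GLOBALS)) {
                continue;
            }
            if ($GLOBALS[$name] === $value) {
                unset($GLOBALS[$name]);   // untouched import: drop it
                $removed[] = $name;
            } else {
                $kept[] = $name;          // value differs: the script set it
            }
        }
    }
    return [$removed, $kept];
}

// Constructed demo input: emulate what register_globals = On would do with
// the query string ?is_admin=1&page=home&theme=dark
$query = ['is_admin' => '1', 'page' => 'home', 'theme' => 'dark'];
foreach ($query as $k => $v) {
    $GLOBALS[$k] = $v;
}

$page  = 'settings';  // overwritten by the script with a different value
$theme = 'dark';      // script assigns the same value the request carried

[$removed, $kept] = unregister_imported([$query]);

echo 'removed: ', implode(', ', $removed), "\n";
echo 'kept:    ', implode(', ', $kept), "\n";
var_dump(isset($is_admin), isset($theme), $page);
```

On a host with register_globals enabled the argument would be the request arrays themselves, e.g. `[$_GET, $_POST, $_COOKIE]`. A global that the script set to the same value as the request is removed too, which the `theme` case shows: value comparison cannot tell the two apart.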

