How to remove register_globals dependency from my code?

  • Breana
    New Member
    • Aug 2007
    • 117

    How to remove register_globals dependency from my code?

    As I posted before, I started this project on a premade script from a UK site a year back, but I never knew at that time, after 5000000000 hours of hard work, and now people tell me it was bad to use RG...

    So I need an expert's help removing the requirement for it, and I know, ask the maker; his site is gone and host banned... :( So I am all alone here....

    I made a zip file with all the backend files (common, process) and I can send it to anyone willing to help me.
    I have no clue where to start.. I just want evil PHP troll dead...
  • Atli
    Recognized Expert Expert
    • Nov 2006
    • 5062

    #2
    Hi Breana.

    What you need to do is find all variables in your scripts that belong to one of the super-globals and exchange them for their respective element in the super-global arrays.

    If that doesn't make sense (which is likely given my lack of sleep lately) perhaps this will make more sense:

    Let's say that you are accepting a user-name and a password from an HTML form. If your code assumes that the register_globals constant is enabled, it may look like this:
    [code=php]
    <?php
    # Relies on register_globals: the form fields show up as plain variables
    if(isset($formSubmit)) {
        # Print the user
        echo "<b>You sent this info!</b><br />";
        echo "Username: $username<br />Password: $password";
    }
    ?>
    <form action="?" method="post">
    <input type="text" name="username" /><br />
    <input type="password" name="password" /><br />
    <input type="submit" name="formSubmit" />
    </form>
    [/code]

    To free this code from its dependency on register_globals, you could do this:
    [code=php]
    <?php
    # Read each field from the $_POST super-global instead of a bare variable
    if(isset($_POST['formSubmit'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];

        # Print the user
        echo "<b>You sent this info!</b><br />";
        echo "Username: $username<br />Password: $password";
    }
    ?>
    <form action="?" method="post">
    <input type="text" name="username" /><br />
    <input type="password" name="password" /><br />
    <input type="submit" name="formSubmit" />
    </form>
    [/code]
    I've skipped all validation, as this is just an example, but in live code you should validate the user input before printing it!

    • Breana
      New Member
      • Aug 2007
      • 117

      #3
      I am kind of lost, do I need to remove the session and "$_REQUEST['login']" too? I don't understand this at all. I am trying to learn here but this is bizarre to me..

      This is what I came up with, hope I understood you :)
      [PHP]<?php
      if(isset($_POST['formSubmit'])) {
          $username = $_POST['username'];
          $password = $_POST['password'];
          $sql = "select * from users where login = '$login' and password = '" . sha1($password) . "'";
          $result = mysql_query($sql, $db);
          if ($myrow = mysql_fetch_array($result)) {

              do {

                  $uid = $myrow["userid"];
                  $uname = $myrow["login"];

              } while ($myrow = mysql_fetch_array($result));

              $loggedin = true;
              $upwd = $password;
              echo 'session_register("loggedin")';

              session_register("upwd");
              session_register("uid");
              session_register("uname");
              //Print the user
              echo "<p align='center'><font size='2' face='Arial'><br />
      <b>Welcome back</b>, You will be redirected in <font color='#FF0000'>3</font> seconds!<br />
      <br />
      <img src='images/ajax_loading.gif' alt='Loading' width='32' height='32' /><br />
      <br />
      Or <a href='index.php'>Click here</a> if you don't want to wait!</font></p>";
              echo "Username: $username<br />Password: $password";
          } else {
              $loggedin = false;
              $upwd = "";
              $uid = "";
              $uname = "";
              echo "<img src='images/invalid.gif' width='402' height='107' /><br /><b><font color='#FF0000'>Sorry,</font></b> that ID or Password is not valid.<br /><br /><br />If you have forgotten your password <a href='forgot.php'>Reset Password</a>. <br />If you are a new user you will need to <a href='newuser.php'>Create A New Account!</a>";

          }
      }
      ?>[/PHP]
      Last edited by Breana; Sep 27 '07, 02:34 PM. Reason: Error in code

      • Atli
        Recognized Expert Expert
        • Nov 2006
        • 5062

        #4
        That code looks fine. Shouldn't have any problems with register_globals disabled.

        The register_globals constant, when enabled, basically does exactly what this code does:
        [code=php]
        # The order of this may vary
        extract($_REQUEST, EXTR_OVERWRITE);
        extract($_SESSION, EXTR_OVERWRITE);
        [/code]
        This basically takes all elements from those arrays and imports them into the global scope, making them available as regular variables rather than array elements.

        For example:
        [code=php]
        # If register_globals is enabled this:
        echo $_POST['myFormInput'];

        # can also be accessed like this:
        echo $myFormInput;

        # They are one and the same thing
        [/code]
        Which is a very bad thing, as PHP is creating extra variables in the global scope that have not been verified and may never even be used.
        Not to mention that if an element in one of the super-global arrays has the same name as an element in one of the other super-globals, only one of them can be extracted as a variable, which can easily cause problems.

        So, by disabling the register_globals directive, PHP will no longer create these extra variables in the global scope, which makes your code more secure as well as boosting performance.
        Last edited by Atli; Sep 27 '07, 03:42 PM. Reason: Re-phrased some of the text.
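
What the two `extract()` calls in post #4 mean in practice, as an added example that is not code from the thread: a flag the script never initialises takes its value from the request, and which `uname` survives a name clash depends only on the import order. The helper names and the sample arrays are constructed for illustration.

```php
<?php
// Constructed sample data standing in for a single request (not from the thread).
$request = ['uname' => 'someone-else', 'loggedin' => '1'];  // chosen by the client
$session = ['uname' => 'breana'];                           // stored by the server

// Hypothetical helper: flattens both arrays into one scope, as the extract()
// calls in post #4 do. $sessionLast selects the import order.
function legacy_scope(array $request, array $session, bool $sessionLast): array
{
    foreach ($sessionLast ? [$request, $session] : [$session, $request] as $source) {
        extract($source, EXTR_OVERWRITE);
    }
    // The script never set $loggedin itself, so the only value it can have
    // here is one that came in through the imported arrays.
    return ['uname' => $uname ?? null, 'loggedin' => !empty($loggedin)];
}

// Hypothetical helper: the same two values with register_globals out of the
// picture. Each one is read from the single array it belongs to, and the
// flag defaults to false unless the server stored it.
function explicit_scope(array $session): array
{
    return [
        'uname'    => isset($session['uname']) ? (string) $session['uname'] : null,
        'loggedin' => isset($session['loggedin']) && $session['loggedin'] === true,
    ];
}

foreach ([true, false] as $sessionLast) {
    echo 'legacy, session imported ', $sessionLast ? 'last' : 'first', ': ',
         json_encode(legacy_scope($request, $session, $sessionLast)), "\n";
}
echo 'explicit: ', json_encode(explicit_scope($session)), "\n";
```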

        • Atli
          Recognized Expert Expert
          • Nov 2006
          • 5062

          #5
          I've re-phrased the title of this thread to make it a little clearer.
          Please do not use phrases like 'need help' in thread titles.
          Check out the Posting guidelines for tips on how to create good thread titles.

          Moderator

          • Breana
            New Member
            • Aug 2007
            • 117

            #6
            Nope... it doesn't work.
            Won't validate the user... keeps saying badlogin on a good id + pass

            I am just going to search for a pre-made cheatcode CMS and use it.
            If anyone here knows of a good free one, IM me please. :(

            • Atli
              Recognized Expert Expert
              • Nov 2006
              • 5062

              #7
              Originally posted by Breana
              Nope... it doesn't work.
              Won't validate the user... keeps saying badlogin on a good id + pass

              I am just going to search for a pre-made cheatcode CMS and use it.
              If anyone here knows of a good free one, IM me please. :(
              Sorry to hear that.
              Before you give up on your script, did you echo the contents of the $_POST array? Was there any data?
              This could be something as simple as magic_quotes_gpc being enabled and adding extra quote marks to your variables.
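
A login handler written without any register_globals behaviour, as an added example that is not code from the thread: every input is read from an explicit array (the query in post #3 interpolates `$login`, which that snippet never assigns), and the session array is written directly instead of calling `session_register()`. Assumptions: the form fields are named `login` and `password`; PDO with an in-memory SQLite database and `password_hash()` stand in for the thread's `mysql_*` calls and `sha1()`; the user row is constructed sample data.

```php
<?php
// Constructed in-memory database so the example runs offline. Table and column
// names follow the query in post #3; the user row is made up.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, login TEXT UNIQUE, password TEXT)');
$db->prepare('INSERT INTO users (login, password) VALUES (?, ?)')
   ->execute(['breana', password_hash('s3cret-sample', PASSWORD_DEFAULT)]);

// Hypothetical helper: $post stands in for $_POST and $session for $_SESSION,
// so nothing here depends on variables PHP creates on its own.
function handle_login(PDO $db, array $post, array &$session): bool
{
    // Assumed field names; use the names from your own form.
    $login    = isset($post['login']) && is_string($post['login']) ? trim($post['login']) : '';
    $password = isset($post['password']) && is_string($post['password']) ? $post['password'] : '';
    $session['loggedin'] = false;   // explicit default, set before any check

    if ($login === '' || $password === '') {
        return false;
    }
    // Placeholder binding keeps the submitted value out of the SQL text.
    $stmt = $db->prepare('SELECT userid, login, password FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Replaces session_register(): assign to the session array directly,
    // and keep the password out of it.
    $session['uid']      = (int) $row['userid'];
    $session['uname']    = $row['login'];
    $session['loggedin'] = true;
    return true;
}

$session = [];   // in a real page: call session_start() and pass $_SESSION
$post    = ['login' => 'breana', 'password' => 's3cret-sample', 'formSubmit' => 'Submit'];
if (isset($post['formSubmit']) && handle_login($db, $post, $session)) {
    echo 'Welcome back, ', htmlspecialchars($session['uname'], ENT_QUOTES, 'UTF-8'), "\n";
} else {
    echo "Sorry, that ID or Password is not valid.\n";
}
```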
