Posted by Michael Fesser on 01/14/08 19:38
..oO(Kurda Yon)
>> Anyway... This happens, when register_globals
>> (http://de.php.net/register_globals) is active (see first comment), which
>> is also a sure sign, that you should really change your hoster because of
>> incompetence.
>
>Will I be able to use global variables after I turn off the
>register_globals?

Sure. You just won't be able to directly access any posted or session
data just by using a variable anymore, you would have to use the arrays
$_GET, $_POST etc. instead.

>In my code I use the global variables extensively,
>and I would not like to rewrite everything. By the way, why is it so
>bad if the register_global is turned on? I do not see any problems in
>the effect that I have described in my first post.

If your scripts are not properly written with register_globals in mind
(and most scripts are not properly written like that), then it's very
easy to overwrite uninitialized internal variables simply by passing a
URL parameter for example:

    if (userIsAuthenticated()) {
        $login = TRUE;
    }
    if ($login) {
        // do something "secure"
    }

You can find a lot of scripts which are written as badly as this simple
example. This code would at least throw a notice on an unauthenticated
run, but E_NOTICE is disabled by default. Then with register_globals
enabled all it needs is <http://example.com/secure.php?login=1> to gain
access. It can get even worse if you use cookies and sessions - all
these data from all the different sources will be put into the global
namespace, overwriting each other in case of a name clash. Good luck
with finding out where the value of a variable actually came from ...

register_globals is BAD (broken as designed) and disabled by default for
good reasons. It will be completely removed in PHP 6. If your code still
relies on it, it's time to start rewriting it.
Micha
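
An added example, not part of the original post: it emulates register_globals with extract(), since current PHP versions no longer have the directive, and runs the snippet from the post beside a version that initializes $login. The always-false userIsAuthenticated() stub, the function names and the sample request values are assumptions made for the demonstration.

```php
<?php
// Stand-in for the post's userIsAuthenticated() (assumption): not logged in.
function userIsAuthenticated(): bool
{
    return false;
}

// Emulates register_globals: request sources are merged into one namespace,
// a later source silently overwriting an earlier one on a name clash.
function emulateRegisterGlobals(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// The post's snippet with register_globals in effect.
function vulnerablePage(array $globals): bool
{
    extract($globals);          // request data becomes plain variables
    if (userIsAuthenticated()) {
        $login = true;
    }
    return !empty($login);      // $login is never initialized by the script
}

// Same logic, written so request data cannot reach internal variables.
function hardenedPage(array $get): bool
{
    $login = false;             // initialize before use
    if (userIsAuthenticated()) {
        $login = true;
    }
    // Request values are read only by name from their own array.
    $page = isset($get['page']) ? (int) $get['page'] : 1;
    return $login && $page >= 1;
}

// Constructed request: secure.php?login=1&page=2 plus a cookie named "page".
$get    = ['login' => '1', 'page' => '2'];
$cookie = ['page' => '99'];
$merged = emulateRegisterGlobals($get, [], $cookie);

printf("merged page value:  %s\n", $merged['page']);
printf("vulnerable access:  %s\n", var_export(vulnerablePage($merged), true));
printf("hardened access:    %s\n", var_export(hardenedPage($get), true));
```

The first output line shows the cookie value replacing the GET value of the same name, which is the name-clash problem described above.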