NYPHP.org

[nycphp-talk] Global settings in PHP

gadhra bfeqx44002 at sneakemail.com
Wed May 7 15:45:49 EDT 2003


Hi Anthony,

Though convenient, global vars are more or less a no-no; security is the 
major reason.
If you have code that's something like:
    if (check_login($session)) {
        $logged_in = 1;
    }
I could simply set a url like page.php?logged_in=1 and have it override 
your check.

There are usually 3 solutions to this:  initialize all your variables 
(and set error_reporting to E_ALL to be sure), turn off the ability of 
GET, POST, and cookie values to create variables, or disable 
register_globals.

The big one for me, however, is that register_globals defaults to Off in 
PHP as of 4.2, which means that, if you rely on them, your code will not 
be portable to other servers that have different configurations (and 
might not be willing to bend on modifying php.ini for the reasons stated 
above).

+gadhra+



Anthony Tanzola anthony-at-emr.net |NY PHP| wrote:

>Hey List!
>
>I am somewhat new to php, though not to web development.  I am attempting to
>send information from a web form to a php document.  I then want to create
>session variables and have the ability to manipulate the session variables
>as needed.
>
>The book I have uses examples throughout that require the following setting
>in the php.ini file:
>
>register_globals = On
>
>This alleviates the need for $_POST["my_posted_data"] when retrieving posted
>data.
>
>Also it allows me to register session variables as such:
>
>session_register("variable_1", "variable_2", "variable_3", "variable_4",
>"variable_5", "variable_6")
>
>as well as do other things with sessions.
>
>I am wondering what the pros and cons are of setting globals to "on".  It
>seems to be a convenience, but are there any downsides or security issues?
>
>Any input would be greatly appreciated.
>
>Thanks,
>
>Anthony Tanzola
>EMR Data Services
>Phone: 623.581.2875
>Fax: 623.582.5499
>anthony at emr.net

-- 
+gadhra+
*********************
XXXXXXXXXXXXXXXXX
And seize the metropolis;
It's you it's built on
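
The override described in the reply, next to a version that initializes the flag and never turns request data into variables. This is an added example, not code from the thread: register_globals no longer exists in current PHP (it was removed in 5.4), so extract() on the request array stands in for it, and the check_login() body, the function names and the sample inputs are assumptions made for the demonstration.

```php
<?php
error_reporting(E_ALL);

// Hypothetical stand-in for the check_login() named in the message:
// a session counts as logged in when it carries a user id.
function check_login(array $session): bool
{
    return isset($session['user_id']);
}

// Pattern from the message: $logged_in is only ever assigned on success,
// so whatever the request put there is still in place on failure.
function page_with_globals(array $get, array $session): bool
{
    extract($get);              // emulates register_globals = On for GET
    if (check_login($session)) {
        $logged_in = 1;
    }
    return !empty($logged_in);
}

// Remedies from the message: the flag is initialized before use, and
// request values are never imported as variables (register_globals off).
function page_hardened(array $get, array $session): bool
{
    $logged_in = 0;
    if (check_login($session)) {
        $logged_in = 1;
    }
    return $logged_in === 1;
}

// Constructed inputs: page.php?logged_in=1, with and without a session.
$get       = ['logged_in' => '1'];
$anonymous = [];
$member    = ['user_id' => 42];

echo "globals on, no session:  "; var_dump(page_with_globals($get, $anonymous));
echo "hardened, no session:    "; var_dump(page_hardened($get, $anonymous));
echo "hardened, valid session: "; var_dump(page_hardened($get, $member));
```

Only the first call reports a logged-in user without a session; the hardened function ignores the query string entirely, so its result depends on check_login() alone.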




