NYCPHP Meetup

NYPHP.org

[nycphp-talk] Global settings in PHP

Hans Zaunere hans at nyphp.org
Wed May 7 17:29:43 EDT 2003 

Hi Anthony,

--- Anthony Tanzola <anthony at emr.net> wrote:
> Hey List!
> 
> I am somewhat new to php, though not to web development.  I am attempting
> to
> send information from a web form to a php document.  I then want to create
> session variables and have the ability to manipulate the session variables
> as needed.
> 
> The book I have use examples throughout that require the following setting
> in the php.ini file:
> 
> register_globals = On

Hark!  Burn that book!

Seriously though, I would not use that book to learn from.  register_globals
= On is a curse from the early days of PHP and needs to be eliminated, for
several reasons.

1) Security - a user can override variables in your script and cause absolute
havoc very easily.

2) Style - As I've said, register_globals has probably been the one setting
that has hurt PHP's reputation as an 'Enterprise Solution.'  Granted, I don't
know what that means either, but it's not good programming style to use it.

3) Compatibility - Modern version of PHP (since about 4.2.x I think) default
to register_globals = Off.  As such, your scripts won't work with modern
servers and any convienence you've found in using it now will be dwarfed by
future dealings with your server administrator, other developers, users and
the public in general.

4) People will laugh at you!

Sorry to be so harsh, but I feel very strongly about this one  :)

> This elevates the need for $_POST["my_posted_data"] when retrieving posted
> data.

Absolutely, and the superglobals (ie $_POST, $_GET) make it a breeze.  Just a
tip, though, unless there's a dollar sign (variable) inside the braces, use
single quotes.  $_POST['my_posted_data'] is much faster.

> Also it allows me to register session variables as such:
> 
> session_register("variable_1", "variable_2", "variable_3", "variable_4",
> "variable_5", "variable_6")
> 
> as well as do other things with sessions.
> 
> I am wondering what the pros and cons are of setting globals to "on".  It
> seams to be a convenience, but are there any downsides or security issues?

Yeah, basically all cons.  The only pro could be considered short-term
convenience, but as I mentioned, you'll end up paying for it.

H

More information about the talk mailing list