php globals

  • FI2C
    Junior Member
    • Mar 2004
    • 2

    #1

    php globals

    Can we (as a reseller) have control over register_globals on/off in PHP?
    Any good reference for clients that have problems with that?
  • Jonathan
    Senior Member
    • Mar 2004
    • 1229

    #2
    I think Globals are on;
    I try to avoid them, though, as they present huge security issues.

    Note: exact security issues unknown; just remember a friend telling me this.
    "How can someone be so distracted yet so focused?"
    - C

    • -Oz-
      Senior Member
      • Mar 2004
      • 545

      #3
      It is on, the security issues involve people using urls to pass information to databases that could potentially damage your data.
      Dan Blomberg

      • Thyme
        Junior Member
        • Mar 2004
        • 13

        #4
        Just because it's on doesn't mean you have to code them. Use the $_POST[], $_GET[], $_SESSION[], etc. assoc. arrays instead of globals and you shouldn't have any security problems even with the setting on.
        "I have never made but one prayer to God, a very short one: 'O, Lord, make my enemies ridiculous.' And God granted it." --Voltaire

        • Buddha
          Senior Member
          • Mar 2004
          • 825

          #5
          Originally posted by -Oz-
          It is on, the security issues involve people using urls to pass information to databases that could potentially damage your data.
          Oz, I think you're confusing two separate issues: "Variable Substitution" and "SQL Injection Attacks."

          To defeat variable substitution:
          Always initialize your variables. This can be harder than it sounds if you have variables all over the place. So keep your variables organized.
          Use GPC globals as Thyme suggested.

          To defeat SQL injection attacks:
          Validate user input. If a user input requires at max a ten digit number make sure that's what you get.
          Check for nasty words like "SELECT" or "DELETE."
          Learn to live with Magic_Quotes.
          Limit user access. Your common user doesn't need "INSERT" rights to your pricing table.

          Here's an article to get you started: http://www.zend.com/zend/art/art-oertli.php
          "Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha

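The "variable substitution" problem Buddha describes, as an added PHP example that is not part of the thread: the first block shows why an uninitialized variable is dangerous with register_globals on, the second applies the fixes from posts #4 and #5 (initialize first, read input only from the superglobals, validate it). The injected `$authorized` and the `$_GET` contents are constructed stand-ins for what register_globals would create from a real request.

```php
<?php
// Added example (not from the thread). Reproduces the "variable substitution"
// problem and the two fixes given in posts #4 and #5.

// Constructed stand-in for what register_globals = On does on a request such
// as  page.php?authorized=1&id=42abc : every query parameter becomes a global
// variable before any of the script's own code runs.
$authorized = '1';
$_GET = ['authorized' => '1', 'id' => '42abc'];

$password_ok = false;   // the visitor did NOT supply the right password

// --- Vulnerable pattern ---------------------------------------------------
// $authorized is only assigned on success, so on failure the value injected
// by the request survives and the check below is bypassed.
if ($password_ok) {
    $authorized = true;
}
$insecure_result = !empty($authorized) ? 'admin panel' : 'access denied';
// $insecure_result is 'admin panel' here: the injected '1' was never cleared.

// --- Hardened pattern -----------------------------------------------------
// 1. Initialize before any conditional assignment; whatever the request
//    injected into the global is overwritten unconditionally.
$authorized = false;
if ($password_ok) {
    $authorized = true;
}
// 2. Read request data from the superglobal, never from a bare variable, and
//    validate it (post #5: if you need at most a ten-digit number, accept
//    exactly that and nothing else).
$id = $_GET['id'] ?? '';
if (!preg_match('/^\d{1,10}$/', $id)) {
    $id = null;          // '42abc' is rejected: not 1-10 digits
}
$secure_result = ($authorized && $id !== null)
    ? "admin panel for record $id"
    : 'access denied';
// $secure_result is 'access denied': neither the injected flag nor the
// malformed id gets through.

echo "insecure: $insecure_result\n";
echo "secure:   $secure_result\n";
```
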
          • -Oz-
            Senior Member
            • Mar 2004
            • 545

            #6
            Thanks for the info, I will definitely read that article.
            Dan Blomberg

            • Denver Dave
              Member
              • Sep 2004
              • 49

              #7
              Looks like Register Globals is now set to off as of today. Is there a PHP command to override this if necessary rather than dealing with each and every variable name?

              • Elite
                Senior Member
                • Apr 2004
                • 168

                #8
                Originally posted by Denver Dave
                Looks like Register Globals is now set to off as of today. Is there a php command to over-ride this if necessary rather than dealing with each and every variable name?
                Place a php.ini with the command "register_globals = On" in the directory where you require globals on?
                Last edited by Elite; 07-27-2007, 12:47 AM.

                • AndrewT
                  Administrator
                  • Mar 2004
                  • 3655

                  #9
                  Elite is absolutely correct.

                  Rumor has it that PHP will even stop supporting register_globals at some point down the road. It also can pose a security risk if inputs are not properly validated or initialized. I strongly recommend not depending on register_globals being enabled.
