Question

I am not sure whether this would be good to be marked as community wiki, but anyway:

Is there an easy way to kill the register_globals? I'm working on a PHP Framework and right now, I just set the script to terminate if register_globals is On. Although I prefer to force people to disable it, there are servers that still have that on.

I know that in PHP 5.3.0 register_globals is deprecated and in PHP 6 it will be completely removed, but it is always a good thing to deal with it while it is still here.

I saw some ways, and I'm currently thinking of using this:

$temp = array_merge($_GET, $_POST, $_COOKIE);
foreach($temp as $k => $v) {
    if(isset($$k)) unset($$k);
}

There are some problems over here, though. It is resource intensive, especially when there's a lot of input data. I am not sure whether disabling it at runtime would work, for example:

ini_set('register_globals', 'Off');

Is there a better way that I haven't heard of to get rid of register_globals? Thanks.


Solution

There are methods of dealing with register_globals described in the PHP manual. The register_globals ini setting can't be set at runtime by ini_set(), so if you can't do it with an .htaccess or web server configuration file, the method provided there would be the official workaround.

It basically provides this snippet of code to emulate compatibility:

<?php
// Emulate register_globals off
function unregister_GLOBALS()
{
    if (!ini_get('register_globals')) {
        return;
    }

    // Might want to change this perhaps to a nicer error
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        die('GLOBALS overwrite attempt detected');
    }

    // Variables that shouldn't be unset
    $noUnset = array('GLOBALS',  '_GET',
                     '_POST',    '_COOKIE',
                     '_REQUEST', '_SERVER',
                     '_ENV',     '_FILES');

    $input = array_merge($_GET,    $_POST,
                         $_COOKIE, $_SERVER,
                         $_ENV,    $_FILES,
                         isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());

    foreach ($input as $k => $v) {
        if (!in_array($k, $noUnset) && isset($GLOBALS[$k])) {
            unset($GLOBALS[$k]);
        }
    }
}

unregister_GLOBALS();

?>
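
Added example, not from the PHP manual or from the answer above: the same cleanup run over plain arrays, so it also executes on PHP versions without register_globals. It shows that only names are compared, which means the call belongs at the very start of the bootstrap, before the framework defines any global of its own. `strip_registered()` and the sample data are hypothetical and constructed for this illustration.

```php
<?php
// Added example: simulates the cleanup on plain arrays instead of $GLOBALS.

/**
 * Hypothetical helper: returns $globals without the entries that
 * register_globals would have created from the arrays in $inputs.
 */
function strip_registered(array $globals, array $inputs): array
{
    // Names the cleanup must never remove.
    $protected = ['GLOBALS', '_GET', '_POST', '_COOKIE',
                  '_REQUEST', '_SERVER', '_ENV', '_FILES'];

    foreach ($inputs as $source) {
        // A request key called GLOBALS targets the global table itself.
        if (array_key_exists('GLOBALS', $source)) {
            throw new RuntimeException('GLOBALS overwrite attempt detected');
        }
        foreach (array_keys($source) as $name) {
            // Numeric-looking keys are cast to int by PHP; compare as strings.
            if (!in_array((string) $name, $protected, true)) {
                unset($globals[$name]);
            }
        }
    }
    return $globals;
}

// Constructed sample request: ?lang=en&page=2
$get = ['lang' => 'en', 'page' => '2'];

// Constructed global table as register_globals would leave it at script start.
$early = ['_GET' => $get, 'lang' => 'en', 'page' => '2'];
var_dump(array_keys(strip_registered($early, [$get])));

// Same call made late, after the application assigned its own $page:
// that value is removed too, because the check looks at names, not origins.
$late = ['_GET' => $get, 'lang' => 'en', 'page' => 10, 'config' => []];
var_dump(array_keys(strip_registered($late, [$get])));
```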

OTHER TIPS

You could add php_flag register_globals off to your .htaccess file, although not all servers accept this. So if you're planning to publish your framework, it might not be a good idea.

Licensed under: CC-BY-SA with attribution