[Wylug-help] PHP - register_globals OFF problem

Andy Macdonald andy at greenhead.ac.uk
Fri, 10 Jan 2003 13:04:37 GMT


Just in case anyone else hasn't got an elegant way out of the register_globals
OFF problem in PHP - well as elegant as PHP can be anyway!

I found this nice function to handle global variables which can be added as a
function in an include file for all scripts. Then all that is required is one
line to declare the global variables and then they are available as before - no
other code needs changing! As mentioned on the website referred to - this isn't
much more secure than global variables as hackers just have to try each of the
5 methods ... but see 'Example 5-16. Detecting simple variable poisoning' at
the URL below, the idea of which I will try to incorporate into this function
..

{sorry if my email editor mangles long lines}

Ref: http://www.php.net/manual/en/security.registerglobals.php
in Comment by: djresonance at yahoo dot com

"I think a better solution is to register each variable along with the request
method from which that variable came separately.  To that end, I wrote a
function which does exactly that.  This function accepts a variable number of
arguments.  The first argument should be the request method you want to get the
variable from, and the rest are the variables that you want to register in the
global namespace.  I used $HTTP_*_VARS instead of $_* for compatibility with
older versions of php:

/**
 * Registers global variables
 *
 * This function takes global namespace $HTTP_*_VARS variables from input and,
 * if they exist, registers them as global variables so that scripts can use
 * them.  The first argument signifies where to pull the variable names from,
 * and should be one of GET, POST, SESSION, SERVER, COOKIE, or ENV.
 */
function pt_register()
{
    $num_args = func_num_args();
    $vars = array();

    if ($num_args >= 2) {
        // First argument names the request source; normalise its case.
        $method = strtoupper(func_get_arg(0));

        if (($method != 'SESSION') && ($method != 'GET') && ($method != 'POST')
            && ($method != 'SERVER') && ($method != 'COOKIE') && ($method != 'ENV')) {
            die('The first argument of pt_register must be one of the following: GET, POST, SESSION, SERVER, COOKIE, or ENV');
        }

        // Select the matching $HTTP_*_VARS array, e.g. $HTTP_GET_VARS.
        $varname = "HTTP_{$method}_VARS";
        global ${$varname};

        // Remaining arguments are the variable names to register.
        for ($i = 1; $i < $num_args; $i++) {
            $parameter = func_get_arg($i);

            // Only copy names that are present in the chosen source.
            if (isset(${$varname}[$parameter])) {
                global $$parameter;
                $$parameter = ${$varname}[$parameter];
            }
        }
    } else {
        die('You must specify at least two arguments');
    }
}

You can then register your global variables for use like this:

// register a GET var
pt_register('GET', 'user_id', 'password');
// register a server var
pt_register('SERVER', 'PHP_SELF');
// register some POST vars
pt_register('POST', 'submit', 'field1', 'field2', 'field3');"

--
Andy Macdonald
Network Manager, Greenhead College
Huddersfield, HD1 4ES, England.
Tel: 01484 422032
Mobile: 07932 635057
See award winning web site:
http://www.greenhead.ac.uk
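
An added example, not part of the original message or the quoted manual comment: one way to combine per-source lookup with the "variable poisoning" check the post refers to, reporting when a name expected from one source also arrives through another. The function name `fetch_from_source`, the `$sources` parameter, and the request data are hypothetical. It returns values instead of creating globals and assumes PHP 7 or later.

```php
<?php
// Added example: names and sample request data below are constructed.

/**
 * Return the named variables from exactly one request source and report any
 * name that also arrives through a different source (possible poisoning).
 *
 * $sources maps source names to arrays, e.g. ['GET' => $_GET, ...]. Passing
 * it in is an assumption of this sketch so that it can be run offline.
 */
function fetch_from_source(array $sources, string $method, array $names): array
{
    $method = strtoupper($method);
    if (!array_key_exists($method, $sources)) {
        throw new InvalidArgumentException("Unknown request source: $method");
    }

    $values = [];
    $suspicious = [];
    foreach ($names as $name) {
        // Take the value only from the source the caller asked for.
        if (isset($sources[$method][$name])) {
            $values[$name] = $sources[$method][$name];
        }
        // The same name supplied through another channel is the situation
        // the manual's variable poisoning example looks for.
        foreach ($sources as $other => $data) {
            if ($other !== $method && isset($data[$name])) {
                $suspicious[] = "$name also present in $other";
            }
        }
    }
    return ['values' => $values, 'suspicious' => $suspicious];
}

// Constructed request: the application expects user_id only as a cookie,
// but the client also sent it in the query string.
$sources = [
    'GET'    => ['user_id' => '1', 'page' => '2'],
    'POST'   => [],
    'COOKIE' => ['user_id' => '42'],
];

$result = fetch_from_source($sources, 'COOKIE', ['user_id']);
echo $result['values']['user_id'], "\n"; // value comes from the cookie only
foreach ($result['suspicious'] as $warning) {
    error_log("Possible variable poisoning: $warning");
}
```

In a real script the first argument would be built from the superglobals, for example `['GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE]`.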