[Wylug-help] PHP / MySQL development question

Smylers Smylers at stripey.com
Sat Oct 20 21:21:47 BST 2007


Roger Beaumont writes:

> During the replacement process I came across code like:
> ------------------------------------------------

Suppose $HTTP_GET_VARS's contents are the same as if it had been
initialized with:

  $HTTP_GET_VARS = array('name' => 'Compo', 'footware' => 'wellies');

Then this:

> // REGISTER GLOBALS
> while($vars=each($HTTP_GET_VARS)) {

will the first time through set $vars to have these 2 elements:

  $vars = array('key' => 'name', 'value' => 'Compo');

> 	$$vars["key"]=$vars["value"];

The precedence there makes the above equivalent to:

  ${$vars["key"]} = $vars["value"];

$vars[key] is of course 'name', and $vars[value] is 'Compo', so that is
the same as doing:

  $name = 'Compo';

And then the next time round the loop it'll do:

  $footware = 'wellies';

That is, each entry in $HTTP_GET_VARS is being promoted to being a
separate variable with the equivalent name -- which is what used to
happen in PHP, and indeed still happens if register_globals is enabled
in the configuration.

>  	$_SESSION[$vars["key"]]=$vars["value"]; }

That is copying each entry in $HTTP_GET_VARS into $_SESSION, presumably
so they all get propagated to future pages visited by the current user.

> while($vars=each($HTTP_POST_VARS)) {
> 	$$vars["key"]=$vars["value"];
> 	$_SESSION[$vars["key"]]=$vars["value"]; }

Unsurprisingly that's repeating the whole thing for post variables.

> // END REGISTER GLOBALS
> ------------------------------------------------
> To make it more opaque, in some files that snippet was commented out, while 
> in others it wasn't.

Well it's only needed for code which has been written presuming
register_globals is enabled.  That has not been the recommended way of
coding for several years, so it may be that it's only needed in some
legacy files; more recently written files may access the variables
differently.

> When I looked at the documentation on predefined variables, that says:
> "You don't need to do a global $_GET; to access it within functions or
> methods, as you do with $HTTP_GET_VARS." - plus the equivalent for the
> other corresponding arrays.  That suggests to me that the whole
> snippet could have been replaced by:
> -----------------------------------------------
> global $HTTP_GET_VARS, $HTTP_POST_VARS;
> -----------------------------------------------

Nope.  The code above has no mention of global, and no effect on
variable scope: $name and $footware will have exactly the same scope as
$HTTP_GET_VARS (presumably the main program), and if used in any
functions will need appropriate global declarations.

Your suggestion would make $HTTP_GET_VARS available inside functions,
but that doesn't do any good if the code is looking for the values
inside separate variables like $footware.  (Also, it doesn't populate
$_SESSION, which may cause problems for other pages.)

> Assuming that the snippet does do what the comments say,

It does.  But the comments don't mean what you think they mean!

> then I think that changing all use of $HTTP_GET_VARS to $_GET (etc.)
> makes the snippet (in either form) redundant anyway.

$HTTP_GET_VARS was ill-thought-through; there's no need ever to use it
now that $_GET is available.  So using $_GET is indeed an improvement
and would remove the need for any global declarations.

But the only way you can safely remove any still-in-use instances of the
above loop is to locate every variable in the entire program which could
possibly have been set by an HTML form parameter and replace it with the
$_GET or $_POST equivalent.  Because of the use of $$vars[key], that
could in theory be any variable at all.

Smylers
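
Added example, not part of the original post or of Roger's code base: the
promotion loop next to an allowlisted replacement, run on a constructed
request. It uses foreach because each() was removed in PHP 8.0; the function
names, the $is_admin variable and the field list are assumptions made for
illustration.

```php
<?php
// Constructed request. 'name' and 'footware' are the fields the form sends;
// 'is_admin' is a name the form never defines but the script uses internally.
$request = ['name' => 'Compo', 'footware' => 'wellies', 'is_admin' => '1'];

// Legacy behaviour: every request key is promoted to a variable of that name.
function legacy_page(array $request): array
{
    $is_admin = false;              // set by the script before the loop runs
    foreach ($request as $key => $value) {
        $$key = $value;             // same effect as $$vars["key"] = $vars["value"]
    }
    // $is_admin now holds whatever the request supplied under that name.
    return compact('name', 'footware', 'is_admin');
}

// Replacement: read only the fields this page's form is known to define.
function allowlisted_page(array $request): array
{
    $is_admin = false;
    $expected = ['name', 'footware'];   // hypothetical list for this page
    $form = [];
    foreach ($expected as $field) {
        // Accept plain strings only; a missing or array-valued field becomes null.
        $form[$field] = (isset($request[$field]) && is_string($request[$field]))
            ? $request[$field]
            : null;
    }
    // Names outside $expected never reach a variable, so $is_admin is untouched.
    return [
        'name'     => $form['name'],
        'footware' => $form['footware'],
        'is_admin' => $is_admin,
    ];
}

echo "legacy loop:\n";
var_dump(legacy_page($request));
echo "allowlisted:\n";
var_dump(allowlisted_page($request));
```

In a real page $request would be $_GET or $_POST, and the allowlist is the
list of form fields that the "locate every variable" step above produces.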


