PHP is an evolving language. Part of that evolution, as with any web technology, is the plugging of security holes. This article addresses one of those security topics.... the "register_globals" directive in the PHP.ini file.
The PHP.ini file contains a number of settings and directives that control the way the PHP engine interacts with web pages and the web server and server environment. As a web designer, you rarely have control over those settings. Unless you own your own server, they're set by the web server administrator at your ISP. However, in many cases, the settings determine how your PHP code will be executed. So understanding how they affect your coding is obviously important.
For the moment, we're concerned with the "register_globals" directive and how it determines how form variables are referenced in the server environment. The directive itself has been around for quite some time. In early versions of PHP 4, it was set to "On". Starting with PHP 4.2.0, it was set to "Off" by default.
Why the change? For added security. When a form is submitted, the values of the input fields on the form are passed as variables to the receiving script or page named in the form action. With register globals turned on, the variables may be referenced by their short form.
For example: $shortform.
This form is really convenient because..well..it's short. However, it's also easy for an attacker to fake the information by passing their own input to your scripts (form action). Your script has no way of knowing whether the input came from your form or another source.
Accessing Form Variables with Register Globals OFF
With this setting, form variables may referenced as members of an array. There are some options here as well. Remember that evolution thing?
Prior to PHP 4.1.0 - the form information was stored in arrays named $HTTP_POST_VARS and $HTTP_GET_VARS. Form data may be sent via either the POST or GET method, so the array matching the method applies.
Starting with PHP 4.1.0 - form created variables are now available in the arrays mentioned above AND in three new arrays; $_POST, $_GET and $_REQUEST. One of the first two will contain your form information (depending on the method again). It will also be available via the third array, in the event you use mixed methods. For instance, you use POST as your form method, but you also include GET information as part of the Form Action URL.
Some Examples
|