register_globals Q&A - CodingForum

  • register_globals Q&A

    I have some questions about register_globals as I see many Unix servers have it on, and many Windows Servers have it off.

    My "Assumption" of register_globals being off is that, as an example, you could call a form field name using a register_global and get the form data from another site on the same server, provided you know the form field names on a given site.

    Is this TRUE / FALSE?

    If this is true, I can understand why having it off, if it is FALSE then why is register_globals set to OFF by default?

    As well, is it only by default for Windows Installs or both Unix and Windows?

    Educate Me!
    .::: livemotioncentral | phoenixnow | techiewidows | jonsresume :::.

  • #2
    example is best ?

    with the url www . domain.com?yak=good , passed to a server ..

    with register_globals = off

    echo $yak; // prints nothing , as $yak is undefined
    echo $_GET['yak'] ; // prints 'good' as the super_global $_GET['yak'] is created.

    with register_globals = on

    echo $yak; // prints 'good' as any _GET vars are automatically registered
    echo $_GET['yak'] ; // still prints 'good' as the super_global $_GET['yak'] is created.


    The recommended PHP configuration is now with register_globals = off (recommended by PHP, not my opinion on the matter) on any platform.

    This also applies to _POST, _COOKIE, _SESSION, _SERVER & _FILES data. Also the super_global _REQUEST contains all of the _POST, _COOKIE & _GET data.

    Most shared hosts are reluctant to switch to register_globals=off as this would break many pre-installed scripts and annoy a lot of users who have not yet thought to ask the question that you did!
    Last edited by firepages; Feb 12, 2004, 01:28 PM.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
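
The on/off behaviour described in post #2, as an added example that is not part of any poster's message: it shows why the off setting matters once a script leaves one of its own variables uninitialised. register_globals was removed in PHP 5.4.0, so `extract()` stands in for the on setting; the `authorized` parameter, the `$loginOk` flag and both handler functions are hypothetical.

```php
<?php
// Added illustration, not code from the thread. register_globals was removed
// in PHP 5.4.0, so extract() stands in for "register_globals = on" here.
// The query string, $authorized and both handler functions are constructed.

parse_str('yak=good&authorized=1', $query);   // the array PHP would expose as $_GET

function handler_globals_on(array $request): array
{
    // Emulated register_globals = on: every request key becomes a variable
    // in scope before the script's own logic runs.
    extract($request);

    $loginOk = false;                 // constructed: this visitor is not logged in
    if ($loginOk) {
        $authorized = true;
    }
    // The script never initialised $authorized, so the request's value survives.
    return ['yak' => $yak ?? null, 'authorized' => !empty($authorized)];
}

function handler_globals_off(array $get): array
{
    // register_globals = off: request data is read only through the array,
    // and the script initialises its own flag.
    $authorized = false;
    $loginOk = false;
    if ($loginOk) {
        $authorized = true;
    }
    $yak = (isset($get['yak']) && is_string($get['yak'])) ? $get['yak'] : null;
    return ['yak' => $yak, 'authorized' => $authorized];
}

var_dump(handler_globals_on($query));
var_dump(handler_globals_off($query));
```

Both handlers see the same `yak` value; they differ only in whether the request is allowed to supply a variable the script forgot to initialise.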



    • #3
      Thank you, my "final question" is could I still use $_GET['yak'] to get a variable's value from someone else's form, the same way as using $yak; with register_globals on?

      The concern is pulling information from other sites' forms, etc...

      ... and I am asking because I'm at a host provider that has it off.



      • #4
        not quite sure what you mean ... if you mean siteA has a form which gets posted to a script on your server then only the settings on your server are of any concern.

        Basically unless your PHP version is really old (<4.1.0) then just use $_GET['yak'] or $_POST['yak'] as then you can't go wrong, they are available regardless of register_globals configuration.

        If you are unsure whether an incoming request is going to be POST or GET , you can use
        <?php echo $_REQUEST['yak'];?>
        as that covers them both.

        <edit>beat ya Mordred by about a second I reckon</edit>


        • #5
          The answer is "yes".

          But I think your view of the process is not correct. You don't get variables from other sites' forms, it's rather that other sites' forms submit data to your script on your server. The process is initiated on the other site, and PHP is capable of reaching the data that was explicitly sent to your script, be it GET, POST, cookies... whatever.

          $_GET basically gives you nothing more than array access to what's in the query string (everything right from the question mark in a URL).

          Has the process become clearer now?
          De gustibus non est disputandum.



          • #6
            I guess I can say that, I have known how to work with this issue, but still do not understand why they have it off... I must say, I am a bit "dense" but what is the reason for even having it off, I do not see the security risk...



            • #7
              Unf, I got it. Life is short...