Useful for shared hosting or scripts that you are sharing with other people.
<?php
// Effectively turn off dangerous register_globals without having to edit php.ini
if (ini_get(register_globals)) // If register_globals is enabled
{ // Unset $_GET keys
foreach ($_GET as $get_key => $get_value) {
if (ereg('^([a-zA-Z]|_){1}([a-zA-Z0-9]|_)*$', $get_key)) eval("unset(\${$get_key});");
} // Unset $_POST keys
foreach ($_POST as $post_key => $post_value) {
if (ereg('^([a-zA-Z]|_){1}([a-zA-Z0-9]|_)*$', $post_key)) eval("unset(\${$post_key});");
} // Unset $_REQUEST keys
foreach ($_REQUEST as $request_key => $request_value) {
if (ereg('^([a-zA-Z]|_){1}([a-zA-Z0-9]|_)*$', $request_key)) eval("unset(\${$request_key});");
}
}
?>
章 29. 使用 Register Globals
可能 PHP 中最具争议的变化就是从 PHP 4.2.0 版开始配置文件中 register_globals 的默认值从 on 改为 off 了。对此选项的依赖是如此普遍以至于很多人根本不知道它的存在而以为 PHP 本来就是这么工作的。本节会解释用这个指令如何写出不安全的代码,但要知道这个指令本身没有不安全的地方,误用才会。
当 register_globals 打开以后,各种变量都被注入代码,例如来自 HTML 表单的请求变量。再加上 PHP 在使用变量之前是无需进行初始化的,这就使得更容易写出不安全的代码。这是个很艰难的抉择,但 PHP 社区还是决定默认关闭此选项。当打开时,人们使用变量时确实不知道变量是哪里来的,只能想当然。但是 register_globals 的关闭改变了这种代码内部变量和客户端发送的变量混杂在一起的糟糕情况。下面举一个错误使用 register_globals 的例子:
当 register_globals = on 的时候,上面的代码就会有危险了。如果是
off,$authorized 就不能通过如 URL
请求等方式来改变,这样就好多了,尽管初始化变量是一个良好的编程习惯。比如说,如果在上面的代码执行之前加入
$authorized = false 的话,无论 register_globals 是 on 还是
off 都可以,因为用户状态被初始化为未经认证。
另一个例子是关于会话的。当 register_globals = on
的时候,$username 也可以用在下面的代码中,但要意识到
$username 也可能会从其它途径进来,比如说通过 URL 的 GET。
采取相应的预防措施以便在伪造变量输入的时候给予警告是完全有可能的。如果事先确切知道变量是哪里来的,就可以检查所提交的数据是否是从不正当的表单提交而来。不过这不能保证变量未被伪造,这需要攻击者去猜测应该怎样去伪造。如果不在乎请求数据来源的话,可以使用
$_REQUEST 数组,它包括了 GET、POST 和 COOKIE
的所有数据。详情可参见本手册的来自 PHP 之外的变量。
当然,单纯地关闭 register_globals 并不代表所有的代码都安全了。对于每一段提交上来的数据,都要对其进行具体的检查。永远要验证用户数据和对变量进行初始化!把 error_reporting() 设为 E_NOTICE 级别可以检查未初始化的变量。
更多关于模拟 register_globals 为 on 或 off 的信息,请见此 FAQ。
Superglobals 可用性说明: 自 PHP 4.1.0 起,可以使用超全局数组变量例如
$_GET,$_POST和$_SERVER等等。更多信息请阅读手册中的 superglobals。
add a note
User Contributed Notes
alan hogan
20-Jul-2007 03:08
20-Jul-2007 03:08
Timbo
14-Jul-2007 03:25
14-Jul-2007 03:25
In response to the above post by Caliwebman at yahoo dot com, a.k.a. "Gentle Warrior" who complained about the lack of documentation on register_globals:
I think this code snippet will address the *main* source of his confusion:
<?
function readyToBeAProgrammer()
{
$stuff=$_URINALYSIS['test'];
if($stuff == THC)
{
return false;
}
else
{
return true;
}
// register_globals is all about knowing where your variables are really coming from
// what if a malicious user tried to pass off
// $stuff=$_GET['someone_elses_drop']; // as $stuff ?
// preventing this kind of substitution is the whole point
// of disabling register_globals
}
if(!readyToBeAProgrammer())
{
die("Switch to coffee, man!");
}
?>
P.S., let's give it up in appreciation for the moderators who must sit though and clean up these boards, facetious posts like mine included...
caliwebman at yahoo dot com
10-Jul-2007 10:29
10-Jul-2007 10:29
U know what I find incredibly insane? The fact that no where on the first pages <<<PLURAL does anyone even suggest where to find this code. And IF it exists in a file called "register_globals-etc..." than I have no clue why none of my sites have this file. It amazes me that we here on this side have made things so incredibly difficult on ourselves and the newer coders. Why? I thought that was what Microsoft was doing but quite honestly follks, we here on this side have MS beat when it comes to making things MUCH more of a challenge than they need be.
PLEASE, please dumb things down. And if you can't? ASK someone who is NOT in your bubble of code to review what you are writing in your dirstructions.... directions.... ask someoen like your MOM or DAD who know nothing of the code.
We sure would get going mch more quickly if we all paid attenttion to this simple rule.... and lastly, the front end designers are finally getting it together..... thank you, but again, remember, THE 3 CLICK RULE!!!
Peace,
Gentle Warrior
Scott
29-Jun-2007 05:19
29-Jun-2007 05:19
I couldn't get any of the suggested ways to disable register_globals to work in what I believe to be an Apache environment, where even phpinfo() is disabled. I finally had to resort to
foreach(array_keys($_REQUEST) as $field)
{
unset(${$field});
}
to get the $_REQUEST array without auto-setting all the request variables. I'm somewhat new to the whole PHP thing and wonder if there is a downside to this that I don't see.
someone at example dot com
17-Apr-2007 07:14
17-Apr-2007 07:14
In reply to yyalcinkaya at ku edu tr you could just do this with $_REQUEST:
foreach($_REQUEST as $k => $v)
{
${$k} = $v;
}
...though doing something like this is asking for a world of trouble IMHO.
yyalcinkaya at ku edu tr
28-Mar-2007 10:37
28-Mar-2007 10:37
if you want to keep register_globals off you can use this codes instead.
foreach($_POST AS $key => $value) {
${$key} = $value;
}
foreach($_GET AS $key => $value) {
${$key} = $value;
}
alan at xensource dot com
15-Nov-2005 05:00
15-Nov-2005 05:00
From the PHP Manual page on Using register_globals:
Do not use extract() on untrusted data, like user-input ($_GET, ...). If you do, for example, if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.
Dexter at dexpark dot com
06-Nov-2005 02:59
06-Nov-2005 02:59
For Apache users or webhosters, you can set the
php_flag register_globals on/off in a VirtualHost context.
dyer85 at gmail dot com
05-Nov-2005 06:10
05-Nov-2005 06:10
I'd suggest taking a look at php.net's source code for these user notes, if you want to get ideas on some nice ways to collect and validate user data.
http://php.net/source.php?url=/manual/add-note.php
hbinduni at gmail dot com
30-Oct-2005 09:06
30-Oct-2005 09:06
[quote]
If you're under an Apache environment that has this option enabled, but you're on shared hosting so have no access to php.ini, you can unset this value for your own site by placing the following in an .htaccess file in the root:
php_flag register_globals 0
[/quote]
adding php_flag in .htaccess under apache 2 will cause internal server error. according to apache 2 manual, php_flag should goes to <virtual> or <directory> section.
ramosa (0) gmail dotty com
24-Sep-2005 04:24
24-Sep-2005 04:24
Here's a one liner that works both with register globals on or off, and is even secure enough when it's on, as you make sure you init the var.
Using the ?: operator
$variable = isset($_GET["variable"]) ? $_GET["variable"] : "";
kcinick at ciudad dot com dot ar
18-May-2005 10:12
18-May-2005 10:12
if you plan to use php_admin_value register_globals [0-1] inside <VirtualHost> in apache, forget it, it don't show any error messages in the configuration, but at the time of running, it enable and disables register_globals at random request, if you need to customize this param to multiple virtual host, put it in a <Directory> directives, it works fine there...
PD: same for safe_mode, etc...
ryanwray at gmail dot com
24-Nov-2004 03:03
24-Nov-2004 03:03
In reply to ben at nullcreations dot net:
This is true of the super-global $_SESSION, as it will always be processed last (it is not considered in variables_order directive)
However, it is possible to over-write other data, namely GET, POST, COOKIE, ENVIROMENT and SERVER.
Of course, what you can overwrite will depend on the directive variables_order - by default, you could overwrite GET and POST data via COOKIE (because cookie data is processed last out of the three which should not really be of great concern.
My below code is irrelevant unless extract or another method which does the same thing (ie. I have seen variable variables used before to reach the same affect) is used.
ben at nullcreations dot net
23-Nov-2004 12:53
23-Nov-2004 12:53
Just a note to all the people who think $_SESSION can be poisoned by register_globals - it can't.
Consider the fact that GET/POST/COOKIE is Processed *before* sessions are. This means that even if you have register_globals on, and they write to $_SESSION, $_SESSION will just get reset again with the appropriate values.
Some people take to using extract() as a means to simulate register_globals in scripts where they're not sure what the server environment will be - this is when you should worry about such things. The reason is because extract() can concievably occur after GET/POST/COOKIE and SESSION processing.
snarkles <anything at $myname dot net>
19-May-2004 07:06
19-May-2004 07:06
If you're under an Apache environment that has this option enabled, but you're on shared hosting so have no access to php.ini, you can unset this value for your own site by placing the following in an .htaccess file in the root:
php_flag register_globals 0
The ini_set() function actually accomplishes nothing here, since the variables will have already been created by the time the script processes the ini file change.
And since this is the security chapter, just as a side note, another thing that's helpful to put into your .htaccess is:
<Files ".ht*">
deny from all
</Files>
That way no one can load .htaccess in their browser and have a peek at its contents.
Sorry, not aware of a similar workaround for IIS. :\
dav at thedevelopersalliance dot com
18-Dec-2003 06:38
18-Dec-2003 06:38
import_request_variables() has a good solution to part of this problem - add a prefix to all imported variables, thus almost eliminating the factor of overriding internal variables through requests. you should still check data, but adding a prefix to imports is a start.