intended audience
introduction
register_globals
how do the variables get to php?
from the url
from a form
from a cookie
from the environment or the server
use the superglobals!
why are they called superglobals?
other coding techniques
ways to hack
summary
about the author
intended audience
prior to php 4.2.0, the default value for the php configuration parameter register_globals was on. many php programmers took advantage of the ease of use this configuration provided.
this article is intended for php programmers who have, in the past, relied on the register_globals on, and now wish to change their coding style to reflect the new default for this parameter. it will also be of interest to programmers using an isp hosted php environment where they do not control the values of the php configuration file.
introduction
i consider one of the strengths of php the easy learning curve. php allows for embedding small portions of php into an html file, allowing html authors to ease into the language. php has a very c-like syntax, allowing for easy transition of programmers familiar with c. weak variable typing, the flexibility and power of php many extensions, and abundant examples and articles on the internet also contribute to the easy learning curve for php.
one recent change in php may increase the learning curve some. with the release of php 4.2.0, the default value for register_globals is now off. this takes away one of the features that made php so easy to learn (a problem which it is the goal of this article to rectify).
why was this done? in a word: security. you code is inherently more stable when you initialize and know where each variable in your source is coming from. caution must always be taken when receiving input from a user, and allowing the user to arbitrarily make variables in your code is not good coding practice. this is perhaps better explained by the php developers themselves in http://www.php.net/release_4_1_0.php (see the section titled security: new input mechanism) and http://www.php.net/manual/en/security.registerglobals.php.
register_globals
the register_globals configuration parameter is controlled in your php.ini file. see http://www.php.net/manual/en/configuration.php for more information on the configuration file. the register_globals parameter http://www.php.net/manual/en/configuration.php#ini.register-globals can take two values, on or off. prior to php version 4.2, on was the default, but this has now changed, and modifying your coding to accommodate this change is the subject of this article.
how do the variables get to php?
experienced php programmers who have used url query parameters, forms and cookies will find this section redundant, and may wish to go directly to the section on superglobals.
variables come from many sources. once source is initializing them yourself, $var = ’value’;. described in the following sections are several other ways to get variables into your script, including as part of the url, a form, a cookie, or part of the environment the server runs in. these examples are described from the perspective of a server using register_globals on, and you will learn later in the article how and where to get these values with register_globals off.
from the url
one of the most common ways to get information is by passing query parameters. the following is the anatomy of a url (for more information on parsing a url in php see http://www.php.net/manual/en/function.parse-url.php ):
scheme controls the protocol used by the client and server for the request. http and https are the most common protocols used, but you might specify another like ftp.
user and password information for basic http authentication can be passed as part of the url.
host is the ip address or dns name for the server reference by this url.
port is the tcp/ip port to use on the server, 80 is standard for http, and 443 is standard for https.
path is the location and name of the script on the server.
query is parameters passed by the url.
fragment is the scroll target within the html document.
the portion of the url we are most interested in here is the query parameters portion. with the register_globals on, the script.php would automatically have $var = ’val’; and $foo = ’bar’; set as global variables for the script to access.
whenever a query parameter is specified in the script’s url, php will create a global array called $http_get_vars. this is an associative array of the key => value pairs from the url query parameters. from the example above, php will automatically create $http_get_vars = array (’var’ => ’val’, ’foo’ => ’bar’);.
since php 4.1.0, a global variable called $_get will contain the same array as $http_get_vars. this array is a superglobal and will be discussed in greater detail later in this article.
from a form
another very common way to get input variable to a script is from a form on a web page. included below is an example of how a web page might render, including the html source:
when a user clicks the "send!" button, the browser will submit the form to script.php with a post variable called $foo having the value the user entered into the text box on the web form. with register_globals on, the script.php would have $foo = ’bar’; available as a global variable by default.
similar to the query parameter example, whenever a browser submits a form to a php script, php will automatically create $http_post_vars as an associative array of key => value pairs for all of the form inputs. the example above would result in the automatic creation of $http_post_vars[’foo’] = ’bar’;.
with php 4.1.0 and greater, the variable $_post will contain the same associative array.
from a cookie
web pages by nature are stateless, meaning that each time a web page is retrieved it is generated using information passed in the request. this fact presented a challenge for early web development, where designers wanted to maintain state throughout an entire interaction with a user, possibly across many web page requests on the site. the concept of cookies was developed to pass the information required to maintain this state, both for the duration of the user’s current browsing session, and longer term by "dropping" a cookie on the user’s hard drive.
if the following code was placed on a script, before any other output was sent, a cookie will be set:
/* set cookie for 1 day */
setcookie(’foo’, ’bar’, time()+86400, ’’, $http_host);
note: astute observers will notice an obsolete global variable in the $http_host used in the example. with register_globals = ’off’, this would need to be $_server[’http_host’].
a link on this page, to the same server, will pass $foo = ’bar’; as a cookie variable for the script.
from the environment or the server
the operating system environment, and the web server, has many variables that can be used by the script. one of the most common uses of a server variable is to retrieve the name of the script itself or, as in the example above, the name of the host.
php creates additional associative arrays as $http_env_vars and $http_server_vars. after php 4.1.0, these same arrays are defined in $_env and $_server.
use the superglobals!
now that you understand how these variables get to php, and that they are not automatically created for you by php when the register_globals setting off, it is time to identify what you can do with your coding style to adjust to the new default.
your first choice is to use the new superglobal arrays, after all, that is what they were added for! this should be your preferred method, especially if you only intend to use the value once in your script (print ’your ip address is:’ . $_server[’remote_addr’]; ).
if you intend to use a value more than once, you can assign the value to a variable ($mode = $_get[’mode’]; ) instead of explicitly referencing the superglobal each time.
why are they called superglobals?
normally, any variable used in a function is local in scope to that function. this means if you wanted to use the global $http_get_vars array values in a function, you would need to first use the statement global $http_get_vars; before referencing this array.
superglobals are an exception to this rule. you may use the variables $_get, $_post, $_cookie, $_env, $_server and $_session without having to reference them as globals first. there is also one additional superglobal array, $_request. this array contains all of the variables from get, post or cookie methods (basically anything that could be sent by the user, and which is therefore suspect).
note: you cannot use a variable variable to access the superglobal arrays in functions. for example, the following code will not work:
<?php
function foo()
{
$sg = ’_get’;
return ${$sg}[$var];
}
?>
the foo() function described above will not return values from the $_get superglobal array.
other coding techniques
i found myself wanting to revert back to the easy way of having my variables registered for me. however, knowing the security risks, i instead wrote some helper functions to ease the transition.
the first function i wrote was register() :
<?php
/**
* return a value from the global arrays
*
* @author jason e. sweat
* @since 2002-02-05
* @param string $varname
* the name of the variable to register
*
* @param string $defval optional
* the value to return if not found
*
* @return string the value of the variable if
* registered, else the default
*/
function register($varname, $defval=null)
{
if (array_key_exists($varname, $_server)) {
$retval = $_server[$varname];
} elseif (array_key_exists($varname, $_cookie)) {
$retval = $_cookie[$varname];
} elseif (array_key_exists($varname, $_post)) {
$retval = $_post[$varname];
} elseif (array_key_exists($varname, $_get)) {
$retval = $_get[$varname];
} elseif (array_key_exists($varname, $_env)) {
$retval = $_env[$varname];
} else {
$retval = $defval;
}
return $retval;
}
?>
this function now allows you to "register" variables you expect to have passed to the script. i normally use this by doing $mode = register(’mode’);. the function is defined to follow the default variables_order parameter from the php.ini file (http://www.php.net/manual/en/configuration.php#ini.variables-order ), and therefore will return an identical result to php with register_globals on (if assigned to a variable with the same name as you are registering). this function also allows you to specify a default value you would like to have the variable initialized with if the value is not found in any of the superglobal arrays.
this function had one drawback, it will always return a value, and therefore always initialize a variable to something. i had some instances in my code where i wanted to use isset() to determine if a value had been passed. in order to accommodate this behavior, i used a different function to register the values.
<?php
/**
* set a global variable if the specified get
* or post var exists
*
* @author jason e. sweat
* @since 2002-04-25
* @param string $test_vars
* the array of the vars to
* register, will accept a string
* name for a single var as well
*
* @global the variable, if it is set
*/
function getpost_ifset($test_vars)
{
if (!is_array($test_vars)) {
$test_vars = array($test_vars);
}
foreach($test_vars as $test_var) {
if (isset($_post[$test_var])) {
global $$test_var;
$$test_var = $_post[$test_var];
} elseif (isset($_get[$test_var])) {
global $$test_var;
$$test_var = $_get[$test_var];
}
}
}
?>
this function will allow you to pass an array of strings for variables to register. if any of the variable were passed in either the get or post methods, they will be set as global values, otherwise you will still be able to check the values using isset() to see if they were passed.
this function is also particularly good for writing a form handler script since you can initialize an array of values easily (getpost_ifset(array(’username’, ’password’, ’password2’)); ).
ways to hack
i can already hear the excuses: "i don’t have enough time", or "the program is third party code and i do not want to learn and maintain it".
if you must hack your way around the register_globals off default value, i would suggest reading up on the import_request_variables() function (http://www.php.net/manual/en/function.import-request-variables.php) or reviewing some of the reader posted comments related to the extract() function (http://www.php.net/manual/en/function.extract.php).
summary
you should now be familiar with the various means of getting variables into a php script, and a variety of coding methods available to you to accommodate the change of the register_globals default from on to off. best of luck to you, and happy (and secure) coding!
about the author
jason has worked as an it professional since graduating from colorado state university in 1992. he is currently an application developer, and the web master, for a business unit of a fortune 100 company, and maintains a server at home for educational and home business purposes. he currently resides in iowa with his wife and two children. please feel free to post any comments or questions below, or send them to jsweat_php@yahoo.com.