Intended audience
Introduction
register_globals
How do the variables get to PHP?
From the URL
From a Form
From a Cookie
From the environment or the Server
Use the superglobals!
Why are they called superglobals?
Other coding techniques
Ways to Hack
Summary
About the Author
Intended audience
Prior to PHP 4.2.0, the default value for the PHP configuration parameter register_globals was On. Many PHP programmers took advantage of the ease of use this configuration provided.
This article is intended for PHP programmers who have, in the past, relied on register_globals being On, and now wish to change their coding style to reflect the new default for this parameter. It will also be of interest to programmers using an ISP-hosted PHP environment where they do not control the PHP configuration file.
Introduction
I consider one of the strengths of PHP to be its easy learning curve. PHP allows for embedding small portions of PHP in an HTML file, allowing HTML authors to ease into the language. PHP has a very C-like syntax, allowing for an easy transition for programmers familiar with C. Weak variable typing, the flexibility and power of PHP's many extensions, and abundant examples and articles on the Internet also contribute to the easy learning curve for PHP.
One recent change in PHP may increase the learning curve some. With the release of PHP 4.2.0, the default value for register_globals is now Off. This takes away one of the features which made PHP so easy to learn (a problem which it is the goal of this article to rectify).
Why was this done? In a word: security. Your code is inherently more stable when you initialize each variable and know where each variable in your source is coming from. Caution must always be taken when receiving input from a user, and allowing the user to arbitrarily make variables in your code is not good coding practice. This is perhaps better explained by the PHP developers themselves in http://www.php.net/release_4_1_0.php (see the section titled SECURITY: NEW INPUT MECHANISM) and http://www.php.net/manual/en/security.registerglobals.php.
register_globals
The register_globals configuration parameter is controlled in your php.ini file. More information on the configuration file is available at http://www.php.net/manual/en/configuration.php. The register_globals parameter (http://www.php.net/manual/en/configuration.php#ini.register-globals) can take two values, On or Off. Prior to PHP version 4.2, On was the default, but this has now changed, and modifying your coding to accommodate this change is the subject of this article.
How do the variables get to PHP?
Experienced PHP programmers who have used URL query parameters, forms and cookies will find this section redundant, and may wish to go directly to the section on superglobals.
Variables come from many sources. One source is initializing them yourself, $var = 'value';. Described in the following sections are several other ways to get variables into your script, including as part of the URL, a form, a cookie, or part of the environment the server runs in. These examples are described from the perspective of using register_globals On, and you will learn later in the article how and where to get these values with register_globals Off.
From the URL
One of the most common ways to get information to a script is by passing query parameters in the URL. The following is the anatomy of a URL (for more information on parsing a URL in PHP, see ion.parse-url.php):
Scheme controls the protocol used by the client and server for the request. HTTP and HTTPS are the most common protocols used, but you might specify another, like FTP.
User and password information for basic HTTP authentication can be passed as part of the URL.
Host is the IP address or DNS name of the server referenced by this URL.
Port is the TCP/IP port to connect to on the server; 80 is standard for HTTP, and 443 is standard for HTTPS.
Path is the location and name of the script on the server.
Query is the parameters passed by the URL.
Fragment is the scroll target within the HTML document.
The portion of the URL we are most interested in here is the query parameters portion. With register_globals On, script.php would automatically have $var = 'val'; and $foo = 'bar'; set as global variables for the script to access.
Whenever a query parameter is specified in the script's URL, PHP will create a global array called $HTTP_GET_VARS. This is an associative array of the key => value pairs from the URL query parameters. From the example above, PHP will automatically create $HTTP_GET_VARS = array('var' => 'val', 'foo' => 'bar');.
Since PHP 4.1.0, a global variable called $_GET will contain the same array as $HTTP_GET_VARS. This array is a superglobal and will be discussed in greater detail later in this article.
From a Form
Another very common way to get input variables to a script is from a form on a web page. Included below is an example of what a web page might render, including the HTML source:
When a user clicks the "Send!" button, the browser will submit the form to script.php with a POST variable called $foo having the value the user entered into the text box on the web form. With register_globals On, script.php would have $foo = 'bar'; available as a global variable by default.
Similar to the query parameter example, whenever a browser submits a form to a PHP script, PHP will automatically create $HTTP_POST_VARS as an associative array of key => value pairs for the form inputs. The example above would result in the automatic creation of $HTTP_POST_VARS['foo'] = 'bar';.
With PHP 4.1.0 and greater, the variable $_POST will contain the same array.
From a Cookie
Web pages by nature are stateless, meaning that each time a web page is retrieved it is generated using information passed in the request. This fact presented a challenge for early web development, where designers wanted to maintain state throughout an entire interaction with a user, possibly across many web page requests on the site. The concept of cookies was developed to pass the information required to maintain this state, both for the duration of the user's current browsing session, and longer term by "dropping" a cookie on the user's hard drive.
If the following code is placed in a script, before any other output is sent, a cookie will be set:
/* Set cookie for 1 day */
setcookie('foo', 'bar', time() + 86400, '', $HTTP_HOST);
Note: astute observers will notice an obsolete global variable, $HTTP_HOST, used in the example. With register_globals Off, this would need to be $_SERVER['HTTP_HOST'].
A link on this page, to the same server, would pass $foo = 'bar'; as a cookie variable for the script.
From the environment or the Server
The operating system environment, and the web server, have many variables that can be used by the script. One of the most common uses of a server variable is to retrieve the name of the script itself or, as in the example above, the name of the host.
PHP creates these as additional associative arrays, $HTTP_ENV_VARS and $HTTP_SERVER_VARS. Since PHP 4.1.0, these same arrays are defined in $_ENV and $_SERVER.
Use the superglobals!
Now that you understand how these variables get to PHP, and that they are not automatically created for you by PHP when the register_globals setting is Off, it is time to identify what you can do with your coding style to adjust to the new default.
Your first choice is to use the new superglobal arrays; after all, that is what they were added for. This should be your preferred method, especially if you only intend to use the value once in your script (print 'Your IP Address is: ' . $_SERVER['REMOTE_ADDR'];).
If you intend to use a value more than once, you can assign the value to a variable ($mode = $_GET['mode'];) instead of explicitly referencing the superglobal each time.
Why are they called superglobals?
Normally, any variable used in a function is local in scope. This means that if you wanted to use the global $HTTP_GET_VARS array values in a function, you would need to use the statement global $HTTP_GET_VARS; before referencing this array.
Superglobals are an exception. You can use the variables $_GET, $_POST, $_COOKIE, $_ENV, $_SERVER and $_SESSION without having to reference them as globals first. There is also one additional superglobal array, $_REQUEST. This array contains all the variables from the GET, POST or COOKIE methods (basically anything that could be sent by the user, and which is therefore suspect).
Note: you cannot use a variable variable to access the superglobal arrays in functions. For example, the following code will not work:
The foo() function described above will not return values from the $_GET superglobal array.
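An added example (not the article's own listing) of the restriction just described, next to an alternative that does work. The function names lookup_by_name() and lookup_by_label() and the sample $_GET values are assumptions made for illustration.

```php
<?php
// Added example, not from the original article.
// $_GET is filled in by hand with constructed values so this runs from the CLI.
$_GET = array('mode' => 'edit');

// Does not work: inside a function, a variable variable is looked up in the
// function's local scope, so ${$source} never resolves to the superglobal.
function lookup_by_name($source, $key)
{
    return isset(${$source}[$key]) ? ${$source}[$key] : null;
}

// Works: each superglobal is written out literally, and the caller chooses
// among a fixed set of labels instead of supplying a variable name.
function lookup_by_label($source, $key)
{
    switch ($source) {
        case 'get':
            $data = $_GET;
            break;
        case 'post':
            $data = $_POST;
            break;
        case 'cookie':
            $data = $_COOKIE;
            break;
        default:
            return null; // unknown labels are rejected, not evaluated
    }
    return isset($data[$key]) ? $data[$key] : null;
}

var_dump(lookup_by_name('_GET', 'mode'));
var_dump(lookup_by_label('get', 'mode'));
```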
Other coding techniques
I found myself wanting to revert back to the easy way of having my variables registered for me. However, knowing the security risks, I instead wrote some helper functions to ease the transition.
The first function I wrote was register():
<?php
/**
 * Return a value from the global arrays
 *
 * @author Jason E. Sweat
 * @since 2002-02-05
 * @param string $varname
 *        The name of the variable to register
 *
 * @param string $defval Optional
 *        The value to return if not found
 *
 * @return string The value of the variable if
 *         registered, else the default
 */
function register($varname, $defval = null)
{
    // Checked in reverse of the default variables_order, so the source
    // that PHP would register last is consulted first
    if (array_key_exists($varname, $_SERVER)) {
        $retval = $_SERVER[$varname];
    } elseif (array_key_exists($varname, $_COOKIE)) {
        $retval = $_COOKIE[$varname];
    } elseif (array_key_exists($varname, $_POST)) {
        $retval = $_POST[$varname];
    } elseif (array_key_exists($varname, $_GET)) {
        $retval = $_GET[$varname];
    } elseif (array_key_exists($varname, $_ENV)) {
        $retval = $_ENV[$varname];
    } else {
        $retval = $defval;
    }
    return $retval;
}
?>
This function allows you to "register" variables you expect to have passed to the script. I normally use it by doing $mode = register('mode');. The function is defined to follow the default variables_order parameter from the php.ini file (http://www.php.net/manual/en/configuration.php#ini.variables-order), and therefore will return results identical to PHP with register_globals On (if assigned to a variable with the same name as the one you are registering). This function also allows you to specify a default value you would like the variable to have if the value is not found in the superglobal arrays.
This function had one drawback: it always returns a value, and therefore always initializes a variable to something. I had some instances in my code where I wanted to use isset() to determine if a value had been passed. In order to accommodate this behavior, I used a different function to register the values.
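<?php
/**
 * Set a global variable if the specified get
 * or post var exists
 *
 * @author Jason E. Sweat
 * @since 2002-04-25
 * @param mixed $test_vars
 *        The array of the vars to
 *        register; will accept a string
 *        name for a single var as well
 *
 * @global the variable, if it is set
 */
function getpost_ifset($test_vars)
{
    if (!is_array($test_vars)) {
        $test_vars = array($test_vars);
    }

    // The listing is cut off after this point on this page; the loop below
    // follows the description given after the function. Checking POST
    // before GET is an assumption.
    foreach ($test_vars as $test_var) {
        if (isset($_POST[$test_var])) {
            global $$test_var;
            $$test_var = $_POST[$test_var];
        } elseif (isset($_GET[$test_var])) {
            global $$test_var;
            $$test_var = $_GET[$test_var];
        }
    }
}
?>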
This function allows you to register variables by passing in their names as strings. If any of the variables were passed by either the GET or POST method, they will be set as global variables; otherwise you will still be able to check them using isset() to see if they were passed.
This function is also particularly good for writing a form handler script, since you can initialize an array of values easily (getpost_ifset(array('username', 'password', 'password2'))).
Ways to Hack
I can already hear the excuses: "I don't have enough time", or "the program is third party code and I don't want to learn and maintain it".
If you must hack your way around the register_globals Off default value, I would suggest reading up on the import_request_variables() function (http://www.php.net/manual/en/function.import-request-variables.php) or reviewing some of the reader-posted comments related to the extract() function (http://www.php.net/manual/en/function.extract.php).
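Why these are a workaround and not a fix, as an added example (not from the original article): a bare extract() on request data recreates what register_globals On did, so a flag the script never initialized can be supplied by the request, while the second function initializes its variables and copies only one expected, validated parameter. check_login(), the two page functions and the sample $_GET values are hypothetical.

```php
<?php
// Added example, not from the original article.
// $_GET is filled in by hand with constructed values so this runs from the CLI.
$_GET = array('mode' => 'edit', 'authorized' => '1');

// Hypothetical stand-in for a real credential check; it always fails here.
function check_login()
{
    return false;
}

// Pattern 1: import every request parameter as a variable, which is what
// register_globals On did and what a bare extract() still does.
function page_with_extract()
{
    extract($_GET);             // creates $mode and $authorized from the URL
    if (check_login()) {
        $authorized = true;     // only assigned when the login succeeds
    }
    // $authorized was never initialized by the script, so when the login
    // fails its value is whatever the request supplied.
    return !empty($authorized);
}

// Pattern 2: initialize every variable, then copy only the parameter the
// script expects, and only if it holds an expected value.
function page_with_allow_list()
{
    $authorized = check_login(); // always set by the script itself
    $mode = 'view';              // default when the parameter is absent
    $allowed_modes = array('view', 'edit');
    if (isset($_GET['mode']) && in_array($_GET['mode'], $allowed_modes, true)) {
        $mode = $_GET['mode'];
    }
    return array('authorized' => $authorized, 'mode' => $mode);
}

var_dump(page_with_extract());
var_dump(page_with_allow_list());
```

With the failed login, the first function still reports the request as authorized because of the authorized=1 parameter; the second ignores that parameter and accepts only the mode value.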
Summary
You should now be familiar with the various means of getting variables to a PHP script, and with a variety of coding techniques available to accommodate the change of the register_globals default from On to Off. Best of luck and happy (and secure) coding!
About the Author
Jason has worked as an IT professional since graduating from Colorado State University in 1992. He is currently an application developer, and the web master, for a business unit of fortune, and maintains a server at home for educational and home business purposes. He currently resides in Iowa with his wife and two children. Post comments or questions below, or send them to jsweat_php@yahoo.com.