On Sun, 2 Feb 2003, Pat Johnston wrote:
> I've read that an include file in each of your pages with the lines below
> should do the trick for you with register_globals OFF..
>
> Not sure if this is a valid way to go though...
>
> <?php
> extract($_SERVER);
> extract($_ENV);
> extract($_GET);
> extract($_POST);
> extract($_REQUEST);
> ?>

Whoever told you this should be shot as this is an enormous security
hole! The above is a security hole much larger than register_globals
could ever hope to be. That and it's silly to attempt to mimic
register_globals at runtime.

The above is insecure in that it will overwrite web server variables
($_SERVER) with request variables such as those from $_GET. This is
TERRIBLE!!! Just imagine this as just an example:

  http://www.example.com/a.php?PHP_SELF=http://www.foo.com

In the above scenario, this would create $PHP_SELF first from $_SERVER
then it'd be overwritten by the $_GET and then by the $_REQUEST that
had the GET in it. So this makes it inefficient and insecure :) A
better example exists but anyway this should show a nice point (like
maybe PHP_AUTH_PW or REMOTE_USER).

Anyway, sorry for the rant but it's just that whoever told you that
should not tell anyone anything related to this topic.

The best options are:

  a) rewrite the code or
  b) set register_globals with .htaccess or php.ini or in
     virtualhost in httpd.conf

  http://www.php.net/manual/en/configuration.changes.php

Now if you must set it at runtime (please do not do this) then you
could try this:

  // THIS IS NOT RECOMMENDED
  if (!ini_get('register_globals')) {
      $types_to_register = array('GET','POST','COOKIE',
                                 'SESSION','SERVER');
      foreach ($types_to_register as $type) {
          if (@count(${'HTTP_' . $type . '_VARS'}) > 0) {
              extract(${'HTTP_' . $type . '_VARS'}, EXTR_OVERWRITE);
          }
      }
  }
  // THIS IS NOT RECOMMENDED

Although it doesn't depend on the variables_order directive like
register_globals does, it is flexible. Keep in mind that variables
are written from first to last so you certainly don't want GET coming
after SERVER.

Regards,
Philip

> "Davy Obdam" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hello people,
> >
> > On my development machine (win XP/Apache 2.0.44/PHP 4.3.0/MySQL 3.23.55)
> > I have several websites that I made some time ago that require register
> > globals to be On in the php.ini. Of course I know that's not a good idea
> > at all for security, but rewriting all this code is not an option.
> > However in my php.ini I have set register globals to Off because that's
> > better. Is it possible to configure my webserver/php so that only those
> > sites that require register globals to be On have that setting, for
> > instance in a .htaccess file?? Any help is appreciated:-)
> >
> > Best regards,
> >
> > Davy Obdam
> > mailto:[EMAIL PROTECTED]
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
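
The overwrite described in Philip's reply, shown next to option (a), as an added example that is not part of the original thread. The arrays are constructed stand-ins for $_SERVER and $_GET, the function names are hypothetical, and the code targets a current PHP CLI rather than PHP 4.3.

```php
<?php
// Constructed sample data standing in for $_SERVER and $_GET (not real request data).
$server = array('PHP_SELF' => '/a.php', 'REMOTE_USER' => 'alice');
$get    = array('PHP_SELF' => 'http://www.foo.com', 'page' => '2');

// The include-file pattern from the quoted message: extract() defaults to
// EXTR_OVERWRITE, so each later array replaces variables an earlier one created.
function import_overwriting($server, $get) {
    extract($server);
    extract($get);
    return array('PHP_SELF' => $PHP_SELF, 'REMOTE_USER' => $REMOTE_USER);
}

// Audit helper (hypothetical): list request keys that shadow server keys,
// useful when reviewing legacy code that still relies on extract().
function colliding_keys($server, $request) {
    return array_keys(array_intersect_key($request, $server));
}

// Option (a), rewriting the code: read only the request fields the script
// expects, accept only strings, and keep server values in their own array.
function read_request($request, $expected) {
    $out = array();
    foreach ($expected as $name) {
        $ok = isset($request[$name]) && is_string($request[$name]);
        $out[$name] = $ok ? $request[$name] : null;
    }
    return $out;
}

$vars = import_overwriting($server, $get);
echo "after extract(): PHP_SELF = {$vars['PHP_SELF']}\n";
echo "after extract(): REMOTE_USER = {$vars['REMOTE_USER']}\n";
echo "colliding keys:  " . implode(', ', colliding_keys($server, $get)) . "\n";

$input = read_request($get, array('page'));
echo "explicit read:   page = {$input['page']}\n";
echo "explicit read:   PHP_SELF = {$server['PHP_SELF']}\n";
```

The first output line shows the request value in place of the server value, while the explicit read leaves PHP_SELF as the server set it.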