PHP REGISTER_GLOBALS turned off? Hack It Back

by Carey on November 6, 2010

Post image for PHP REGISTER_GLOBALS turned off? Hack It Back

For those of you that don’t know, REGISTER_GLOBALS is a PHP directive that when enabled automatically initialises variables with the values from forms, session, GET etc.

For example, the data a login form with the input fields named “username” and “password” will automatically be available as $username and $password.

REGISTER_GLOBALS is, in my opinion, bad practice and should be avoided – but this is a seperate debate.

If you are moving a web application or PHP is ugraded/changed and you have no control over the configuration of REGISTER_GLOBALS, the following hack will help:

{code type=php}
foreach ($_GET as $key => $item)
{
$$key = $item;
}
{/code}

This will loop through each GET value and assign it to a local variable. You can use this same logic for $_POST, $_SESSION etc. by replaceing $_GET in the foreach loop.

This code is intended for applications that need a temporary solution, are in a closed environment or are in testing. I do not recommend using REGISTER_GLOBALS or this hack in a public application.

Before PHP 4.2.0 REGISTER_GLOBALS was set to ON by default. Most hosts will now have REGISTER_GLOBALS disabled.

{ 4 comments… read them below or add one }

Olaf January 3, 2007 at 7:20 am

Hi,

naming vars like this is a great and easy way to bypass the directive.

But these kind of fixes have the result that people doesn’t program for modern web server (PHP5).

Reply

Carey January 3, 2007 at 12:34 pm

You are right that it is not good practice going forward – it should only be used as a temporary solution.

Reply

SignpostMarv Martin August 22, 2007 at 3:29 am

Or, you know, you could extract($_GET);

Much quicker.

Reply

Steven Richards September 13, 2008 at 2:09 am

What SignpostMarv Martin said. Also, extract() is safer because it will check for variable naming issues and will check for collisions if you specify the EXTR_SKIP parameter for its extraction type.

extract($_GET, EXTR_SKIP);

http://www.php.net/extract

Reply

Leave a Comment

Previous post:

Next post: