PHP v4.2.x and register_globals: Coding the new way
So, you are a PHP programmer or you want to learn PHP? Well this article concerns the first ones who already have some experience with PHP. If you want to learn PHP.. buy a book! (You will find many @ http://www.php.net/books.php)
What is this article all about?
This article has to do with the register_globals option which has been changed to PHP v4.2.0 and newer. Let's assume that we have the following form to our website:
<form action="action.php" method="post">
<input type="text" name="yourname">
<input type="submit">
</form>
Until v4.2.0 you could parse this information at action.php like this:
<?
print("Your name is ");
print($yourname);
?>
But now PHP Team has changed an attribute in php.ini file. This attribute is register_globals which is now set to off. This means that you may no longer parse forms like the way we saw above.
Now let's assume that we have a url like this:
http://www.domain.com/file.php?name=Nick
Until v4.2.0, again, you could parse this information at file.php like this:
<?
print("Your name is ");
print($name);
?>
When we submit a variable throught a URI is identical if we submit a form with method set to get.
Why has PHP Team changed the way we can parse forms?
Well, they were forced to set register_globals to off for security reasons. I'll show an example what could happened if register_globals is set to on. Let's assume that you have a website and a section that has been made for members only. This could require a username and/or a password:
members.html
<html>
<head>
<title>Access Only For Members</title>
</head>
<body>
Please login first.<br>
<form action="action.php" method="post">
<input type="text" name="user"><br>
<input type="password" name="pass"><br>
<input type="submit">
</form>
</body>
</html>
action.php
<?
if(($name == "nick") && ($pass == "nickpwd"))
{
$is_authorized = true;
}
else
{
print("You are not authorized to view this page, or you misspelled your username and/or password. Please Try again...<br>\n");
print("<a href=\"login.html\">go back</a>\n"); exit;
}
if($is_authorized)
{
/* Your member page goes here */
}
?>
The member page can be easily accessed if you add the following line to the URL: is_authorized=1, so it becomes: http://www.server.com/action.php?is_authorized=1 and you can view the "secret" page.
So what's the solution to this "problem"?
PHP has changed the way that we can parse the form. Remember the form we used in the beginning of the article? Use the following code to print the results to the screen.
<?
print("Your name is ");
print($_POST['yourname']);
?>
If the form was submitted with the get method then we must use this code:
<?
print("Your name is ");
print($_GET['yourname']);
?>
If we'd like to print a message that is "attached" to the URl (e.g. http://www.domain.com/page.php?show=Hello) (which PHP parse identically with the get method), then we must use:
<?
print("Your name is ");
print($_GET['show']);
?>
This new variables are called Predefined Variables and they are used also for retrieving content for Cookies ($_COOKIE['cookiename']), Sessions, ($_SESSION['sessionname']), Information provided by the webserver ($_SERVER['varname']) and Enviroment ($_ENV['varname'])
That's it for register_globals in PHP v4.2.x and newer. You can find more information at PHP's official page.