Part III: Advanced Features and Techniques

Register Globals

The PHP master configuration file, php.ini, offers a configuration directive, register_globals, which controls how PHP recognizes and uses variables passed to it. With the value of register_globals set to on, external variables from sources such as forms, cookies, sessions, and URLs are passed directly to, and used without extra manipulation by, a receiving PHP script. Prior to PHP 4.2.0, this was the default setting. While this presents a certain level of coding convenience and simplicity, it's not such a good idea. The PHP team benevolently offers you the choice of registering globals or not, but they have clearly announced their intention to remove the option sooner rather than later.

What does it mean to register globals exactly? In a larger sense, a global is any variable or constant that persists outside of the scope in which it is initialized. For example, passing a variable value of socks from a form field named clothes in one script results in the variable $clothes with the value socks being directly available in the processing script. This direct availability is dependent on the registration of these variables as they become available. There are, however, some potential drawbacks, some of them security related, in registering global variables in this way.

The first and perhaps most significant possibility is that variables from one source may overwrite variables from some other source. Consider, by way of example, the following form:

You can probably see the problem here almost immediately in that $clothes has been defined twice, and since it is not an array, the value of clothes defined in the GET-style ACTION attribute will be overwritten by the user-entered value POSTed by the form. Potentially more seriously, if a cookie with that name has been defined, it will overwrite the POST variable. You can instruct PHP, again via the php.ini file, to evaluate variables in a different order; but the net effect of that is simply to reorder the problem, not to solve it. It doesn't, for example, allow you to have two variables of the same name. This issue provides a couple of different avenues through which Web site visitors of malicious intent could set variables for themselves and possibly slip undesirable data into your applications.

However, with the value of register_globals set to off, a different situation emerges. Instead of being immediately imported into the global scope, variables are stored in one of a number of arrays, each named for the environment that supplies it. These associative arrays are:

$_GET
$_POST
$_SESSION
$_FILES
$_COOKIE

Their respective variables are accessed as indices in the array; for example, a POST form variable from the preceding example would be $_POST['clothes']. But because we aren't registering globals, we would also have $_GET['clothes'] and possibly $_COOKIE['clothes'], each with its own intact values. Whether or not you would actually need to, or even should, name variables in this way is debatable, but there are other advantages to ensuring register_globals is set to off.
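The collision described above, as an added example that is not part of the book. The request data is constructed inline: a URL parameter, a POSTed form field and a cookie all named clothes. Because register_globals cannot be switched on at runtime (and no longer exists in current PHP), its import of every source into the global scope is emulated with array_merge over the sources in a chosen order; the order letters follow the php.ini variables_order convention (G, P, C), which is the directive the text refers to for "a different order". The clothes_from_form() function is a hypothetical name showing the register_globals=off style, where the script reads the one superglobal it actually trusts.

```php
<?php
// Constructed request data: the ACTION URL carried ?clothes=shirt, the form
// POSTed clothes=socks, and the browser also sent a cookie named clothes.
$_GET    = ['clothes' => 'shirt'];
$_POST   = ['clothes' => 'socks'];
$_COOKIE = ['clothes' => 'from-cookie'];

// Emulation of what register_globals=on did: every source is dumped into one
// namespace, and each later source silently overwrites the earlier one.
// $order uses the variables_order letters: G = GET, P = POST, C = COOKIE.
function emulate_register_globals(string $order): ?string
{
    $sources = ['G' => $_GET, 'P' => $_POST, 'C' => $_COOKIE];
    $scope = [];
    foreach (str_split($order) as $letter) {
        // array_merge keeps the last value seen for a duplicate string key,
        // which is exactly the overwrite the text warns about
        $scope = array_merge($scope, $sources[$letter]);
    }
    return $scope['clothes'] ?? null;
}

// Default order GPC: the cookie value ends up in $clothes.
// Reordering to GCP only changes which source wins; one name still holds one value.
$with_default_order = emulate_register_globals('GPC');
$with_cookie_first  = emulate_register_globals('GCP');

// register_globals=off style: each source stays in its own superglobal, and the
// script states explicitly that only the POSTed form field is accepted here.
function clothes_from_form(): ?string
{
    if (!isset($_POST['clothes']) || !is_string($_POST['clothes'])) {
        return null;
    }
    return $_POST['clothes'];
}

printf("register_globals GPC: %s\n", $with_default_order);
printf("register_globals GCP: %s\n", $with_cookie_first);
printf("GET: %s  POST: %s  COOKIE: %s\n",
    $_GET['clothes'], $_POST['clothes'], $_COOKIE['clothes']);
printf("value the script trusts: %s\n", clothes_from_form());
```

Run with php on the command line. The two emulated runs print from-cookie and socks respectively, showing that changing the order merely changes which source overwrites the others; the superglobal line shows all three values surviving side by side, and the last line shows the script choosing the POST copy deliberately rather than inheriting whichever one happened to be imported last.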
