WebApp Sec mailing list archives

Re: PHP and "Register_Globals"


From: "Chris Travers" <chris () travelamericas com>
Date: Sat, 29 Mar 2003 14:18:02 -0800

My favorite solution is to write a registration module at the beginning of a
file (and use include_once) to extract the cookie/session/Get/Post values in
whatever order you want to declare.  This can be used to override settings
which could also cause unexpected behavior in your application.

See http://www.php.net/manual/en/function.extract.php for more details on
the extract command.  You can write such a module to your own
specifications.  This can also be used to prevent non-standard ordering of
registering globals from causing unexpected behavior in your application.

Best Wishes,
Chris Travers

----- Original Message -----
From: "Ulrich P." <spam () wir-sind org>
To: <webappsec () securityfocus com>
Sent: Saturday, March 29, 2003 9:57 AM
Subject: PHP and "Register_Globals"


hello,

newer php-versions have set "register_globals" to "off" by default. I
programmed a huge php-project during the last year and didn't start
using the global POST and GET-arrays, so if a form contains <input
type=text name=age> I use $age in my scripts.

I soon realized the security issues, and wrote my own
validation-functions, ... to handle all the XSS and SQL-injection
problems.

my question is now: my app is 'safe', but what do I do if my future
webhost has register_globals to 'off'?

would it be possible to write a script that registers the whole
POST-array as single variables? simply as it used to be in 'older'
PHP-versions?

any ideas welcome :)


regards,

Ulrich
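
The registration module described in the reply above, sketched as an added example that is not part of either message. The file name, the $allowed list and the cookie/GET/POST order are assumptions for illustration; the point is that only expected names are registered and that the order is fixed in code rather than by php.ini.

```php
<?php
// register_input.php (hypothetical name) -- added example.
// Load it with include_once from global scope, before any other code,
// so the variables it creates are globals of the including script.

/**
 * Copy only allowlisted request keys into one array, in a declared
 * source order. Later sources override earlier ones.
 */
function collect_request_vars(array $allowed, array $sources): array
{
    $allowedKeys = array_flip($allowed);
    $vars = [];
    foreach ($sources as $source) {
        foreach (array_intersect_key($source, $allowedKeys) as $name => $value) {
            // Skip array-valued input (e.g. age[]=1) so every registered
            // variable is a plain string the validators can handle.
            if (is_string($value)) {
                $vars[$name] = $value;
            }
        }
    }
    return $vars;
}

// Names the application's forms are expected to send (constructed sample).
$allowed = ['age', 'name'];

// Declared order: cookie first, then GET, then POST has the last word.
$vars = collect_request_vars($allowed, [$_COOKIE, $_GET, $_POST]);

// EXTR_SKIP never overwrites a variable that already exists in this scope,
// so request data cannot replace $allowed, $vars or anything set earlier.
extract($vars, EXTR_SKIP);
```

Values registered this way are still raw request data and go through the same validation functions as before; a name that was not submitted is simply left undefined.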



