3

Ok, I cannot remember the details on this, but on some servers you can use $var instead of $_GET['var'] to access a variable in the URL. I know this is BAD, but I can't remember why it is bad?

JasonDavis

10 Answers

8

I think you mean Register Globals.

You shouldn’t use them because you cannot distinguish the source of the variable values, since they can come from any of the EGPCS sources (Environment, GET, POST, Cookie, Server).

So if you have $var, you cannot say whether the value came from $_ENV['var'], $_GET['var'], $_POST['var'], $_COOKIE['var'] or $_SERVER['var'].

Gumbo
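The ambiguity this answer describes, worked through as an added example (this is not code from the original answer or from PHP itself). register_globals no longer exists in current PHP, so the script re-creates its merge step by hand: register_globals_merge is a helper written for this example, the query string and cookie are constructed, and the second variables_order value it tries is a hypothetical php.ini setting chosen only to show that the winner changes with configuration.

```php
<?php
// Added example, not code from the original answer. register_globals was
// removed in PHP 5.4, so this script re-creates by hand what it did, to show
// why a bare $var cannot tell you which of the EGPCS sources it came from.
// The request data below is constructed for the demonstration.

// The same parameter name arrives in the URL and in a cookie. Both are under
// the client's control.
$_GET    = ['var' => 'from-the-url'];
$_COOKIE = ['var' => 'from-a-cookie'];

// ENV, POST and SERVER are left empty so the output stays readable.
$sources = ['E' => [], 'G' => $_GET, 'P' => [], 'C' => $_COOKIE, 'S' => []];

// Helper written for this example. register_globals walked the sources in the
// order given by the variables_order ini setting and registered each key as a
// global; a source later in the string overwrote one registered earlier.
function register_globals_merge(array $sources, string $variables_order): array
{
    $merged = [];
    foreach (str_split($variables_order) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $merged[$name] = $value;
        }
    }
    return $merged;
}

// Default variables_order is "EGPCS": Cookie is registered after Get, so the
// cookie wins and the URL value is silently discarded.
$registered = register_globals_merge($sources, 'EGPCS');
extract($registered);                 // the step register_globals did for you
echo "EGPCS: \$var = $var\n";         // from-a-cookie

// Same script under a (hypothetical) php.ini with the order reversed: now the
// URL wins. Nothing in the code changed; only the server configuration did.
$registered = register_globals_merge($sources, 'SCPGE');
extract($registered);
echo "SCPGE: \$var = $var\n";         // from-the-url

// The explicit superglobals name the source, so there is nothing to guess.
printf("\$_GET['var'] = %s, \$_COOKIE['var'] = %s\n",
    $_GET['var'] ?? 'unset', $_COOKIE['var'] ?? 'unset');
```

Run it with the PHP CLI; the two echo lines print different values for the same $var, which is the whole point: the script cannot tell the cookie from the URL, and which one it gets is decided in php.ini.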
7

The feature is called Register Globals and it allows people to inject variables into your code. See the documentation for examples; here's one:

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
RichieHindle
  • That’s not the reason. Although using undefined variables is not good style either. But if you use `$authorized = false;` to set the default value, you won’t have that problem. – Gumbo Sep 21 '09 at 22:15
  • @Gumbo: The PHP documentation puts this at the top of its list of reasons. – RichieHindle Sep 21 '09 at 22:20
  • @Gumbo That's exactly the point, though - you have to remember to set the default value, for everything at all sensitive. Without register_globals, there's a lot less risk - forgetting to set it to false doesn't make an exploit possible. – ceejayoz Sep 21 '09 at 22:41
  • There are multiple reasons why register_globals is bad, and this is a good one. @Gumbo, do you think your average PHP coder would know to initialize default values? – We Are All Monica Sep 21 '09 at 23:32
2

You can use that if your server has register_globals set to 1 (or true) in the php.ini file.

At some point, this started to be off by default, and applications started to break, which is a reason why this is a bad practice.

You can see a list of php.ini variables here.

pgb
  • "Because having it off breaks applications" isn't a very good reason. Variable injection and not being able to distinguish between types of request/environment variables are the two main ones. – We Are All Monica Sep 21 '09 at 23:28
1

It's also bad because you can confuse yourself with the way that PHP will scope your variables. You may wind up overwriting data if you aren't careful. Also, using $_GET is much clearer as to what you are attempting to accomplish.

Topher Fangio
1

Because letting people inject values into arbitrary variables is a very bad thing. You could be storing anything there and they could overwrite some value that compromises your security. Remember to use isset to check that a value has been set before trying to use it.

Joe
  • isset() won't help - if register_globals is on and the client does something like page.php?var=1 - then isset($var) will still return true. – We Are All Monica Sep 21 '09 at 23:30
  • Sorry I meant before you use $_GET . I assumed the OP wasn't going to use register globals. – Joe Sep 22 '09 at 07:05
1

It's bad because if you're not careful to initialize every variable before you use it (something that PHP won't force you to do), people can easily cause your code to do Very Bad Things with a request as simple as /myapp/index.php?admin_privileges=1.

hobbs
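The manual's vulnerable check quoted in RichieHindle's answer, the isset() point from the comments under Joe's answer, and hobbs's ?admin_privileges=1 style of request, worked through in one added example (not code from any of the answers or from the PHP manual). Because register_globals is gone from current PHP, extract($_GET) stands in for it; authenticated_user(), the three check_* functions and the query string are all constructed for this demonstration.

```php
<?php
// Added example, not code from any of the answers. register_globals was removed
// in PHP 5.4, so extract($_GET) stands in for it: it copies every query-string
// parameter into a same-named variable, which is exactly the injection the
// answers describe. Everything below is constructed for the demonstration.

// Constructed request: nobody is logged in, but the URL carries
// ?authorized=1&page=news (the same trick as hobbs's ?admin_privileges=1).
$_GET = ['authorized' => '1', 'page' => 'news'];

// Stand-in for the real session check; always "not logged in" here.
function authenticated_user(): bool
{
    return false;
}

// The manual's pattern: $authorized is only ever assigned on success and is
// never given a default, so the injected value survives.
function check_vulnerable(): bool
{
    extract($_GET);              // what register_globals did before your code ran
    if (authenticated_user()) {
        $authorized = true;
    }
    // isset() is no defence here: the attacker is the one who set it.
    printf("  isset(\$authorized) = %s\n", var_export(isset($authorized), true)); // true
    return !empty($authorized);  // true: the anonymous request passes
}

// Gumbo's fix: set the default first. register_globals populated variables
// before the first line of the script ran, which is why a default assigned
// afterwards wins; in this emulation extract() therefore has to come first.
function check_initialised(): bool
{
    extract($_GET);
    $authorized = false;         // explicit default overrides anything injected
    if (authenticated_user()) {
        $authorized = true;
    }
    return $authorized;          // false
}

// What the question should do instead: request data stays inside $_GET, is
// read under a name you chose, and can never collide with your own variables.
function check_explicit(): bool
{
    $authorized = authenticated_user();
    $page = $_GET['page'] ?? 'home';   // how to read a URL parameter explicitly
    printf("  page = %s\n", $page);
    return $authorized;          // false, whatever the query string says
}

foreach (['check_vulnerable', 'check_initialised', 'check_explicit'] as $check) {
    printf("%s:\n", $check);
    printf("  authorized = %s\n", var_export($check(), true));
}
```

Only the first function lets the anonymous request through. Note the difference between the second and third: initialising every sensitive variable works, but it has to be remembered everywhere, whereas reading from $_GET explicitly removes the class of bug rather than one instance of it.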
0

The setting is called REGISTER_GLOBALS and it was discussed here:

Why is REGISTER_GLOBALS so bad?

Community
0

If you can do that, then "register_globals" is turned on. This is bad because you won't know where a variable came from, and it mixes your variables with the ones any user can inject via the URL. Read more here: http://www.php.net/manual/en/security.globals.php

tobiasvl
0

Once you get used to using $_POST, $_GET, etc your code's purpose will be easier to read and much, much easier to maintain.

Citizen
0

Register globals would work, but it's going to go away in a future version of PHP. Not to mention that it really is wrong to have it enabled.

You can use extract() for a more controlled behavior. It will extract the keys from an array (in this case, $_GET) into the local context as variables. You can give them a common prefix so that they don't collide with your existing variables. And you can filter the array beforehand to make sure you're only getting the expected variables.

int extract( $var_array [, $type = EXTR_OVERWRITE [, $prefix  ]] )

Import variables from an array into the current symbol table.

Tomas Andrle
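An added example of the filtered, prefixed extract() this answer recommends, placed next to the bare extract($_GET) it warns against; this is not code from the original answer. The query string, the allowlist and the two page_* functions are constructed for the demonstration.

```php
<?php
// Added example, not code from the original answer: extract() with an allowlist
// and a prefix, as the answer describes, beside the bare extract($_GET) that
// the rest of the thread warns against.

// Constructed query string: two parameters this page expects, one it does not.
$_GET = ['page' => '3', 'sort' => 'date', 'authorized' => '1'];

// Bare extract() is register_globals by another name: the URL parameter
// 'authorized' overwrites the local default, even though it was initialised.
function page_without_filtering(): string
{
    $authorized = false;
    extract($_GET);
    return $authorized ? 'admin view' : 'public view';   // 'admin view'
}

// The controlled form: filter, then prefix, then validate.
function page_with_allowlist(): array
{
    $authorized = false;

    // 1. Filter the array beforehand: keep only the keys this page expects,
    //    so 'authorized' (or any other surprise) never becomes a variable.
    $expected = ['page', 'sort'];
    $params   = array_intersect_key($_GET, array_flip($expected));

    // 2. Import with a common prefix: the variables become $get_page and
    //    $get_sort and cannot collide with $authorized or other locals.
    //    (EXTR_SKIP would protect existing variables instead, but still lets
    //    unexpected names appear unless step 1 is done.)
    $imported = extract($params, EXTR_PREFIX_ALL, 'get');

    // 3. Validate what you imported: extract() renames, it does not check.
    $page = filter_var($get_page ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'default' => 1]]);
    $sort = $get_sort ?? 'date';
    if (!in_array($sort, ['date', 'title'], true)) {
        $sort = 'date';
    }

    return [
        'imported'   => $imported,    // 2 variables created
        'page'       => $page,        // 3
        'sort'       => $sort,        // 'date'
        'authorized' => $authorized,  // false: the URL could not touch it
    ];
}

echo page_without_filtering(), "\n";
print_r(page_with_allowlist());
```

The allowlist in step 1 is what actually closes the hole; the prefix in step 2 is a second line of defence against name collisions, and step 3 is a reminder that extract() says nothing about whether the values are sane.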