We help IT Professionals succeed at work.

turn register_globals off on cgi PHP installs (non Apache Module)

jonlondon12
jonlondon12 asked
on
Medium Priority
287 Views
Last Modified: 2008-02-01
Hello guys,

I really need to have register_globals switched off on my site and my host has it switched on. I realise that if the host has PHP installed as an Apache module then I can switch it off via a .htaccess file on a per-site basis. However, my host uses the cgi implementation of PHP therefore I do not have a valid method of turning this setting off.

Any ideas how I can get around this?

Thanks
Comment
Watch Question

Richard QuadlingSenior Software Developer

Commented:
Hmm.

Not easily.

The register globals option occurs BEFORE your script is executed, so by the time the script starts you already have the array populated.

But, you could do some cleaning.

All you need to do is to protect the super globals.

$_FILES, $_COOKIE, $_POST, $_GET, $_SERVER, $_ENV, $_SESSION.

The $_REQUEST is, in effect, an amalgum of some of the above (depending upon the server setup).

$GLOBALS is the global array.

So, you could do something like this ...

<?php
// Remove ALL non super global variables.
foreach($GLOBALS as $s_variable_name => $m_variable_value)
 {
 if (!in_array(array('_FILES', '_COOKIE', '_POST', '_GET', '_SERVER', '_ENV', '_SESSION'))
  {
  unset($GLOBALS[$s_variable_name]);
  }
 }
// Continue with your script.
?>

Richard QuadlingSenior Software Developer

Commented:
Ok.

This will need extending to include (maybe), argv and argc, if a CGI or CLI environment is also supported.

Also, if you use an auto_prepend_file or auto_append_file entry in .htaccess / php.ini then you will need to exclude any variables you use there too.

On my machine ...

<?php
foreach($GLOBALS as $s_name => $m_value)
 {
 echo "$s_name\n";
 }
?>

GLOBALS
_ENV
argv
argc
_POST
_GET
_COOKIE
_SERVER
_FILES
_REQUEST
am_default_context
r_default_context
m_value
s_name


Richard QuadlingSenior Software Developer

Commented:
Bloody hell. I'm a ZCE and somehow, today, I'm supplying BAD code.

Sorry.

Ok. Here is a TESTED example.

<?php
// Define a junk variable.
$s_junk = 'Something from register_globals maybe.';

// See what GLOBALS contains.
echo "Before\n";
foreach($GLOBALS as $s_name => $m_value)
 {
 echo "$s_name\n";
 }

// Remove ALL non super global variables.
foreach($GLOBALS as $s_variable_name => $m_variable_value)
 {
 if (!in_array($s_variable_name, array('GLOBALS', 'argv', 'argc', '_FILES', '_COOKIE', '_POST', '_GET', '_SERVER', '_ENV', '_SESSION', 's_variable_name', 'm_variable_value')))
  {
  unset($GLOBALS[$s_variable_name]);
  }
 }
unset($GLOBALS['s_variable_name']);
unset($GLOBLAS('m_variable_value']);

// See what GLOBALS contains.
echo "\n\nAfter\n";
foreach($GLOBALS as $s_name => $m_value)
 {
 echo "$s_name\n";
 }

?>

This produces output of ...

Before
GLOBALS
_ENV
argv
argc
_POST
_GET
_COOKIE
_SERVER
_FILES
_REQUEST
am_default_context <<<< For me, this should be protected as it is the data array for my global default context to route PHP fopen() through the proxy server.
r_default_context <<<< For me, this should be protected as it is the global default context to route PHP fopen() through the proxy server.
s_junk <<<<< Should be missing after the clean up.
m_value <<<< Used to show the BEFORE
s_name <<<< User to show the BEFORE


After
GLOBALS
_ENV
argv
argc
_POST
_GET
_COOKIE
_SERVER
_FILES
m_value <<<< Used to show the AFTER
s_name <<<< Used to show the AFTER

Author

Commented:
Hey Thanks Richard, thats a lot of help you've given me and it's much appreciated.

The main reason I need register_globals switched off is because I believe it is this setting that is giving me problems accessing objects that are stored in sessions.

For example,

            $_SESSION['page']=unserialize($_SESSION['page']);
            $pageName=$_SESSION['page']->getName();
            $windowTitle=$_SESSION['page']->getWindowTitle();
            $HTML=$_SESSION['page']->getContent();
            $_SESSION['page']=serialize($_SESSION['page']);

gives the following error:

Fatal error: Call to a member function on a non-object

This is not a problem on my local test machine where register_globals are switched off.
Senior Software Developer
Commented:
This is in the PHP Manual on "Serializing objects - objects in sessions" ...

"If you are using sessions and use session_register() to register objects, these objects are serialized automatically at the end of each PHP page, and are unserialized automatically on each of the following pages. This basically means that these objects can show up on any of your pages once they become part of your session.

It is strongly recommended that you include the class definitions of all such registered objects on all of your pages, even if you do not actually use these classes on all of your pages. If you don't and an object is being unserialized without its class definition being present, it will lose its class association and become an object of class stdClass without any functions available at all, that is, it will become quite useless.

So if in the example above $a became part of a session by running session_register("a"), you should include the file classa.inc on all of your pages, not only page1.php and page2.php."

You've probably read this, but it is still worth repeating, just in case you are not familair with it.

Personally, I would NOT ...

$_SESSION['page']=unserialize($_SESSION['page']);

I would ...

$o_class_name_here_and_instance_name_here = unserialize($_SESSION['page']);

e.g..

$o_page_current = unserialize($_SESSION['page']);

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Richard QuadlingSenior Software Developer

Commented:
By using an __autoload() function you can remove the necessity of including all the require/include_once()'s in your code.

Take a look at my user notes on __autoload http://www.php.net/manual/en/language.oop5.autoload.php
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.