Verwendung von Register Globals

Warnung

Dieses Feature ist seit PHP 5.3.0 DEPRECATED (veraltet). Sich auf dieses Feature zu verlassen ist in keiner Weise empfehlenswert.

Ein Feature von PHP zur Erhöhung der Sicherheit ist die Konfiguration von PHP mit register_globals = off. Mit Deaktivierung der Möglichkeit, irgendeine vom Benutzer übertragenen Variable in den PHP Code zu injizieren, können Sie die Anzahl "vergifteter" Variablen reduzieren, welche ein potentieller Angreifer zufügen könnte. Dieser benötigt mehr Zeit, um sich Übermittlungen auszudenken, und Ihre internen Variablen sind effektiv von den übergebenen Benutzervariablen isoliert.

Während dies den benötigten Aufwand mit PHP zu arbeiten leicht erhöht ist dargelegt, dass die Vorteile gegenüber dem Aufwand klar überwiegen.

Beispiel #1 Mit register_globals=on arbeiten

<?php
if ($username) {  // kann vom User mit get/post/cookies übermittelt werden
    
$good_login 1;
}

if (
$good_login == 1) { // kann vom User mit get/post/cookies übermittelt werden
    
fpassthru ("/highly/sensitive/data/index.html");
}
?>

Beispiel #2 Mit register_globals = off arbeiten

<?php
if($_COOKIE['username']){
    
// kann nur von einem Cookie kommen
    
$good_login 1;
    
fpassthru ("/highly/sensitive/data/index.html");
}
?>
Dies weise genutzt ist es auch möglich, präventive Messungen durchzuführen, um bei versuchten Vorstößen zu warnen. Wenn Sie im Voraus wissen, woher eine Variable kommen soll, können Sie prüfen, ob die übermittelten Daten nicht einen unpassenden Weg genommen haben. Obwohl dies nicht garantiert, dass Daten nicht nur ausgedacht sind, erfordert es von einem Angreifer, auch den richtigen Weg zu finden.

Beispiel #3 Entdecken einfacher Manipulationen von Variablen

<?php
if ($_COOKIE['username'] &&
    !
$_POST['username'] &&
    !
$_GET['username'] ) {
    
// Durchführen anderer Checks, ob der Benutzername gültig ist...
    
$good_login 1;
    
fpassthru ("/highly/sensitive/data/index.html");
} else {
   
mail("admin@example.com""Possible breakin attempt"$_SERVER['REMOTE_ADDR']);
   echo 
"Security violation, admin has been alerted.";
   exit;
}
?>
Natürlich bedeutet ein einfaches Deaktivieren von register_globals nicht, dass Ihr Code nun automatisch sicher ist. Jeder Teil mit Daten sollte auch auf andere Arten geprüft werden. Überprüfen Sie immer die Eingaben von Benutzern und initialisieren Sie Ihre Variablen! Um Ihre Skripte auf nicht initialisierte Variablen zu prüfen, können Sie error_reporting() so einstellen, dass Fehler des Levels E_NOTICE angezeigt werden.

Sie knnen die On und Off Einstellungen von register_globals emulieren, nheres hierzu finden Sie in den FAQ.

Hinweis: Superglobals: Hinweis zur Verfügbarkeit

Seit PHP 4.1.0 stehen superglobale Arrays wie $_GET, $_POST,$_SERVER, etc. zur Verfügung. Weitere Informationen können Sie dem Abschnitt zu superglobals entnehmen.

add a note add a note

User Contributed Notes 12 notes

up
69
lester burlap
8 years ago
It would make this whole issue a lot less confusing for less-experienced PHP programmers if you just explained:

- $myVariable no longer works by default
- $_GET['myVariable'] works just fine

I'm embarrassed to say it's taken me six months since my ISP upgraded to PHP5 figure this out.  I've completely rewritten scripts to stop using GET variables altogether.

I'm dumb.
up
16
claude dot pache at gmail dot com
8 years ago
Beware that all the solutions given in the comments below for emulating register_global being off are bogus, because they can destroy predefined variables you should not unset. For example, suppose that you have

<?php $_GET['_COOKIE'] == 'foo'; ?>

Then the simplistic solutions of the previous comments let you lose all the cookies registered in the superglobal "$_COOKIE"! (Note that in this situation, even with register_global set to "on", PHP is smart enough to not mess predefined variables such as  $_COOKIE.)

A proper solution for emulating register_global being off is given in the FAQ, as stated in the documentation above.
up
4
tomas at hauso dot sk
1 year ago
for PHP5.4+ you can use registry pattern instead global

final class MyGlobal {
    private static $data = array();

    public static function get($key) {
        return (isset(static::$data[$key]) ? static::$data[$key] : null);
    }

    public static function set($key, $value) {
        static::$data[$key] = $value;
    }

    public static function has($key) {
        return isset(static::$data[$key]);
    }

}
// END OF CLASS

$var1 = 'I wanna be global';

MyGlobal::set('bar', $var1 ); // set var to registry

function foo(){
    echo MyGlobal::get('bar'); // get var from registry
}

foo();
up
9
elitescripts2000 at yahoo dot com
4 years ago
<?php

/* Forces all GET and POST globals to register and be magically quoted.
* This forced register_globals and magic_quotes_gpc both act as if
* they were turned ON even if turned off in your php.ini file.
*
* Reason behind forcing register_globals and magic_quotes is for legacy
* PHP scripts that need to run with PHP 5.4 and higher.  PHP 5.4+ no longer
* support register_globals and magic_quotes, which breaks legacy PHP code.
*
* This is used as a workaround, while you upgrade your PHP code, yet still
* allows you to run in a PHP 5.4+ environment.
*
* Licenced under the GPLv2. Matt Kukowski Sept. 2013
*/

if (! isset($PXM_REG_GLOB)) {

 
$PXM_REG_GLOB = 1;

  if (!
ini_get('register_globals')) {
    foreach (
array_merge($_GET, $_POST) as $key => $val) {
      global $
$key;
      $
$key = (get_magic_quotes_gpc()) ? $val : addslashes($val);
    }
  }
  if (!
get_magic_quotes_gpc()) {
    foreach (
$_POST as $key => $val) $_POST[$key] = addslashes($val);
    foreach (
$_GET as $key => $val$_GET[$key]  = addslashes($val);
  }
}

?>
up
5
arman_y_92 at yahoo dot com
3 years ago
To all those fans of this insecure functionality (which I'm glad is now turned off by default) , you can just use extract() to achieve a similar goal more securely (unless you overwrite local variables with $_GET or $_POST data).
up
2
thewordsmith at hotmail dot com
2 years ago
//Some servers do not have register globals turned on. This loop converts $_BLAH into global variables.
foreach($_COOKIE as $key => $value) {
    if(!is_array($value)){
        ${$key} = trim(rawurldecode($value));
        //echo "$key $value<br>";
    }
    else{
        ${$key} = $value;
    }
}
foreach($_GET as $key => $value) {
    if(!is_array($value)){
        ${$key} = trim(rawurldecode($value));
        //echo "$key $value<br>";
    }
    else{
        ${$key} = $value;
    }
}
foreach($_POST as $key => $value) {
    if(!is_array($value)){
        ${$key} = trim(rawurldecode($value));
        //echo "$key $value<br>";
    }
    else{
        ${$key} = $value;
    }
}
foreach($_REQUEST as $key => $value) {
    if(!is_array($value)){
        ${$key} = trim(rawurldecode($value));
        //echo "$key $value<br>";
    }
    else{
        ${$key} = $value;
    }
}
foreach($_SERVER as $key => $value) {
    if(!is_array($value)){
        ${$key} = trim(rawurldecode($value));
        //echo "$key $value<br>";
    }
    else{
        ${$key} = $value;
    }
}
up
-1
chirag176 at yahoo dot com dot au
2 years ago
$mypost = secure($_POST);

function AddBatch($mypost,$Session_Prefix){
...
}
up
-6
Ruquay K Calloway
9 years ago
While we all appreciate the many helpful posts to get rid of register_globals, maybe you're one of those who just loves it.  More likely, your boss says you just have to live with it because he thinks it's a great feature.

No problem, just call (below defined):

<?php register_globals(); ?>

anywhere, as often as you want.  Or update your scripts!

<?php
/**
* function to emulate the register_globals setting in PHP
* for all of those diehard fans of possibly harmful PHP settings :-)
* @author Ruquay K Calloway
* @param string $order order in which to register the globals, e.g. 'egpcs' for default
*/
function register_globals($order = 'egpcs')
{
   
// define a subroutine
   
if(!function_exists('register_global_array'))
    {
        function
register_global_array(array $superglobal)
        {
            foreach(
$superglobal as $varname => $value)
            {
                global $
$varname;
                $
$varname = $value;
            }
        }
    }
   
   
$order = explode("\r\n", trim(chunk_split($order, 1)));
    foreach(
$order as $k)
    {
        switch(
strtolower($k))
        {
            case
'e':    register_global_array($_ENV);        break;
            case
'g':    register_global_array($_GET);        break;
            case
'p':    register_global_array($_POST);        break;
            case
'c':    register_global_array($_COOKIE);    break;
            case
's':    register_global_array($_SERVER);    break;
        }
    }
}
?>
up
-5
moore at hs-furtwangen dot de
9 years ago
I had a look at the post from Dice, in which he suggested the function unregister_globals(). It didn't seem to work - only tested php 4.4.8 and 5.2.1 - so I made some tweaking to get it running. (I had to use $GLOBALS due to the fact that $$name won't work with superglobals).

<?php
//Undo register_globals
function unregister_globals() {
    if (
ini_get('register_globals')) {
       
$array = array('_REQUEST', '_FILES');
        foreach (
$array as $value) {
            if(isset(
$GLOBALS[$value])){
                foreach (
$GLOBALS[$value] as $key => $var) {
                    if (isset(
$GLOBALS[$key]) && $var === $GLOBALS[$key]) {
                       
//echo 'found '.$key.' = '.$var.' in $'.$value."\n";                   
                       
unset($GLOBALS[$key]);
                    }
                }
            }
        }
    }
}
?>

The echo was for debuging, thought it might come in handy.
up
-3
steve at dbnsystems dot com
1 year ago
The following version could be even faster, unless anyone may come with a good reason why this wouldn't be a good practice:

<pre>
function unregister_globals() {
    if (ini_get(register_globals)) {
        $array = array('_REQUEST', '_SESSION', '_SERVER', '_ENV', '_FILES');
        foreach ($array as $value) {
            $$value = [];
        }
    }
}
</pre>
up
-10
chirag
2 years ago
Fatal error: Cannot re-assign auto-global variable _POST

Final Solution for php 5.4 and above version

$a =  $_POST;
function add($_POST;){
echo $_POST['a'];
echo $_POST['b'];
}
add($a);
up
-19
Dice
9 years ago
To expand on the nice bit of code Mike Willbanks wrote and Alexander tidied up, I turned the whole thing in a function that removes all the globals added by register_globals so it can be implemented in an included functions.php and doesn't litter the main pages too much.

<?php
//Undo register_globals
function unregister_globals() {
    if (
ini_get(register_globals)) {
       
$array = array('_REQUEST', '_SESSION', '_SERVER', '_ENV', '_FILES');
        foreach (
$array as $value) {
            foreach (
$GLOBALS[$value] as $key => $var) {
                if (
$var === $GLOBALS[$key]) {
                    unset(
$GLOBALS[$key]);
                }
            }
        }
    }
}
?>
To Top