Emulating the register_globals on directive
PHP has an interesting directive called register_globals, defined in php.ini. The directive tells PHP that the values of incoming (global) variables should be pulled out of their system arrays and presented as independent variables. This concerns all data passed to a script "from outside": form data, data from the URL, cookies and so on. Personally I like this directive, because it saves time when writing scripts and makes them more readable. Compare which looks nicer and easier on the eye:
Hello, dear <?= $_COOKIE['username'] ?>, we are glad to see you!
Hello, dear <?= $username ?>, we are glad to see you!
In general, I personally like PHP mainly for its readability and for how quickly it can be written.
Nevertheless, in every convenient thing some muck is bound to lurk. Registration of global variables did not escape trouble either. Careless programmers left holes in their scripts that a user could discover and exploit. Put simply, if a variable was used inside a script but was not set by that script, it could be set "from outside" by passing its name and value to the script via the URL, a cookie or some other way.
This hole, which has been filed under "holes in PHP" (personally I consider it a hole in programming, not in the language), compelled the PHP developers to recommend disabling register_globals. The public immediately took this as a guide to action: everyone began switching off registration of global variables on their servers.
Maybe that is not so bad, I will not judge; after all, for the sake of security people sometimes build up more than the problem itself is worth.
But the general abandonment of global variable registration has led to a new problem: many scripts have to be rewritten almost from scratch, because every line must be checked and every variable in use found and replaced with its "protected" counterpart.
As far as I understand, this problem ultimately comes down to assigning, at the start of the script, the familiar variables their values from the global arrays $_REQUEST, $_POST, $_GET, $_COOKIE, $_SERVER, etc.
So what am I getting at? This: a normal programmer should not allow holes in their scripts like those based on automatic registration of global variables, but does that concern the administrator of the server on which the code is to be placed? No, it does not concern him, and in his own way he is right.
Therefore, if you have written a program to order that uses global variables, and the customer has decided to install it on a server where their registration will not work at all, you have a problem.
If you have decided to move all your projects to a new hosting provider, and the provider forbids registration of global variables, you have problems.
What to do? Surely not comb through tens, hundreds and sometimes thousands of pages of code in search of global variable usage.
I offer the following solution: simply emulate the operation of register_globals in one particular script or at the start of an object-oriented structure.
How to do it? It is not that difficult. Let us reason logically: the names of variables and their values are held in the corresponding global arrays. As a rule, the $_REQUEST array is used, which combines all GET, POST and COOKIE variables, that is, everything the scripts work with that is passed to the script from the browser.
So we need to take the variable names and the variable values from the array and assign the second to the first. Taking them is no problem: foreach (), which iterates over all elements of an array, will do. But how to assign? If $_REQUEST['username'] contains "atos", how do we programmatically create a variable $username with the value "atos"? We cannot know in advance what variable names will be in the $_REQUEST array.
Here we are helped by the remarkable function eval(), which is seldom used in ordinary programming but is literally irreplaceable in some cases. The function deserves a separate article, so I will say only a couple of words for those who are not familiar with it.
eval() forces PHP to treat ordinary text contained in a variable as a fragment of PHP code. To put it in terms of an example, the results of the lines
echo 'Hello, User!';
eval("echo 'Hello, User!';");
will be identical.
eval() will also help us declare all the variables from the $_REQUEST array. It looks quite short:
foreach ($_REQUEST as $k => $v)
{
    eval("\$$k = '$v';");
}
Insert this loop at the very start of your script; it will go through the array of global variables and declare them no worse than register_globals does. Perhaps even better, since there are many global arrays and variables need not be pulled from all of them. As a rule, the data from the $_REQUEST array is quite enough.
However, do not forget about the security of your code. Note the specifics of how eval() works: it executes all code passed to it as a parameter. Be careful and take security measures so that an attacker cannot slip in, as the name or contents of a variable, a piece of PHP code or simply invalid data capable of causing an error (for example, a variable name that begins with a digit or another disallowed character).
09.02.2003
P.S. After this note was published, the opinion that the eval() variant is not the best was voiced on the forum more than once. Personally I prefer to leave myself "room for retreat", and eval() is attractive precisely because it allows you to control the process completely, adding the necessary checks and restrictions to the procedure or, on the contrary, extending the capabilities of the code. For example, you can add logging of the registration of individual variables, to know who, where, from where and why, or strictly forbid the registration of certain variable names or other data.
However, each method has its pluses and minuses: think it over and decide for yourself, as the well-known song goes.
The "variable variables" method.
foreach ($_REQUEST as $k => $v)
{
    $$k = $v;
}
As you can see, this is also a simple method, based on using the value of the variable $k as the name of a new variable. Convenient. It differs in that it automatically registers not only variables but also arrays. With the eval() method you have to check each variable with is_array() and additionally unwrap (register) it if you need such an array.
And the simplest method is extract().
The entire code of our example will look like this:
extract($_REQUEST);
This is the "bluntest" method, unwrapping into variables everything that the $_REQUEST array contains. There is absolutely no flexibility in this approach: you cannot influence the registration of variables or introduce any control, but it looks very concise.
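The checks asked for above (valid names, forbidden names, logging, array handling) can be applied before any variable is created and without eval(), which also closes the "variable set from outside" hole described at the start. The following is an added example, not code from the original note; import_request_vars(), the $allowed map and the sample request are hypothetical.

```php
<?php
// Added example; import_request_vars(), $allowed and the sample input are hypothetical.

// Return only the entries of $source that the script declared in $allowed
// ($allowed maps a variable name to 'scalar' or 'array'); record each decision in $log.
function import_request_vars(array $source, array $allowed, array &$log): array
{
    $clean = [];
    foreach ($source as $name => $value) {
        $name = (string) $name;
        // A legal PHP identifier: no leading digit, no punctuation.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            $log[] = 'rejected (invalid name): ' . json_encode($name);
            continue;
        }
        // Only names the script expects; this also keeps out names such as
        // _SERVER or GLOBALS and any flag the script sets for itself.
        if (!isset($allowed[$name])) {
            $log[] = "rejected (not expected): $name";
            continue;
        }
        // Enforce the declared shape: an array must not arrive where a scalar is expected.
        if (is_array($value) !== ($allowed[$name] === 'array')) {
            $log[] = "rejected (wrong type): $name";
            continue;
        }
        $clean[$name] = $value;
        $log[] = "registered: $name";
    }
    return $clean;
}

// Constructed sample standing in for $_REQUEST.
$request = [
    'username' => "O'Brien",       // the quote would end the string literal built for eval()
    'tags'     => ['php', 'web'],  // array value
    '9lives'   => 'x',             // name starting with a digit
    'is_admin' => '1',             // a variable the script sets for itself
    '_SERVER'  => 'x',             // name of a superglobal
];

$log  = [];
$vars = import_request_vars($request, ['username' => 'scalar', 'tags' => 'array'], $log);

// No eval(): values are never parsed as code. EXTR_SKIP leaves existing variables untouched.
extract($vars, EXTR_SKIP);

echo "Hello, $username\n";
echo implode(', ', $tags), "\n";
echo implode("\n", $log), "\n";
```

In a real script, pass $_REQUEST (or only $_POST or $_GET) in place of $request and write $log to the server's log rather than to the page.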
And finally, do not forget that register_globals can be enabled not only in the Apache configuration file but also in your site's .htaccess file.
Good luck to you, and do not write holey scripts!
