Register globals

From DreamHost

When enabled, register_globals automatically creates global variables in PHP scripts from request data, usually HTML form fields.

A secure alternative to register_globals

In DreamHost's installation of PHP 5, the register_globals directive is disabled (which is actually the default condition); therefore, scripts relying on global variables that are automatically created during the submission of a form will not work as expected. Use the following superglobal array variables to access form (and other) data:

  • $_COOKIE
  • $_GET
  • $_FILES
  • $_POST
  • $_SERVER
  • $_SESSION

Example

Consider the following HTML form:

<form method="post" action="script.php">
  <input type="text" name="var">
  <input type="submit">
</form>

When register_globals is enabled, PHP can access the value of the "var" control like this:

<?php
// Inner double quotes must be escaped inside a double-quoted string.
echo "The value of the \"var\" control is $var";
?>

With register_globals disabled, the $_POST superglobal array variable must be used instead:

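<?php
// Read the value from $_POST explicitly and escape it before output,
// since it is user-controlled.
echo 'The value of the "var" control is ' . htmlspecialchars($_POST['var'], ENT_QUOTES, 'UTF-8');
?>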

A non-secure alternative to register_globals

In your PHP scripts, you can use the import_request_variables() function to import POST/GET/Cookie variables into the global namespace. This is useful for getting a script to work immediately while register_globals is off and you work on re-coding it.

PHP6

In PHP 6, the register_globals directive will not exist at all. Global variables will not be automatically registered.

Reasons for disabling

When enabled, register_globals makes it easy to inject all sorts of variables into a script: variables coming from GET or POST requests, and from sessions and cookies. For example, it is possible to exploit the fact that PHP doesn't require variables to be initialized.

Exploit example

Consider what would happen if you had a script that looked like this:

<?php
$admin['user'] = 'foo';
$admin['pass'] = 'bar';
if($admin['user'] == $_GET['username'] AND $admin['pass'] == $_GET['password']) {
  /* Give administrator access */
}
?>

On first inspection, the script appears fairly secure; however, a bad array initialization occurs when register_globals is enabled. Suppose you requested the page with page.php?admin=asdf. The following sequence would occur:

  • $admin is set to 'asdf'
  • $admin['user'] = 'foo'; sets the first char of 'asdf' to 'f'
  • $admin['pass'] = 'bar'; sets the first char of 'fsdf' to 'b'
  • $admin['user'] == $_GET['username'] tests if 'b' == $_GET['username']
  • $admin['pass'] == $_GET['password'] tests if 'b' == $_GET['password']


To get administrator access, you request page.php?admin=asdf&username=b&password=b - you only need to know the first character of the password. Even if you don't know it, there are relatively few possibilities.
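
A hardened form of the login check above, as an added example that is not part of the original page: check_admin() and request_string() are hypothetical helper names, and the sample requests are constructed. It goes slightly beyond the page's case by also rejecting array-typed parameters such as ?username[]=x.

```php
<?php
/**
 * Read one request parameter as a string. Returns null when the key is
 * missing or when the client sent an array (e.g. ?username[]=x).
 */
function request_string(array $source, $key)
{
    return (isset($source[$key]) && is_string($source[$key])) ? $source[$key] : null;
}

/**
 * Hypothetical helper. $request is passed in explicitly ($_GET or $_POST),
 * so the check never depends on variables created by register_globals.
 */
function check_admin(array $request)
{
    // $admin is local to this function (register_globals only creates
    // globals), and assigning the whole array replaces any earlier value,
    // so an injected string such as admin=asdf cannot survive this line.
    // The credentials are the ones from the page's example.
    $admin = array('user' => 'foo', 'pass' => 'bar');

    $user = request_string($request, 'username');
    $pass = request_string($request, 'password');
    if ($user === null || $pass === null) {
        return false;
    }

    // hash_equals() (PHP 5.6+) is a timing-safe string comparison and,
    // unlike ==, performs no type juggling.
    $userOk = hash_equals($admin['user'], $user);
    $passOk = hash_equals($admin['pass'], $pass);
    return $userOk && $passOk;
}

// Constructed sample requests, standing in for $_GET.
$samples = array(
    'request from the exploit example' => array('admin' => 'asdf', 'username' => 'b', 'password' => 'b'),
    'array-typed parameters'           => array('username' => array('foo'), 'password' => array('bar')),
    'correct credentials'              => array('username' => 'foo', 'password' => 'bar'),
);
foreach ($samples as $label => $request) {
    echo $label, ': ', check_admin($request) ? 'granted' : 'denied', "\n";
}
```

Only the last sample is granted access; the request from the exploit example is denied because $admin is assigned as a whole array before it is read.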

