Globals inside function

I have a small problem.

is it possible to put all globals inside a function

function name ($name) {

$variable = $_GET['variable'];
$something = $_GET['another'];

require_once ROOT . "/content/$name.php"; 

}

instead of me typing all the $_GET, is it possible to just pass all the globals into the function?

this problem caught me off guard, i thought having the Register Globals On would work regardless of whether it's in a function or class.

on my ride home i thought of 1 useful thing about Register Globals Off …

if you have a function / class / or just general script that uses $name and you passed name in your post url then you have a problem, but it’s not necessarily a security flaw, it’s more of a bad programming structure. you’ll bump into that same problem with Globals Off or On

yeah the one with Globals on

and the one with Globals Off doesn’t show anything because i didn’t assign
$whatever = $_GET['whatever'];

once i assign it… you can add whatever you want in the URL … saying that it just really defeats the purpose.

So the " Not Assigned" column should have nothing listed under it at all?
Well the one with Register Global on does.

I worked on servers with Register Global On and Off

I have a dedicated server with Host Dime and the company i work for has a Dedicated Server totally different company

This is an example of the server with Global Off
http://jmfserver.net/test/check.php?whatever=GlobalOff&name=yourname
http://jmfserver.net/test/index.php to check php.ini file

Same exact script and files the server with Global On
http://www.carlosja.com/test/ - check PHP ini file
http://www.carlosja.com/test/check.php?whatever=GlobalOn&name=yourname

Whatever isn’t going to get anything until i assign it
$whatever = $_GET['whatever'];

With register globals ON every single variable that your code uses can be overridden by someone passing in their own value. It basically negates 95% of the possible security techniques that you can use in your code since you can’t assume that any field is safe from tampering.

PHP 4.2 turned that field OFF by default to resolve the security issues and there is no good reason for overriding it so as to disable most of the security in your script.

Anyway, even the laziest person should be able to rewrite all their scripts so as to not need it on within a couple of years (ie. by 22nd April 2004).

No, because then you explicitly set $name to $_GET['name']. When relying on register_globals users can set variables that you never meant them to set!

yeah … i understand your point but if I did

$name = $_GET['name'];

and someone added name in the url same security flaw.

Being lazy in this case causes security issues.
For example, what do you think will happen if someone adds “name” to the URL?

I’m a lazy programmer lol

I don’t think PHP 6 is coming out soon, and when it does it’ll take 4-5 yrs before it’s standardized.

Oops, that’s what I meant, you’re right :slight_smile:

You do know register_globals is extremely evil (example) and will be deprecated in PHP6 right?

It isn’t being deprecated in PHP 6. It was deprecated in PHP 4.2 and is being removed completely in PHP 6.

ack never mind… php.net is a beautiful thing god has created for us all.

extract($GLOBALS);

function __a($name) {

extract($GLOBALS);

require_once ROOT . "/content/$name.php";  

}
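
An added example, not code from any poster in this thread: it contrasts importing every request parameter into a function's scope (what `extract()` on request data or register_globals does) with reading only the expected key and checking it against an allowlist before it reaches the `require_once` path. The `$request` array, the function names and the page names are hypothetical, constructed for illustration.

```php
<?php
// Constructed request: parameters a visitor controls, standing in for $_GET.
$request = ['name' => 'home', 'is_admin' => '1'];

// Weak: extract() copies every request key into local scope, which is the
// effect register_globals On has on the global scope.
function page_with_extract(array $request): array
{
    extract($request);          // imports $name AND the unexpected $is_admin
    if (!isset($is_admin)) {    // the code assumed only it could set this flag
        $is_admin = false;
    }
    return ['name' => $name ?? null, 'is_admin' => (bool) $is_admin];
}

// Hardened: read only the key the function expects, initialise every other
// variable locally, and map $name onto an allowlist before building a path.
function page_explicit(array $request, array $allowedPages): array
{
    $is_admin = false;          // never taken from the request
    $name = $request['name'] ?? '';
    if (!is_string($name) || !in_array($name, $allowedPages, true)) {
        $name = 'home';         // hypothetical default page
    }
    return ['name' => $name, 'is_admin' => $is_admin];
}

$allowed = ['home', 'about'];   // hypothetical page names under /content/

// Same request, two outcomes: the extra parameter flips the flag only in
// the extract() version.
var_dump(page_with_extract($request));
var_dump(page_explicit($request, $allowed));

// A name outside the allowlist falls back to the default instead of being
// interpolated into the include path.
var_dump(page_explicit(['name' => '../other'], $allowed));
```

Explicitly assigning `$name = $_GET['name'];` still accepts whatever value is sent, so the allowlist check is what keeps that value from choosing an arbitrary file.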