PHP variables are not passed! The register_globals problem

PHP FAQ.




Don't worry. The data is being passed to the script; PHP simply does not assign it to variables under every configuration. You can find your data in special arrays.

All the old PHP manuals say that data received from forms, or passed in a link like this:
script.php?peremennaya=znachenie&variable=value
automatically becomes PHP variables, $peremennaya and $variable.
This information is outdated.
The fact is that, for security reasons, starting with version 4.1, PHP is configured by default so that passed values are not assigned to variables.
To get a passed value, read it from the appropriate array.
For example:
If you pass data by GET, requesting the script with a link of the form
script.php?var=value
or submitting a form with method="GET",
then all the variables are contained in the array $_GET.
echo $_GET['var']; prints "value".
If you receive data from a form sent by POST, all the fields of that form are contained in the array $_POST. Suppose the form had an element named var holding the value 1.
Then, in the script specified in the form's action, we can write echo $_POST['var']; and it will likewise print 1.

So if you are sure that the variable is there but you just cannot find it, look for it in the superglobals.
More details about them can be read in Russian in the official documentation.
The same applies to server variables, such as $REMOTE_ADDR and $PHP_SELF. You can get them from the arrays $_SERVER and $_ENV, or with the function getenv:
getenv('HTTP_REFERER');

Variables registered in the session are found in the array $_SESSION.
Cookie data is contained in the array $_COOKIE, and information about uploaded files in $_FILES.
Environment variables are in $_ENV, and there is also the array $_REQUEST, which collects data from GET, POST and cookies.

Important! One of the first PHP functions to turn to, phpinfo(), is a great help when looking for variables.
Use it every time you have "lost" a variable: call phpinfo(32); in the script where authorization does not work, or in the script that receives the uploaded file, and everything will be there!

Whether variables are assigned is controlled by the register_globals option in php.ini.
If register_globals = on, all data received by the script is assigned to the corresponding variables.
The PHP developers strongly recommend turning register_globals off (this mode is even the default in all new versions) and using data received from the user only through the corresponding arrays.
This is because with register_globals = on a carelessly written script is easy to hack.
For example, an authorization function sets the variable $admin = 1, but if authorization did not succeed, it does not assign anything. With register_globals = on it is very easy to become the administrator of such a script by simply requesting it as script.php?admin=1
A huge number of sites have been hacked in this way.

In addition, register_globals = off forces the use of the superglobal arrays ($_GET, $_POST and so on), which helps to avoid confusion. Very many people, having written a variable into the session and then trying to change its value by passing it to the script via GET, could never understand why nothing worked. That is why it is
very important when working with sessions, under any settings (and especially when register_globals != on), to work only with the array $_SESSION, as described in the relevant section.

That is, register_globals = off is in this case not a goal but a means: an incentive for the programmer to write secure scripts and avoid confusion.
If you want to write a script that does not depend on the register_globals setting, and is therefore protected, you need to declare (initialize) variables before using them. Another initiative of the PHP developers serves this aim: writing programs with the error reporting level (error_reporting) set to E_ALL, at which the use of undeclared variables produces warnings.
It is precisely the declaration of all variables used in the script that is the safeguard against hacking. If you write a program for distribution, the only guarantee of its safety is declaring variables.
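
The $admin case described above and the fix by declaring variables, as an added example that is not the FAQ's own code. register_globals was removed in PHP 5.4, so extract() over a constructed request array emulates it here; the function names, the sample requests and the stand-in password check are assumptions.

```php
<?php
error_reporting(E_ALL);

// Constructed sample requests: one with only a stray "admin" parameter,
// one with the (constructed) correct password.
$forged_request = ['admin' => '1'];
$honest_request = ['password' => 'constructed-demo-password'];

// Stand-in for a real credential check (assumption for this demo).
function password_ok(array $request): bool
{
    return ($request['password'] ?? '') === 'constructed-demo-password';
}

// Vulnerable: $admin is assigned only on success and never declared,
// so a value imported from the request survives a failed check.
function is_admin_vulnerable(array $request): bool
{
    extract($request);           // emulates register_globals = on
    if (password_ok($request)) {
        $admin = 1;
    }
    return !empty($admin);
}

// Fixed: the variable is declared before use, which discards anything
// the request imported under the same name.
function is_admin_fixed(array $request): bool
{
    extract($request);           // same hostile setting, still emulated
    $admin = 0;
    if (password_ok($request)) {
        $admin = 1;
    }
    return $admin === 1;
}

echo 'vulnerable, forged request: ';
var_dump(is_admin_vulnerable($forged_request));
echo 'fixed, forged request: ';
var_dump(is_admin_fixed($forged_request));
echo 'fixed, honest request: ';
var_dump(is_admin_fixed($honest_request));
```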

If it is not possible to rework a finished script, but it has to be made to work with register_globals = off, then do not forget that, first, you are creating a potential hole on your site, and second, you can use extract and import_request_variables for this.

BUT!
Thoughtless use of these functions is just as risky!

If you want to adapt an old script to the new rules, put the following code in that script:
import_request_variables("GPC");
extract($_SERVER);
First the variables that come from the user are assigned, and then the predefined server ones, so that the former cannot overwrite server variables of the same name.
IMPORTANT!!!
This code has to be called as early as possible in the script, before any other code and any variable assignments,
because it is a hole even worse than register_globals = on!
After all, if it is called after variables have been assigned in the script, a hacker can easily overwrite them.
The latest versions of PHP tell you about this with a notice when you use import_request_variables.
And rightly so: three years have passed since the new rules were introduced. It is time to learn to write scripts correctly.
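
The two ordering rules above (user data before server data, and the import before any assignment), as an added example that is not the FAQ's own code. import_request_variables() was removed in PHP 5.4, so extract() over constructed arrays stands in for both lines of the snippet; the function names and sample values are assumptions.

```php
<?php
// Constructed sample input: a request that reuses the name of a script
// variable and of a server variable, and the real server data.
$user   = ['is_admin' => '1', 'REMOTE_ADDR' => '203.0.113.7', 'page' => '2'];
$server = ['REMOTE_ADDR' => '192.0.2.10'];

// Import at the very top, user data first, then the script's own code.
function import_early(array $user, array $server): array
{
    extract($user);
    extract($server);        // server values win on a name clash
    $is_admin = false;       // the script's own assignment comes last
    return compact('is_admin', 'REMOTE_ADDR');
}

// Same import placed after the script has already assigned its variable.
function import_late(array $user, array $server): array
{
    $is_admin = false;
    extract($user);          // the request value replaces $is_admin
    extract($server);
    return compact('is_admin', 'REMOTE_ADDR');
}

// Server data imported first: the request value replaces $REMOTE_ADDR.
function import_wrong_order(array $user, array $server): array
{
    extract($server);
    extract($user);
    $is_admin = false;
    return compact('is_admin', 'REMOTE_ADDR');
}

foreach (['import_early', 'import_late', 'import_wrong_order'] as $fn) {
    echo $fn, ': ', json_encode($fn($user, $server)), PHP_EOL;
}
```

Only import_early leaves both the script's own $is_admin and the server's REMOTE_ADDR intact.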

But it is better to use the corresponding arrays rather than variables dumped into one heap. Especially if the script has variables coming from a cookie, from a form and from the session: a great deal of confusion stems from this.

by phpfaq.ru