Questions about register_globals settings_PHP tutorial-PHP Tutorial-php.cn

Questions about register_globals settings_PHP tutorial

WBOY

Release： 2016-07-13 17:28:11

Original

964 people have browsed it

For various reasons, PHP settings need to rely on the register_globals parameter to be turned on, but it has also become an important security risk. Please see the following piece of code: Remote users can simply pass authenticated as a form variable, even if authenticate_user( ) function returns false, $authenticated will still be set to true. This is a simple example. You may say, my program will not be written like this. In fact, in slightly more complex applications, this mechanism will become a major vulnerability. Therefore, with new versions of PHP, we recommend that users not use this variable to control applications, although we have no plans to remove it in the near future. In order to help users build applications with register_globals set to off, some variables have been added to replace the old ones. Here are 7 new arrays: $_GET - Contains form variables sent via GET $_POST - Contains form variables sent via POST $_COOKIE - Contains HTTP cookie variables $_SERVER - Contains server-side variables (for example: REMOTE_ADDR) $_ENV - Contains environment variables $_REQUEST - A mix of GET variables, POST variables and Cookie variables, variables that come from the user and cannot be trusted. $_SESSION - Contains HTTP variables registered through the session module. These variables, in any scope, are automatically set as global variables and can be called from anywhere without adding the global keyword. For example: function example1() { print $_GET["name"]; // There is no need to write: global $_GET; } Another tip worth mentioning is that adding a record to the $_SESSION array can automatically register it as a session variable , just like you called the session_register() function.