phpdigHttpVars - register_globals


chris2000
12-14-2003, 10:26 AM
What is phpdigHttpVars exactly doing?

Am I right, that it is circumventing the deactivation of register_globals?

This is index.php:

echo "in the beginning: ".$test."<br>"; //no output via GET possible

$relative_script_path = '.';

include "$relative_script_path/includes/config.php";
include "$relative_script_path/admin/debug_functions.php";
include "$relative_script_path/libs/search_function.php";

// extract vars
extract(phpdigHttpVars(
    array('query_string'=>'string',
          'template_demo'=>'string',
          'refine'=>'integer',
          'refine_url'=>'string',
          'site'=>'integer',
          'limite'=>'integer',
          'option'=>'string',
          'search'=>'string',
          'lim_start'=>'integer',
          'browse'=>'integer',
          'path'=>'string'
    )
));

echo "<br> after phpdigHttpVars - $test: ".$test."<br>"; //output via GET possible!

phpdigSearch($id_connect, $query_string, $option, $refine,
             $refine_url, $lim_start, $limite, $browse,
             $site, $path, $relative_script_path, $template);

I'm using 1.6.x. Why is the Array for phpdigHttpVars necessary? It even seems to make $test global, although it isn't in the Array... I'm a bit confused...

Charter
12-14-2003, 05:05 PM
// extract _POST or _GET variables from a list varname => vartype
// Useful for error_reporting E_ALL too, init variables
// usage in script : extract(phpdigHttpVars(array('foobar'=>'string')));
function phpdigHttpVars($varray=array()) {
    // request type is one of the following
    $parse_orders = array('_POST','_GET','HTTP_POST_VARS','HTTP_GET_VARS');
    // initialize variable
    $httpvars = array();
    // extract the right array
    if (is_array($varray)) {
        foreach($parse_orders as $globname) { // iterate over $parse_orders array
            // depending on location $$globname is $_POST, $_GET, $HTTP_POST_VARS, or $HTTP_GET_VARS
            global $$globname; // do global to ensure access to all $parse_orders array elements
            // if count($httpvars)=0, isset($_*), and is_array($_*) then set $httpvars = $_* array
            if (!count($httpvars) && isset($$globname) && is_array($$globname)) {
                // $httpvars is only one of $_POST, $_GET, $HTTP_POST_VARS, or $HTTP_GET_VARS
                $httpvars = $$globname; // httpvars = $_*;
            }
        }
        // extract or create requested vars
        foreach($varray as $varname => $vartype) { // iterate over $varray array
            if (in_array($vartype,array('integer','bool','double','float','string','array' )) ) {
                if (!isset($httpvars[$varname])) {
                    if (!isset($GLOBALS[$varname])) {
                        // if there is no $_*['varname'] and no $GLOBALS['varname'] set to false value
                        $httpvars[$varname] = false;
                    }
                    else {
                        // if there is no $_*['varname'] but there is $GLOBALS['varname'] set to global value
                        $httpvars[$varname] = $GLOBALS[$varname];
                    }
                }
                settype($httpvars[$varname],$vartype); // set type
            }
        }
        return $httpvars; // return associative $_* array
        // e.g., $httpvars = array('one' => $_POST['one'], 'two' => $_POST['two'], 'three' => $GLOBALS['three']);
    }
}
// The extract(phpdigHttpVars(...)); treats keys as variable names and values as
// variable values, so it is the extract(phpdigHttpVars(...)); that is circumventing
// the deactivation of register_globals.

chris2000
12-15-2003, 03:47 AM
Originally posted by Charter

// The extract(phpdigHttpVars(...)); treats keys as variable names and values as
// variable values, so it is the extract(phpdigHttpVars(...)); that is circumventing
// the deactivation of register_globals.


Ok, thanks for your detailed explanations! I didn't know the extract function. :)

I'll go on reading the code, and if I've further questions, I'll ask here again ;) .

chris2000
12-15-2003, 09:55 AM
Originally posted by Charter
// The extract(phpdigHttpVars(...)); treats keys as variable names and values as
// variable values, so it is the extract(phpdigHttpVars(...)); that is circumventing
// the deactivation of register_globals.


Hmm, what I still don't understand is why I could change my variable $test via GET, although register_globals is deactivated and $test isn't part of the Array (see my code above).

Charter
12-16-2003, 09:25 AM
Hi. When I test your code using ...search.php?test=test I receive the following output.

in the beginning: test

after phpdigHttpVars - test: test

chris2000
12-16-2003, 12:28 PM
Hi charter,

okay, then you have register_globals enabled. I have disabled it on my computer.

I've also accessed index.php?test=test. Then the output-line in the beginning of the script is empty (that's okay, because register_globals is disabled).

BUT the second line is "after phpdigHttpVars - test: test". Why that? Although $test isn't part of the array it's made global. That's what I didn't understand. Sorry, my comments in the code in my first posting were imprecise.

I want to read the rest of the code of the search itself (the admin and spidering is not so interesting), but the search should also work with disabled register_globals. I think that's better for security reasons. (Okay, maybe I'm a bit paranoid.)

Bye,
Chris

Charter
12-16-2003, 12:47 PM
Hi. It's because of the following code found in the phpdigHttpVars function.

if (!isset($httpvars[$varname])) {
    if (!isset($GLOBALS[$varname])) {
        // if there is no $_*['varname'] and no $GLOBALS['varname'] set to false value
        $httpvars[$varname] = false;
    }
    else {
        // if there is no $_*['varname'] but there is $GLOBALS['varname'] set to global value
        $httpvars[$varname] = $GLOBALS[$varname];
    }
}

When you pass search.php?test=test to the script, $GLOBALS['test'] is set.

chris2000
12-16-2003, 01:37 PM
Thanks a lot. I understood.
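
Added example, not part of the thread or of PhpDig's code: in the function as posted, the line `$httpvars = $$globname;` copies the whole request array and that same array is returned, so extract() also creates variables for parameters that are not in the declared list, such as test. The sketch below models that with the request passed in as a parameter (so it runs from the PHP CLI) and compares it with a variant that returns only declared keys. The function names httpVarsAsPosted, httpVarsDeclaredOnly and importsTest are hypothetical, the request is constructed, and the $GLOBALS fallback and the type-name check of the original are left out of the first function.

```php
<?php
// Simplified model of the posted function: start from the WHOLE request
// array, then add or type-cast the declared keys on top of it.
function httpVarsAsPosted(array $request, array $varray): array {
    $httpvars = $request;                 // undeclared keys such as 'test' stay in
    foreach ($varray as $varname => $vartype) {
        if (!isset($httpvars[$varname])) {
            $httpvars[$varname] = false;  // declared but absent: initialise
        }
        settype($httpvars[$varname], $vartype);
    }
    return $httpvars;
}

// Allow-list variant (assumption, not PhpDig code): build a fresh array that
// contains the declared keys and nothing else.
function httpVarsDeclaredOnly(array $request, array $varray): array {
    $types = array('integer', 'bool', 'double', 'float', 'string', 'array');
    $out = array();
    foreach ($varray as $varname => $vartype) {
        if (!in_array($vartype, $types, true)) {
            continue;                     // unknown type name: skip the key
        }
        $value = isset($request[$varname]) ? $request[$varname] : false;
        settype($value, $vartype);
        $out[$varname] = $value;
    }
    return $out;
}

// Reports whether extract() on the given array creates a variable $test.
function importsTest(array $vars): bool {
    extract($vars);
    return isset($test);
}

// Constructed request, equivalent to index.php?query_string=foo&test=test
$request  = array('query_string' => 'foo', 'test' => 'test');
$declared = array('query_string' => 'string', 'refine' => 'integer');

var_dump(importsTest(httpVarsAsPosted($request, $declared)));
var_dump(importsTest(httpVarsDeclaredOnly($request, $declared)));
```

With the constructed request, the first call reports that extract() created $test and the second reports that it did not.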