PhpDig.net


chris2000 12-14-2003 09:26 AM

phpdigHttpVars - register_globals
 
What is phpdigHttpVars exactly doing?

Am I right, that it is circumventing the deactivation of register_globals?

This is index.php:
PHP Code:

echo "in the beginning: ".$test."<br>"; // no output via GET possible

$relative_script_path = '.';

include "$relative_script_path/includes/config.php";
include "$relative_script_path/admin/debug_functions.php";
include "$relative_script_path/libs/search_function.php";

// extract vars
extract(phpdigHttpVars(
     array('query_string'=>'string',
           'template_demo'=>'string',
           'refine'=>'integer',
           'refine_url'=>'string',
           'site'=>'integer',
           'limite'=>'integer',
           'option'=>'string',
           'search'=>'string',
           'lim_start'=>'integer',
           'browse'=>'integer',
           'path'=>'string'
           )
     ));

echo "<br> after phpdigHttpVars - $test: ".$test."<br>"; // output via GET possible!

phpdigSearch($id_connect, $query_string, $option, $refine,
             $refine_url, $lim_start, $limite, $browse,
             $site, $path, $relative_script_path, $template);

I'm using 1.6.x. Why is the Array for phpdighttpvars necessary? It even seems to make $test global, although it isn't in the Array... I'm a bit confused...

Charter 12-14-2003 04:05 PM

PHP Code:

// extract _POST or _GET variables from a list varname => vartype
// Useful for error_reporting E_ALL too, init variables
// usage in script : extract(phpdigHttpVars(array('foobar'=>'string')));
function phpdigHttpVars($varray=array()) {
// request type is one of the following
$parse_orders = array('_POST','_GET','HTTP_POST_VARS','HTTP_GET_VARS');
// initialize variable
$httpvars = array();
// extract the right array
if (is_array($varray)) {
    foreach($parse_orders as $globname) { // iterate over $parse_orders array
          // depending on location $$globname is $_POST, $_GET, $_HTTP_POST_VARS, or $_HTTP_GET_VARS
          global $$globname; // do global to ensure access to all $parse_orders array elements
          // if count($httpvars)=0, isset($_*), and is_array($_*) then set $httpvars = $_* array
          if (!count($httpvars) && isset($$globname) && is_array($$globname)) {
              // $httpvars is only one of $_POST, $_GET, $_HTTP_POST_VARS, or $_HTTP_GET_VARS
              $httpvars = $$globname; // httpvars = $_*;
          }
    }
    // extract or create requested vars
    foreach($varray as $varname => $vartype) { // iterate over $varray array
       if (in_array($vartype,array('integer','bool','double','float','string','array')) ) {
         if (!isset($httpvars[$varname])) {
            if (!isset($GLOBALS[$varname])) {
                 // if there is no $_*['varname'] and no $GLOBALS['varname'] set to false value
                 $httpvars[$varname] = false;
            }
            else {
                 // if there is no $_*['varname'] but there is $GLOBALS['varname'] set to global value
                 $httpvars[$varname] = $GLOBALS[$varname];
            }
         }
         settype($httpvars[$varname],$vartype); // set type
       }
    }
return $httpvars; // return associative $_* array
// e.g., $httpvars = array('one' => $_POST['one'], 'two' => $_POST['two'], 'three' => $GLOBALS['three']);
}
}
// The extract(phpdigHttpVars(...)); treats keys as variable names and values as
// variable values, so it is the extract(phpdigHttpVars(...)); that it is circumventing
// the deactivation of register_globals.


chris2000 12-15-2003 02:47 AM

Quote:

Originally posted by Charter
PHP Code:

// The extract(phpdigHttpVars(...)); treats keys as variable names and values as
// variable values, so it is the extract(phpdigHttpVars(...)); that it is circumventing
// the deactivation of register_globals. 


Ok, thanks :yes: for your detailed explanations! I didn't know the extract-function. :)

I'll go on reading the code, and if I've further questions, I'll ask here again ;) .

chris2000 12-15-2003 08:55 AM

Quote:

Originally posted by Charter
PHP Code:

// The extract(phpdigHttpVars(...)); treats keys as variable names and values as
// variable values, so it is the extract(phpdigHttpVars(...)); that it is circumventing
// the deactivation of register_globals. 


Hmm, what I still don't understand is why I could change my variable $test via GET, although register_globals is deactivated and $test isn't part of the Array (see my code above).

Charter 12-16-2003 08:25 AM

Hi. When I test your code using ...search.php?test=test I receive the following output.

in the beginning: test

after phpdigHttpVars - test: test

chris2000 12-16-2003 11:28 AM

Hi charter,

okay, then you have register_globals enabled. I have disabled it on my computer.

I've also accessed index.php?test=test. Then the output-line in the beginning of the script is empty (that's okay, because register_globals is disabled).

BUT the second line is "after phpdigHttpVars - test: test". Why that? Although $test isn't part of the array it's made global. That's what I didn't understand. Sorry, my comments in the code in my first posting were imprecise.

I want to read the rest of the code of the search itself (the admin and spidering is not so interesting), but the search should also work with disabled register_globals. I think that's better for security-reasons. (Okay, maybe I'm a bit paranoid :rolleyes: ).

Bye,
Chris

Charter 12-16-2003 11:47 AM

Hi. It's because of the following code found in the phpdigHttpVars function.
PHP Code:

         if (!isset($httpvars[$varname])) {
            if (!isset($GLOBALS[$varname])) {
                 // if there is no $_*['varname'] and no $GLOBALS['varname'] set to false value
                 $httpvars[$varname] = false;
            }
            else {
                 // if there is no $_*['varname'] but there is $GLOBALS['varname'] set to global value
                 $httpvars[$varname] = $GLOBALS[$varname];
            }
         }

When you pass search.php?test=test to the script, $GLOBALS['test'] is set.

chris2000 12-16-2003 12:37 PM

Thanks a lot. I understood.
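
An added illustration of the behaviour discussed in this thread (not PhpDig code and not written by either poster): the posted `phpdigHttpVars()` assigns the whole request array to `$httpvars` before it handles the declared names, so the array handed to `extract()` still carries request keys that were never declared. The block shows that the undeclared `test` key reaches `extract()` in that form and not in a declared-only variant. The function names `httpVarsAsPosted`, `httpVarsDeclaredOnly` and `testAfterExtract` are hypothetical, `$request` stands in for `$_GET`, and its values are constructed.

```php
<?php
// Added illustration, not PhpDig code. $request stands in for $_GET with
// register_globals off; its values are constructed.

// Mirrors the merge order of the posted phpdigHttpVars(): start from the
// whole request array, then add and cast the declared names.
function httpVarsAsPosted(array $declared, array $request): array {
    $httpvars = $request;                  // undeclared keys are copied too
    foreach ($declared as $name => $type) {
        if (!isset($httpvars[$name])) {
            $httpvars[$name] = $GLOBALS[$name] ?? false;
        }
        settype($httpvars[$name], $type);
    }
    return $httpvars;
}

// Hypothetical stricter variant: only declared names reach the caller.
function httpVarsDeclaredOnly(array $declared, array $request): array {
    $types = ['integer', 'bool', 'double', 'float', 'string', 'array'];
    $out = [];
    foreach ($declared as $name => $type) {
        if (!in_array($type, $types, true)) {
            continue;                      // unknown type: skip the name
        }
        $value = $request[$name] ?? false;
        settype($value, $type);
        $out[$name] = $value;
    }
    return $out;
}

// Runs extract() in a fresh scope and reports whether $test came into being.
function testAfterExtract(array $vars) {
    extract($vars);
    return isset($test) ? $test : null;
}

$declared = ['query_string' => 'string', 'limite' => 'integer'];
$request  = ['query_string' => 'php', 'test' => 'test'];   // ?query_string=php&test=test

var_dump(testAfterExtract(httpVarsAsPosted($declared, $request)));
var_dump(testAfterExtract(httpVarsDeclaredOnly($declared, $request)));
```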


All times are GMT -8.
