PhpDig.net - How-to Forum
12-14-2003, 09:26 AM   #1
chris2000, Green Mole (Join Date: Dec 2003; Location: Germany, BaWue; Posts: 6)
phpdigHttpVars - register_globals

What exactly is phpdigHttpVars doing?

Am I right, that it is circumventing the deactivation of register_globals?

This is index.php:
PHP Code:
echo "in the beginning: ".$test."<br>"; // no output via GET possible

$relative_script_path = '.';

include "$relative_script_path/includes/config.php";
include "$relative_script_path/admin/debug_functions.php";
include "$relative_script_path/libs/search_function.php";

// extract vars
extract(phpdigHttpVars(
    array(
        'query_string'  => 'string',
        'template_demo' => 'string',
        'refine'        => 'integer',
        'refine_url'    => 'string',
        'site'          => 'integer',
        'limite'        => 'integer',
        'option'        => 'string',
        'search'        => 'string',
        'lim_start'     => 'integer',
        'browse'        => 'integer',
        'path'          => 'string'
    )
));

echo "<br> after phpdigHttpVars - $test: ".$test."<br>"; // output via GET possible!

phpdigSearch($id_connect, $query_string, $option, $refine,
             $refine_url, $lim_start, $limite, $browse,
             $site, $path, $relative_script_path, $template);
I'm using 1.6.x. Why is the array for phpdigHttpVars necessary? It even seems to make $test global, although it isn't in the array... I'm a bit confused...
__________________
Linux - where do you want to go tomorrow?

12-14-2003, 04:05 PM   #2
Charter, Head Mole (Join Date: May 2003; Posts: 2,539)
PHP Code:
// extract _POST or _GET variables from a list varname => vartype
// Useful for error_reporting E_ALL too, init variables
// usage in script : extract(phpdigHttpVars(array('foobar'=>'string')));
function phpdigHttpVars($varray=array()) {
    // request type is one of the following
    $parse_orders = array('_POST','_GET','HTTP_POST_VARS','HTTP_GET_VARS');
    // initialize variable
    $httpvars = array();
    // extract the right array
    if (is_array($varray)) {
        foreach($parse_orders as $globname) { // iterate over $parse_orders array
            // depending on location $$globname is $_POST, $_GET, $HTTP_POST_VARS, or $HTTP_GET_VARS
            global $$globname; // do global to ensure access to all $parse_orders array elements
            // if count($httpvars)=0, isset($_*), and is_array($_*) then set $httpvars = $_* array
            if (!count($httpvars) && isset($$globname) && is_array($$globname)) {
                // $httpvars is only one of $_POST, $_GET, $HTTP_POST_VARS, or $HTTP_GET_VARS
                $httpvars = $$globname; // httpvars = $_*;
            }
        }
        // extract or create requested vars
        foreach($varray as $varname => $vartype) { // iterate over $varray array
            if (in_array($vartype,array('integer','bool','double','float','string','array'))) {
                if (!isset($httpvars[$varname])) {
                    if (!isset($GLOBALS[$varname])) {
                        // if there is no $_*['varname'] and no $GLOBALS['varname'] set to false value
                        $httpvars[$varname] = false;
                    }
                    else {
                        // if there is no $_*['varname'] but there is $GLOBALS['varname'] set to global value
                        $httpvars[$varname] = $GLOBALS[$varname];
                    }
                }
                settype($httpvars[$varname],$vartype); // set type
            }
        }
        return $httpvars; // return associative $_* array
        // e.g., $httpvars = array('one' => $_POST['one'], 'two' => $_POST['two'], 'three' => $GLOBALS['three']);
    }
}
// The extract(phpdigHttpVars(...)); treats keys as variable names and values as
// variable values, so it is the extract(phpdigHttpVars(...)); that is circumventing
// the deactivation of register_globals.
__________________
Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.
12-15-2003, 02:47 AM   #3
chris2000
Quote (originally posted by Charter):
PHP Code:
// The extract(phpdigHttpVars(...)); treats keys as variable names and values as
// variable values, so it is the extract(phpdigHttpVars(...)); that is circumventing
// the deactivation of register_globals.
Ok, thanks for your detailed explanations! I didn't know the extract function.

I'll go on reading the code, and if I have further questions, I'll ask here again.
12-15-2003, 08:55 AM   #4
chris2000
Quote (originally posted by Charter):
PHP Code:
// The extract(phpdigHttpVars(...)); treats keys as variable names and values as
// variable values, so it is the extract(phpdigHttpVars(...)); that is circumventing
// the deactivation of register_globals.
Hmm, what I still don't understand is why I could change my variable $test via GET, although register_globals is deactivated and $test isn't part of the array (see my code above).
12-16-2003, 08:25 AM   #5
Charter
Hi. When I test your code using ...search.php?test=test I receive the following output.

in the beginning: test

after phpdigHttpVars - test: test
12-16-2003, 11:28 AM   #6
chris2000
Hi Charter,

okay, then you have register_globals enabled. I have disabled it on my computer.

I've also accessed index.php?test=test. Then the output line at the beginning of the script is empty (that's okay, because register_globals is disabled).

BUT the second line is "after phpdigHttpVars - test: test". Why that? Although $test isn't part of the array, it's made global. That's what I didn't understand. Sorry, my comments in the code in my first posting were imprecise.

I want to read the rest of the code of the search itself (the admin and spidering is not so interesting), but the search should also work with disabled register_globals. I think that's better for security reasons. (Okay, maybe I'm a bit paranoid.)

Bye,
Chris
12-16-2003, 11:47 AM   #7
Charter
Hi. It's because of the following code found in the phpdigHttpVars function.
PHP Code:
if (!isset($httpvars[$varname])) {
    if (!isset($GLOBALS[$varname])) {
        // if there is no $_*['varname'] and no $GLOBALS['varname'] set to false value
        $httpvars[$varname] = false;
    }
    else {
        // if there is no $_*['varname'] but there is $GLOBALS['varname'] set to global value
        $httpvars[$varname] = $GLOBALS[$varname];
    }
}
When you pass search.php?test=test to the script, $GLOBALS['test'] is set.
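An added example, not PhpDig's code and not from either poster, that serves the function shown in post #2 and the fallback quoted in post #7: as posted, phpdigHttpVars() starts $httpvars as a copy of the whole $_POST or $_GET array and only adds listed keys that are missing, so extract() creates a variable for every request parameter, which is what register_globals used to do. loose_http_vars() is a compact stand-in that keeps that behaviour (GET only, no HTTP_*_VARS) so the effect is visible; strict_http_vars() is a hardened variant that copies only the listed keys, drops the $GLOBALS fallback, and is read as an array instead of being extract()ed. The function names and the request are constructed.

```php
<?php
// Stand-in for the posted phpdigHttpVars(): the returned array is the entire
// request array plus any listed key that was missing (falling back to $GLOBALS).
function loose_http_vars(array $wanted) {
    $httpvars = $_GET;                 // whole request, not just the listed keys
    foreach ($wanted as $name => $type) {
        if (!isset($httpvars[$name])) {
            $httpvars[$name] = isset($GLOBALS[$name]) ? $GLOBALS[$name] : false;
        }
        settype($httpvars[$name], $type);
    }
    return $httpvars;
}

// Hardened variant: only listed keys, only allowed types, no $GLOBALS fallback.
function strict_http_vars(array $wanted) {
    $allowed = array('integer', 'bool', 'double', 'float', 'string', 'array');
    $out = array();
    foreach ($wanted as $name => $type) {
        if (!in_array($type, $allowed, true)) {
            continue;                  // unknown type: the key is ignored entirely
        }
        $out[$name] = array_key_exists($name, $_GET) ? $_GET[$name] : false;
        settype($out[$name], $type);
    }
    return $out;
}

// Constructed request, register_globals off: index.php?test=test&limite=7abc
$_GET   = array('test' => 'test', 'limite' => '7abc');
$wanted = array('limite' => 'integer', 'site' => 'integer');
$test   = '';                          // a local the script relies on

// Loose path: extract() turns every request key into a variable.
extract(loose_http_vars($wanted));
assert($test === 'test');              // never listed, yet it overwrote the local
assert($limite === 7);                 // settype() keeps the leading digits
assert($site === 0);                   // absent parameter: false cast to integer

// Strict path: read the array, leave the script's own variables alone.
$test = '';
$vars = strict_http_vars($wanted);
assert(!array_key_exists('test', $vars));
assert($test === '');                  // nothing was extract()ed into scope
assert($vars['limite'] === 7);
```

Run with zend.assertions=1 (the php.ini default for development) so a failing assert() throws instead of being compiled out.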
12-16-2003, 12:37 PM   #8
chris2000
Thanks a lot. I understood.