I got a piece of code:
$_SESSION['cms_lang'] = 2;
global $cms_lang;
$cms_lang[1] = 'en';
Error:
Cannot use a scalar value as an array
Problem is that, I really don't know why server sees my global variable as the same as $_SESSION variable. I used this piece of code a couple of times and never had problem with that. I guess it must depends of settings on server. Can anyone know how to force server to not take global and session variables with the same name as the same?
You may read up on the PHP configuration setting register_globals which enables this behavior.
Also, read about why you should disable it (and generally, upgrade your PHP version!)
Related
Can someone give some examples of what register_globals are?
And is global $user_id; considered a register global?
The register_globals directive:
register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. If you submit a value in a form, via POST or GET, the value of that input will automatically be accessible via variable in the PHP script, named after the name of the input field.
In other words, if you submitted a form containing a username text field, the expression ($username === $_POST['username']) at the very beginning of the script would return true.
Its notoriety is attributed to the fact that it opens lots of security holes, especially for people that follow anything less than a strict coding style from a security perspective.
Classic example:
if(user_is_admin($user))
{
$authorized = true;
}
if($authorized)
{
// let them do anything they want
}
Now, if you visited that script in a web browser and the server had register_globals on, you could simply append ?authorized=1 to the URL and god-mode would be enabled!
The global keyword:
global is a keyword has little to do with register_globals.
Here is an example of its use:
$foo = 'bar';
baz();
function baz()
{
echo $foo; // PHP warns you about trying to use an uninitialized variable
// and nothing is output (because $foo doesn't exist here)
}
buzz();
function buzz()
{
global $foo; // Enables the use of $foo in this scope
echo $foo; // Prints 'bar' to screen
}
Everyone mentioning GET, POST, REQUEST, COOKIE has effect on register_globals=on.
I'm just writing this to let you know that -
$_SESSION will be affected aswell because of register_globals=on.
http://php.net/manual/en/security.globals.php
That means - if you do as following -
$_SESSION[x] = 123;
$x = 'asd';
echo $_SESSION[x];
The output will be asd.
And this will cause serious security issues and bugs. I have experienced such a bad thing recently during using Hostgator shared hosting. By Default they have register_globals=on.
When you have register_globals=on, anything passed via GET or POST or COOKIE automatically appears to be global variable in code, this might have security consequences.
I.e. you click on url test.php?access_level=100 and you'll have $access_level = 100 in PHP.
When you do global $somevar - you are making your own global variable, which usually is not a big issue.
The register_globals setting controls how you access form, server, and environment. variables.
register_globals=On :
You can access form attribute without Global Arrays ( GET[], POST[] & REQUEST[] )
example: http://www.example.com/one.php?myinput=abc
You can access directly in one.php
echo $myinput; // abc
register_globals=Off :
You have to access all attributes only by Global Arrays.
example: http://www.example.com/one.php?myinput=abc
You have to access in one.php
echo $_GET['myinput']; //abc
As I understand it, if you have register globals turned ON, then anything passed in a GET or POST gets automatically translated into a variable in PHP.
for example:
http://www.domain.com/vars.php?myvar=123
without any further coding this would automatically get turned into a variable available to the rest of your php code
$myvar //with a value of 123
With registered globals OFF, data passed in via GET or POST is NOT automatically translated into a variable, rather, you need to request it using the Superglobals $_GET, $_POST, and $_REQUEST, etc.
http://php.net/manual/en/security.globals.php provides some further information as to the security implications of this.
Others can feel free to correct me if I'm wrong.
edit:
in relation to your question re global $user_id;, this does not create a 'global' in the sense of 'register_globals'. It simply alters the scope of a variable within the PHP code.
For information re scope, see: http://php.net/manual/en/language.variables.scope.php
Global variables in php are variables that are always accessible. They are also known as superglobals. They are built in variables that are always available regardless of the scope.
There are nine superglobal variables in PHP. Some of these are relevant to this discussion.
$_REQUEST
$_POST
$_GET
$_COOKIE
Now, let's focus on the $_REQUEST superglobal. It is used to collect data after submitting an HTML form by user using the POST method.
$_POST and $_REQUEST could be used loosely interchangeably. But $_REQUEST also contains $_GET and $_COOKIE along with $_POST so you are never sure if your data came from a web form.
Now, as pointed out by #Tim register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. It is also known as a flag in your php setting. It is typically set in the PHP configuration file known as php.ini file. This setting can have two values.
“on”
“off”.
An “on” value means that PHP will automatically create global variables for many server variables as well as query string parameters. This is not good and is a security risk.
Register Globals :
register_globals
The feature causes data passed to a PHP script via cookies or GET and POST requests to be made available as global variables in the script.
Default Value : "0"
Changeable : PHP_INI_PERDIR
register_globals is affected by the variables_order directive.
NOTE:
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
register_globals is one of the parameters of php.ini file.The file was coming from "On" mode before PHP 5.3.8 version.If you change register_globals from Off to On, there would be some criticals about vulnerability of website.Register_globals's feature is that you can use variables without $_GET and $_POST variables.So, Any data which comes from form or URL line you can use the variable not need like $_GET or $_POST variables.Example we have this form :
<?php
if(isset($_POST["myinput"])){
echo $_POST["username"];
}?>
<form action="" method="post">
<input type="text" name="username">
<input type="hidden" name="myinput">
<input type="submit" value="Submit">
</form>
When you submitted the form you can see your username but when you change the situation of register_globals to "On" you have not written $_POST["username"]; you can access directly to the username variable by writing this code echo $username
I would like to prevent php scripts from being able to modify the contents of the $_SERVER global.
Specifically I don't want to allow
unset $_SERVER['foo'];
but it would be nice to forbid any modification, e.g. a module or php.ini declaration.
Is there one?
If you're in control of the root level script you could just copy it:
$_my_server = $_SERVER;
I think it would be helpful to know your reason for this; the $_SERVER variable shouldn't be modified by included scripts, because there's rarely a reason for someone to need to modify it. It's generated at run-time so any changes aren't persisted to subsequent runs of the script.
Also your extra point about php.ini declarations is a bit more confusing - the point of many componentes of $_SERVER is to inform scripts about those declarations, so having it send fake data would seem a very odd use case and maybe not possible.
Not as far as i'm aware.
If you are relying on the contents of $_SERVER throughout you code, and dont want other code (plugin?) to modify it, your best option is to make a copy during the bootstrap stage of your application, then use that copy throughout your code:
$serverDetails = $_SERVER;
$foo = $serverDetails['foo'];
<?php
echo "test";
echo $city;
?>
This keeps echoing out the city from the url even though there is no other code
on the page.
I am assuming this is a global variable...
<?php
unset($GLOBALS[_SERVER]);
echo $city;
?>
I have started and destroyed a session to make sure is is not in a session.
If I change the variable it will not echo out.
If I change the url ?city=Boston to ?city=Chicago then it updates.
$city = $_GET["city"]; does not exist on the page...the rest of the page is empty.
The behavior that you're describing sounds like the PHP register_globals configuration option is enabled. This option causes all GET and POST variables (as well as optionally cookies) to be created as global variables during script startup. This is a huge security issue, and as such has defaulted to being off since PHP 4.2.0 (released April 2002), and cannot be enabled at all in PHP 5.4 and later (released March 2012). The fact that it's on for your system is troubling, as it indicates that you are running PHP 5.3 or earlier, which is no longer receiving security patches!
To disable it, upgrade PHP to a supported version.
If this is not possible, edit your PHP configuration file, find the line where register_globals = On (or = 1) is being set, and remove it. This option has not been recommended for well over a decade; it should not be enabled.
(There is no safe way to disable register_globals at runtime. Disabling it using ini_set() doesn't work, as it takes effect before the script starts, and there is no way to safely remove all of the variables it creates, as it's sometimes possible for these variables to overwrite system globals. The only safe approach is to turn it off entirely.)
Most likely reason for $city already having a value is register_globals setting being ON. What it means that every GET, POST and some other variables are registered as global variables in your script. For example, if you open your script like script.php?city=New+York, you will have a variable $city defined in your code with value "New York".
If you don't want that behavior, you need to disable register_globals in your php.ini.
Read more about register_globals here http://php.net/manual/en/security.globals.php
session_start();
$_SESSION["somevariable"] = "blablabla";
print $_SESSION["somevariable"]."<br>";
$somevariable = "some bug";
print $_SESSION["somevariable"]."<br>";
output:
blablabla
some bug
I creata some session variable ($_session["data"]) and then i create some tipical variable ($data) then $_session variable are overwrite.
Our server php version is 5.2.5,Zend Engine v2.2.0
Sorry for my english, thanks for help
You have register globals turned on. This causes the declaration of $somevariable to overwrite the $_SESSION['somevariable'] since they point to the same place.
You should turn this off as it is deprecated and can cause issues like you are experiencing.
About superglobals. Exactly this line:
If the deprecated register_globals directive is set to on then the variables
within will also be made available in the global scope of the script.
For example, $_POST['foo'] would also exist as $foo.
check on here codeviper
You can change or update session value anytime like normal variable value change but in this case you can not because its prevent you result is override. the reason behind Global php variable securrity ON`.
e.g. $_SESSION['item'] is the same as $item
You can set on modify php.ini file:
session.bug_compat_42 = On
modify to:
session.bug_compat_42 = Off
Hope this help you!
you are over writing the data to the variable,session will remain untill constant in a page untill it is over writted forcefully by something.
Can someone give some examples of what register_globals are?
And is global $user_id; considered a register global?
The register_globals directive:
register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. If you submit a value in a form, via POST or GET, the value of that input will automatically be accessible via variable in the PHP script, named after the name of the input field.
In other words, if you submitted a form containing a username text field, the expression ($username === $_POST['username']) at the very beginning of the script would return true.
Its notoriety is attributed to the fact that it opens lots of security holes, especially for people that follow anything less than a strict coding style from a security perspective.
Classic example:
if(user_is_admin($user))
{
$authorized = true;
}
if($authorized)
{
// let them do anything they want
}
Now, if you visited that script in a web browser and the server had register_globals on, you could simply append ?authorized=1 to the URL and god-mode would be enabled!
The global keyword:
global is a keyword has little to do with register_globals.
Here is an example of its use:
$foo = 'bar';
baz();
function baz()
{
echo $foo; // PHP warns you about trying to use an uninitialized variable
// and nothing is output (because $foo doesn't exist here)
}
buzz();
function buzz()
{
global $foo; // Enables the use of $foo in this scope
echo $foo; // Prints 'bar' to screen
}
Everyone mentioning GET, POST, REQUEST, COOKIE has effect on register_globals=on.
I'm just writing this to let you know that -
$_SESSION will be affected aswell because of register_globals=on.
http://php.net/manual/en/security.globals.php
That means - if you do as following -
$_SESSION[x] = 123;
$x = 'asd';
echo $_SESSION[x];
The output will be asd.
And this will cause serious security issues and bugs. I have experienced such a bad thing recently during using Hostgator shared hosting. By Default they have register_globals=on.
When you have register_globals=on, anything passed via GET or POST or COOKIE automatically appears to be global variable in code, this might have security consequences.
I.e. you click on url test.php?access_level=100 and you'll have $access_level = 100 in PHP.
When you do global $somevar - you are making your own global variable, which usually is not a big issue.
The register_globals setting controls how you access form, server, and environment. variables.
register_globals=On :
You can access form attribute without Global Arrays ( GET[], POST[] & REQUEST[] )
example: http://www.example.com/one.php?myinput=abc
You can access directly in one.php
echo $myinput; // abc
register_globals=Off :
You have to access all attributes only by Global Arrays.
example: http://www.example.com/one.php?myinput=abc
You have to access in one.php
echo $_GET['myinput']; //abc
As I understand it, if you have register globals turned ON, then anything passed in a GET or POST gets automatically translated into a variable in PHP.
for example:
http://www.domain.com/vars.php?myvar=123
without any further coding this would automatically get turned into a variable available to the rest of your php code
$myvar //with a value of 123
With registered globals OFF, data passed in via GET or POST is NOT automatically translated into a variable, rather, you need to request it using the Superglobals $_GET, $_POST, and $_REQUEST, etc.
http://php.net/manual/en/security.globals.php provides some further information as to the security implications of this.
Others can feel free to correct me if I'm wrong.
edit:
in relation to your question re global $user_id;, this does not create a 'global' in the sense of 'register_globals'. It simply alters the scope of a variable within the PHP code.
For information re scope, see: http://php.net/manual/en/language.variables.scope.php
Global variables in php are variables that are always accessible. They are also known as superglobals. They are built in variables that are always available regardless of the scope.
There are nine superglobal variables in PHP. Some of these are relevant to this discussion.
$_REQUEST
$_POST
$_GET
$_COOKIE
Now, let's focus on the $_REQUEST superglobal. It is used to collect data after submitting an HTML form by user using the POST method.
$_POST and $_REQUEST could be used loosely interchangeably. But $_REQUEST also contains $_GET and $_COOKIE along with $_POST so you are never sure if your data came from a web form.
Now, as pointed out by #Tim register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. It is also known as a flag in your php setting. It is typically set in the PHP configuration file known as php.ini file. This setting can have two values.
“on”
“off”.
An “on” value means that PHP will automatically create global variables for many server variables as well as query string parameters. This is not good and is a security risk.
Register Globals :
register_globals
The feature causes data passed to a PHP script via cookies or GET and POST requests to be made available as global variables in the script.
Default Value : "0"
Changeable : PHP_INI_PERDIR
register_globals is affected by the variables_order directive.
NOTE:
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
register_globals is one of the parameters of php.ini file.The file was coming from "On" mode before PHP 5.3.8 version.If you change register_globals from Off to On, there would be some criticals about vulnerability of website.Register_globals's feature is that you can use variables without $_GET and $_POST variables.So, Any data which comes from form or URL line you can use the variable not need like $_GET or $_POST variables.Example we have this form :
<?php
if(isset($_POST["myinput"])){
echo $_POST["username"];
}?>
<form action="" method="post">
<input type="text" name="username">
<input type="hidden" name="myinput">
<input type="submit" value="Submit">
</form>
When you submitted the form you can see your username but when you change the situation of register_globals to "On" you have not written $_POST["username"]; you can access directly to the username variable by writing this code echo $username