Coding PHP with register

Intended Audience
Introduction
register_globals
How do the variables get to PHP?
    From the URL
    From a Form
    From a Cookie
    From the Environment or the Server
Use the superglobals!
    Why are they called superglobals?
Other Coding Techniques
Ways to Hack
Summary
About The Author

Intended Audience
Prior to PHP 4.2.0, the default value of the PHP configuration parameter register_globals was On, and many PHP programmers took advantage of the ease of use this provided.

This article is intended for PHP programmers who have, in the past, relied on register_globals being On and now wish to change their coding style to match the new default. It will also interest programmers using an ISP-hosted PHP environment where they do not control the settings in the PHP configuration file.

Introduction
I consider the easy learning curve one of PHP's strengths. PHP allows small portions of code to be embedded in an HTML file, so HTML authors can ease into the language. Its syntax is very C-like, which makes the transition easy for programmers who know C. Weak variable typing, the flexibility and power of PHP's many extensions, and the abundant examples and articles on the Internet also contribute to the gentle learning curve.

One recent change in PHP may steepen that curve a little. With the release of PHP 4.2.0, the default value of register_globals is Off. This takes away one of the features that made PHP so easy to learn, and the goal of this article is to show how to work without it.

Why was this done? In a word: security. Your code is inherently more robust when you initialise every variable and know where each variable in your source comes from. Caution must always be taken with input received from a user, and letting the user create arbitrary variables in your code is not good practice. This is perhaps better explained by the PHP developers themselves in http://www.php.net/release_4_1_0.php (see the section titled SECURITY: NEW INPUT MECHANISM) and http://www.php.net/manual/en/security.registerglobals.php.
register_globals
The register_globals parameter is set in your php.ini file; see http://www.php.net/manual/en/configuration.php for more information on the configuration file. The parameter (http://www.php.net/manual/en/configuration.php#ini.register-globals) takes one of two values, On or Off. It is a per-directory setting, so with Apache's PHP module it can also be set in an .htaccess file (php_flag register_globals off) if your host allows it. Prior to PHP 4.2, On was the default; that has now changed (and the setting was removed entirely in PHP 5.4), and adapting your code to the change is the subject of this article.

How do the variables get to PHP?
Experienced PHP programmers who have used URL query parameters, forms and cookies may find this section redundant and wish to go directly to the section on superglobals.

Variables come from many sources. One source is initialising them yourself: $var = 'value';. The following sections describe several other ways to get variables into your script: as part of the URL, from a form, from a cookie, or from the environment the server runs in. These examples are described from the perspective of a server running with register_globals On; later in the article you will learn how and where to get the same values with register_globals Off.

From the URL
One of the most common ways to get information to a script is by passing query parameters. A URL has the following parts (for parsing a URL in PHP, see http://www.php.net/manual/en/function.parse-url.php):

Scheme selects the protocol the client and server use for the request. http and https are the most common, but you might specify another, such as ftp.
User and password for HTTP basic authentication can be embedded in the URL, though anything put there also ends up in browser history and server logs.
Host is the IP address or DNS name of the server referenced by the URL.
Port is the TCP port to use on the server; 80 is standard for HTTP and 443 for HTTPS.
Path is the location and name of the script on the server.
Query is the list of parameters passed in the URL, in the form name=value&name2=value2.
Fragment is the scroll target within the HTML document; the browser keeps it to itself and never sends it to the server.

The portion of the URL we are most interested in here is the query. With register_globals On, a request for script.php with the query var=val&foo=bar would automatically give the script the global variables $var = 'val'; and $foo = 'bar';.

Whenever query parameters are present, PHP also builds a global array called $HTTP_GET_VARS, an associative array of the key => value pairs from the query, regardless of the register_globals setting. From the example above, PHP creates $HTTP_GET_VARS = array('var' => 'val', 'foo' => 'bar');.

Since PHP 4.1.0, a global variable called $_GET contains the same array as $HTTP_GET_VARS. This array is a superglobal and is discussed in greater detail later in this article.
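The parts listed above can be pulled apart in PHP itself. The following is an added example, not code from the original article: the URL is a constructed sample chosen to exercise every part of the anatomy, and it goes a little beyond the article's case by including a repeated parameter (id[]) to show how PHP turns it into a nested array.

```php
<?php
// Added example (not from the original article): take a URL apart with
// parse_url() and parse_str() to see where the query parameters come from.
// The URL below is a constructed sample matching the anatomy listed above.
$url = 'https://user:secret@www.example.com:8443/dir/script.php'
     . '?var=val&foo=bar&id[]=1&id[]=2#top';

$parts = parse_url($url);
// $parts holds one entry per URL part that was present in the string.
foreach (array('scheme', 'user', 'pass', 'host', 'port', 'path', 'query', 'fragment') as $k) {
    printf("%-8s => %s\n", $k, isset($parts[$k]) ? $parts[$k] : '(none)');
}

// Turn the query string into the same associative array PHP builds for $_GET.
// Always pass the second argument: without it, older PHP wrote each parameter
// straight into the calling scope, exactly what register_globals did.
$query = array();
parse_str($parts['query'], $query);
var_dump($query);   // var, foo, and id as a two-element array

// Nothing in $query is trustworthy: the client chose every key and value.
// Pick out what the script expects, with a default and a type, rather than
// looping over whatever arrived.
$var = isset($query['var']) ? $query['var'] : 'default';
$ids = (isset($query['id']) && is_array($query['id']))
     ? array_map('intval', $query['id'])
     : array();
var_dump($var, $ids);
```

parse_url() only splits the string; it does no decoding or validation, so the host and path still need checking against what the script expects before they are used for anything.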

From a Form
Another very common way to get input variables into a script is from a form on a web page. In the example form used here, a text box named foo and a "Send!" button post to script.php.

When a user clicks the "Send!" button, the browser submits the form to script.php with a POST variable named foo holding whatever the user typed into the text box. With register_globals On, script.php would have $foo = 'bar'; available as a global variable by default (if the user typed bar).

Similar to the query parameter example, whenever a browser submits a form to a PHP script, PHP automatically creates $HTTP_POST_VARS as an associative array of key => value pairs for all of the form inputs. The example above results in $HTTP_POST_VARS['foo'] = 'bar';.

With PHP 4.1.0 and later, the variable $_POST contains the same associative array.

From a Cookie
HTTP is stateless: each time a web page is retrieved it is generated using only the information passed in that request. This presented a challenge for early web development, where designers wanted to maintain state throughout an entire interaction with a user, possibly across many page requests on the site. Cookies were developed to carry the information required to maintain that state, both for the duration of the user's current browsing session and longer term, by "dropping" a cookie on the user's hard drive.

If the following code was placed on a script, before any other output was sent, a cookie will be set:

/* Set cookie for 1 day */
setcookie('foo', 'bar', time() + 86400, '', $HTTP_HOST);

Note: Astute observers will notice that the example uses the obsolete global variable $HTTP_HOST. With register_globals Off this must be $_SERVER['HTTP_HOST']. Either way the value is the Host header the client sent, so the domain you put on the cookie comes from the request.

Every later request from that browser to the same host will carry the cookie, and with register_globals On the script receives it as $foo = 'bar';. The cookie is not visible in the request that set it; that request only sends the Set-Cookie header back to the browser.

From the Environment or the Server
The operating system environment and the web server provide many variables that a script can use. One of the most common uses of a server variable is to retrieve the name of the script itself or, as in the example above, the name of the host.

PHP makes these available as the associative arrays $HTTP_ENV_VARS and $HTTP_SERVER_VARS. Since PHP 4.1.0 the same arrays are also defined as $_ENV and $_SERVER.

Use the superglobals!
Now that you understand how these variables reach PHP, and that they are no longer created for you as globals when register_globals is Off, it is time to look at how to adjust your coding style to the new default.

Your first choice is to use the new superglobal arrays; after all, that is what they were added for! This should be your preferred method, especially if you only use the value once in your script (print 'Your IP Address is: ' . $_SERVER['REMOTE_ADDR'];).

If you intend to use a value more than once, assign it to a variable ($mode = $_GET['mode'];) instead of referencing the superglobal each time. Check that the key exists first (isset($_GET['mode'])) or supply a default: reading a key the client did not send raises an undefined-index notice (a warning in PHP 8), and a script that is run with a missing parameter is just as much a request as one with a bogus one.
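As an added example, not from the original article, here is a small login form handler written in the style this section recommends: every value comes from the one superglobal it is expected in, is initialised with a default, and is validated before use. The field names, the check_credentials() function and its constructed user table are assumptions made for the illustration; it needs PHP 5.5 or later for password_hash()/password_verify().

```php
<?php
// Added example (not from the original article): a form handler written for
// register_globals Off. Field names and check_credentials() are assumed.

function handle_login()
{
    // Only act on a real form submission; a GET with ?username=... is ignored.
    $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
    if ($method !== 'POST') {
        return 'not a form submission';
    }

    // Initialise every variable the script uses; nothing is left for the
    // request to "create". A cookie or query parameter named username cannot
    // reach $username, because we only look in $_POST.
    $username = isset($_POST['username']) ? trim($_POST['username']) : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    $remember = isset($_POST['remember']) && $_POST['remember'] === '1';

    if ($username === '' || $password === '') {
        return 'username and password are required';
    }
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username)) {
        return 'invalid username';
    }

    // A value used once is read straight from the superglobal: the client
    // address goes into the log line and nowhere else.
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log(sprintf('login attempt for %s from %s', $username, $client));

    if (!check_credentials($username, $password)) {
        return 'login failed';
    }
    return $remember ? 'logged in (persistent)' : 'logged in';
}

function check_credentials($username, $password)
{
    // Constructed user table for the example; real code would query a store.
    static $users = null;
    if ($users === null) {
        $users = array('alice' => password_hash('correct horse', PASSWORD_DEFAULT));
    }
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Anything echoed back that could have come from the request is escaped.
echo htmlspecialchars(handle_login(), ENT_QUOTES, 'UTF-8');
```

The point of reading $_POST by name rather than pulling in "whatever was sent" is that the handler's behaviour depends only on the fields it declared; a stray cookie or query parameter with the same name changes nothing.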

Why are they called superglobals?
Normally, a variable used inside a function is local in scope to that function. This means that to use the global $HTTP_GET_VARS array inside a function, you first need the statement global $HTTP_GET_VARS; before referencing the array.

Superglobals are an exception to this rule. You may use $_GET, $_POST, $_COOKIE, $_ENV, $_SERVER and $_SESSION inside functions without declaring them global first ($_FILES and $GLOBALS are superglobals as well). There is one more superglobal array, $_REQUEST, which merges the GET, POST and COOKIE variables: basically anything the user could have sent, which is therefore suspect. Since one name can appear in several of those sources, prefer the specific array when you know where a value should come from.

Note: You cannot use a variable variable to access the superglobal arrays inside a function. For example, the following code will not work:

<?php
function foo($var)
{
    $sg = '_GET';
    return ${$sg}[$var]; // ${'_GET'} here is a local variable, not the superglobal
}
?>

The foo() function described above will not return values from the $_GET superglobal array. If you need to pick the array by name at run time, index $GLOBALS instead: $GLOBALS[$sg][$var] works inside a function.

Other Coding Techniques
I found myself wanting to go back to the easy way of having my variables registered for me. Knowing the security risks, I instead wrote some helper functions to ease the transition.

The first function I wrote was register():
<?php
/**
 * Return a value from the global request arrays.
 *
 * @author Jason E. Sweat
 * @since  2002-02-05
 * @param  string $varname the name of the variable to register
 * @param  string $defval  optional: the value to return if not found
 * @return string the value of the variable if registered, else the default
 */
function register($varname, $defval = NULL)
{
    // Checked in the order in which PHP's default variables_order (EGPCS)
    // lets one source override the next: Server, Cookie, Post, Get, Env.
    if (array_key_exists($varname, $_SERVER)) {
        $retval = $_SERVER[$varname];
    } elseif (array_key_exists($varname, $_COOKIE)) {
        $retval = $_COOKIE[$varname];
    } elseif (array_key_exists($varname, $_POST)) {
        $retval = $_POST[$varname];
    } elseif (array_key_exists($varname, $_GET)) {
        $retval = $_GET[$varname];
    } elseif (array_key_exists($varname, $_ENV)) {
        $retval = $_ENV[$varname];
    } else {
        $retval = $defval;
    }

    return $retval;
}
?>

This function lets you "register" the variables you expect to have been passed to the script. I normally use it as $mode = register('mode');. The lookup order follows the default variables_order parameter from php.ini (http://www.php.net/manual/en/configuration.php#ini.variables-order), so it returns the same value PHP would have registered with register_globals On (if you assign it to a variable with the same name you are registering). It also lets you specify a default value to initialise the variable with if the name is not found in any of the superglobal arrays. Note that it reproduces the precedence of register_globals along with the convenience: because the cookie array is checked before POST and GET, a cookie named mode overrides a form field named mode. Where you know which source a value should come from, read that superglobal directly.

This function has one drawback: it always returns a value, so it always initialises the variable to something. In some places in my code I wanted to use isset() to find out whether a value had been passed at all. To accommodate that, I used a different function to register the values.

<?php
/**
 * Set a global variable if the specified GET or POST var exists.
 *
 * @author Jason E. Sweat
 * @since  2002-04-25
 * @param  mixed $test_vars an array of the names of the vars to register;
 *                          a string naming a single var is accepted as well
 *
 * @global the variable, if it is set
 */
function getpost_ifset($test_vars)
{
    if (!is_array($test_vars)) {
        $test_vars = array($test_vars);
    }

    foreach ($test_vars as $test_var) {
        // POST is checked first, so a posted field wins over a query parameter
        // of the same name; names present in neither are left unset.
        if (isset($_POST[$test_var])) {
            global $$test_var;
            $$test_var = $_POST[$test_var];
        } elseif (isset($_GET[$test_var])) {
            global $$test_var;
            $$test_var = $_GET[$test_var];
        }
    }
}
?>

This function accepts an array of variable names to register (or a single name as a string). Any that were passed by GET or POST are set as globals, with POST taking precedence; the rest are left unset, so you can still use isset() to find out which ones were passed. Only the names you list are ever created, which is what keeps this from being register_globals all over again.

This function is particularly handy for writing a form handler script, since you can register a whole set of fields at once (getpost_ifset(array('username', 'password', 'password2'));).
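The register() and getpost_ifset() helpers above are two instances of one operation: look a name up through an ordered list of arrays and take the first hit. The block below is an added example, not the article's code, that writes that general routine and runs it on a constructed request to show what each helper's order means in practice; lookup_in_order() and the request contents are my own.

```php
<?php
// Added example (not from the original article): the general form of the
// register()/getpost_ifset() lookup, and what its precedence means.
// The request contents below are constructed for the demonstration.

/**
 * Look $name up in each array of $sources in turn; the first array that has
 * the key wins. Returns array(label, value) so the caller can see the source.
 */
function lookup_in_order(array $sources, $name, $default = null)
{
    foreach ($sources as $label => $array) {
        if (array_key_exists($name, $array)) {
            return array($label, $array[$name]);
        }
    }
    return array('default', $default);
}

// Simulate a request in which the query string said mode=view, the form
// posted mode=edit, and a stale cookie named mode still says admin.
$_GET    = array('mode' => 'view');
$_POST   = array('mode' => 'edit', 'username' => 'alice');
$_COOKIE = array('mode' => 'admin');

// register() checks Server, Cookie, Post, Get, Env: the later letters of
// variables_order=EGPCS override the earlier ones, as under register_globals.
$like_register_globals = array(
    'server' => $_SERVER,
    'cookie' => $_COOKIE,
    'post'   => $_POST,
    'get'    => $_GET,
    'env'    => $_ENV,
);
list($from, $mode) = lookup_in_order($like_register_globals, 'mode');
printf("register() order:      mode=%s (from %s)\n", $mode, $from);

// getpost_ifset() checks POST then GET, so the form wins over the query
// string and the cookie is never consulted.
list($from, $mode) = lookup_in_order(array('post' => $_POST, 'get' => $_GET), 'mode');
printf("getpost_ifset() order: mode=%s (from %s)\n", $mode, $from);

// Strictest: name the one source a field is allowed to come from, so a value
// smuggled in through another channel cannot change the script's behaviour.
list($from, $mode) = lookup_in_order(array('post' => $_POST), 'mode', 'view');
printf("post only:             mode=%s (from %s)\n", $mode, $from);
```

With this constructed request the register() order returns admin from the stale cookie, while the getpost_ifset() order and the post-only lookup both return edit from the form. Whenever the same lookup serves more than one name, make the order a deliberate choice rather than an accident of variables_order.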

Ways to Hack
I can already hear the excuses: "I don't have enough time", or "The program is third-party code and I do not want to learn and maintain it".

If you must hack your way around the register_globals Off default, read up on the import_request_variables() function (http://www.php.net/manual/en/function.import-request-variables.php; it was removed in PHP 5.4) or review the reader-posted comments on the extract() function (http://www.php.net/manual/en/function.extract.php). Both recreate the old behaviour, so at least give the imported names a prefix: import_request_variables() takes one as its second argument, and the manual warns that omitting it is a security hazard; extract() with the EXTR_PREFIX_ALL flag keeps request data out of your own variable names.
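What the extract() shortcut does to the variables already in a script, as an added example that is not from the original article or the PHP manual: the three functions and the forged request are constructed for the illustration, and the token value is a placeholder. It assumes a PHP whose extract() accepts the EXTR_SKIP and EXTR_PREFIX_ALL flags, which current releases all do.

```php
<?php
// Added example (not from the original article): extract() reproduces the
// hole that register_globals opened; the flags change how much of it remains.

function is_admin_request(array $request)
{
    // The classic register_globals bug: $authorized is only assigned on the
    // success path, so on failure it does not exist and the request can supply it.
    if (isset($request['token']) && $request['token'] === 'constructed-admin-token') {
        $authorized = true;
    }
    // Plain extract() defaults to EXTR_OVERWRITE and also creates variables that
    // do not exist yet, so authorized=1 with no token passes the check.
    extract($request);
    return !empty($authorized);
}

function is_admin_request_skip(array $request)
{
    if (isset($request['token']) && $request['token'] === 'constructed-admin-token') {
        $authorized = true;
    }
    // EXTR_SKIP leaves variables that already exist alone, but $authorized does
    // not exist on the failure path, so the request can still create it.
    extract($request, EXTR_SKIP);
    return !empty($authorized);
}

function is_admin_request_prefixed(array $request)
{
    $authorized = false;   // initialise, as the article advises
    if (isset($request['token']) && $request['token'] === 'constructed-admin-token') {
        $authorized = true;
    }
    // EXTR_PREFIX_ALL puts every request value under a distinct name ($req_...),
    // so request data can never collide with the script's own variables.
    // import_request_variables('gp', 'req_') on PHP < 5.4 had the same effect.
    extract($request, EXTR_PREFIX_ALL, 'req');
    return $authorized;
}

// Forged request: no valid token, but an "authorized" parameter is supplied.
$forged = array('authorized' => '1', 'page' => 'admin');

var_dump(is_admin_request($forged));
var_dump(is_admin_request_skip($forged));
var_dump(is_admin_request_prefixed($forged));
```

Run against $forged, the first two functions return true and only the prefixed version returns false. EXTR_SKIP protects variables you have already set and nothing else; the uninitialised-variable hole the article describes is closed only by initialising the variable, by prefixing, or by not importing request data into the symbol table at all.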

Summary
You should now be familiar with the various ways variables get into a PHP script, and with a variety of coding techniques for accommodating the change of the register_globals default from On to Off. Best of luck to you, and happy (and secure) coding!

About The Author
Jason has worked as an IT professional since graduating from Colorado State University in 1992. He is currently an application developer, and the webmaster, for a business unit of a Fortune 100 company, and maintains a server at home for educational and home business purposes. He currently resides in Iowa with his wife and two children. Please feel free to post any comments or questions below, or send them to jsweat_php@yahoo.com.

<WCF4.0新特性体验>之后,新出一个系列<WCF服务编程设计规范>.这个系列主要关注的是如何设计WCF服务,以及WCF编码规范.这里我会翻译整理一些WCF服务设计相关的资料,分享给大家,并提供英文原版的下载. [1]序言: 这个系列应该实用性比较强,对于大多数使用到WCF的技术人员或者公司来说,都是比较重要的内容,我们需要一套完整的规范来指导服务的设计和编码.这可以作为大家学习WCF一个规范参考,另外如果公司制定WCF相关的编码和服务设计规范的时候,可以参考一下.我会在这个系列