By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
438,747 Members | 2,011 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 438,747 IT Pros & Developers. It's quick & easy.

Getting rid of imported variables

P: n/a
Hello,

My provider has set register_globals = On and I can't change the php.ini
file. Is there a way to unset all the imported get/post etc. variables at
the beginning of my script?

Thomas

Jul 17 '05 #1
Share this Question
Share on Google+
21 Replies


P: n/a

"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:cc*************@news.t-online.com...
Hello,

My provider has set register_globals = On and I can't change the php.ini
file. Is there a way to unset all the imported get/post etc. variables at
the beginning of my script?


You have two possible solutions:-

a) Use an .htaccess file to turn register_globals OFF for your website.
b) Use ini_set at the start of the script to turn register_globals off for
that script.

HTH

--
Tony Marston

http://www.tonymarston.net

Jul 17 '05 #2

P: n/a
Also sprach Tony Marston:
a) Use an .htaccess file to turn register_globals OFF for your
website.
Sounds like the perfect solution. Which syntax must I use?
b) Use ini_set at the start of the script to turn
register_globals off for that script.


And it will work? I mean, when ini_set gets executed, isn't it already too
late?

Thanks for your help!
Greetings,
Thomas

Jul 17 '05 #3

P: n/a
Also sprach Thomas Mlynarczyk:

a) Use an .htaccess file to turn register_globals OFF for your
website.


Sounds like the perfect solution. Which syntax must I use?


Erm - does it still work if PHP is running as CGI, not as an Apache module?
Jul 17 '05 #4

P: n/a

"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:cc*************@news.t-online.com...
Also sprach Tony Marston:
a) Use an .htaccess file to turn register_globals OFF for your
website.


Sounds like the perfect solution. Which syntax must I use?


php_value register_globals 0
b) Use ini_set at the start of the script to turn
register_globals off for that script.


And it will work? I mean, when ini_set gets executed, isn't it already too
late?


If it didn't work that way then why would it be in the manual? Try it and
see.

--
Tony Marston

http://www.tonymarston.net

Jul 17 '05 #5

P: n/a

"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:cc*************@news.t-online.com...
Also sprach Thomas Mlynarczyk:

a) Use an .htaccess file to turn register_globals OFF for your
website.


Sounds like the perfect solution. Which syntax must I use?


Erm - does it still work if PHP is running as CGI, not as an Apache

module?

Who on earth still runs PHP as CGI when the Apache module is so much faster?
The documentation does not identify any difference, so just suck it and see.

--
Tony Marston

http://www.tonymarston.net

Jul 17 '05 #6

P: n/a
Also sprach Tony Marston:
b) Use ini_set at the start of the script to turn
register_globals off for that script.


And it will work? I mean, when ini_set gets executed, isn't it
already too late?


If it didn't work that way then why would it be in the manual? Try it
and see.


So I did. Didn't work. I guess this particular setting cannot be done this
way. :-(
Jul 17 '05 #7

P: n/a

"Tony Marston" <to**@NOSPAM.demon.co.uk> wrote in message
news:cc*******************@news.demon.co.uk...

"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:cc*************@news.t-online.com...
Also sprach Tony Marston:
a) Use an .htaccess file to turn register_globals OFF for your
website.


Sounds like the perfect solution. Which syntax must I use?


php_value register_globals 0
b) Use ini_set at the start of the script to turn
register_globals off for that script.


And it will work? I mean, when ini_set gets executed, isn't it already too late?


If it didn't work that way then why would it be in the manual? Try it and
see.


The manual says your can only change register_globals in the system or or
per-dir config.
Jul 17 '05 #8

P: n/a
Also sprach Tony Marston:
Who on earth still runs PHP as CGI when the Apache module is so much
faster?
www.1und1.de. Security issues? Or because a change might have negative side
effects for existing scripts?
The documentation does not identify any difference, so just
suck it and see.


My documentation says "Apache module", so I guess it's not for CGI...

Jul 17 '05 #9

P: n/a

"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:cc*************@news.t-online.com...
Also sprach Tony Marston:
Who on earth still runs PHP as CGI when the Apache module is so much
faster?
www.1und1.de. Security issues? Or because a change might have negative

side effects for existing scripts?


What security issues? What makes you think that a PHP script run as CGI
would run differently as an Apache module? Surely a PHP script produces the
same results whichever mode it is run in?
--
Tony Marston

http://www.tonymarston.net
The documentation does not identify any difference, so just
suck it and see.


My documentation says "Apache module", so I guess it's not for CGI...

Jul 17 '05 #10

P: n/a

"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:cc*************@news.t-online.com...
Also sprach Tony Marston:
b) Use ini_set at the start of the script to turn
register_globals off for that script.

And it will work? I mean, when ini_set gets executed, isn't it
already too late?


If it didn't work that way then why would it be in the manual? Try it
and see.


So I did. Didn't work. I guess this particular setting cannot be done this
way. :-(


If you cannot use one of the available options then I guess you are stuffed.
As a last resort change to a professional web hosting company, one that does
not restrict your options to such a degree.

--
Tony Marston

http://www.tonymarston.net

Jul 17 '05 #11

P: n/a

"Chung Leong" <ch***********@hotmail.com> wrote in message
news:3o********************@comcast.com...

"Tony Marston" <to**@NOSPAM.demon.co.uk> wrote in message
news:cc*******************@news.demon.co.uk...

"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:cc*************@news.t-online.com...
Also sprach Tony Marston:

> a) Use an .htaccess file to turn register_globals OFF for your
> website.

Sounds like the perfect solution. Which syntax must I use?


php_value register_globals 0
> b) Use ini_set at the start of the script to turn
> register_globals off for that script.

And it will work? I mean, when ini_set gets executed, isn't it already too late?


If it didn't work that way then why would it be in the manual? Try it and see.


The manual says your can only change register_globals in the system or or
per-dir config.


Well, one of them should work.

--
Tony Marston

http://www.tonymarston.net

Jul 17 '05 #12

P: n/a
On Mon, 5 Jul 2004 22:16:11 +0100, "Tony Marston" <to**@NOSPAM.demon.co.uk>
wrote:
"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:cc*************@news.t-online.com...
Also sprach Tony Marston:
Who on earth still runs PHP as CGI when the Apache module is so much
faster?


www.1und1.de. Security issues? Or because a change might have negative
side effects for existing scripts?


What security issues? What makes you think that a PHP script run as CGI
would run differently as an Apache module? Surely a PHP script produces the
same results whichever mode it is run in?


More flexibility as to what user it runs as under CGI? Also resource usage
will be different for CGI; increased overhead for startup/shutdown, but it
doesn't stay loaded in memory like an Apache module. Conceivably this could be
appropriate for a site that rarely uses PHP.

Running as a module is probably the right choice _most_ of the time.

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space
Jul 17 '05 #13

P: n/a
Thomas Mlynarczyk wrote:
Hello,

My provider has set register_globals = On and I can't change the php.ini
file. Is there a way to unset all the imported get/post etc. variables at
the beginning of my script?

Thomas


I found this script on www.php.net that does just what you are looking for. I
don't remember where on php.net I found it but it is pretty handy just incase
register globals is on.

--- Beginning of unregisterglobals.php ---
<?php
// clean out any globals registered by register_globals being on.

// assume it's on by default. there was no option to disable
// register_globals in PHP3.
$register_globals = true;

// ini_get is only in PHP4+
if(function_exists('ini_get'))
{
// We have PHP4, let's find out if register_globals is
// enabled.
$register_globals = ini_get('register_globals');
}

if($register_globals)
{
// Variables to be protected; may
// add automatic detection in the
// future, but probably not worth
// bothering. Just don't set any
// variables (constants are fine)
// above this point.
$protect_vars = array(
'HTTP_ENV_VARS',
'HTTP_GET_VARS',
'HTTP_POST_VARS',
'HTTP_COOKIE_VARS',
'HTTP_POST_FILES',
'HTTP_SERVER_VARS',
'HTTP_SESSION_VARS',
'_ENV',
'_GET',
'_POST',
'_COOKIE',
'_FILES',
'_SERVER',
'_SESSION',
'GLOBALS',
'input_arrays',
'input_array',
'protect_vars'
);

// Arrays to loop through for input.
// Remember, case sensitive.
// By default these are just the arrays
// register_globals pulls from.
$input_arrays = array(
'HTTP_ENV_VARS',
'HTTP_GET_VARS',
'HTTP_POST_VARS',
'HTTP_COOKIE_VARS',
'HTTP_POST_FILES',
'HTTP_SERVER_VARS',
'HTTP_SESSION_VARS'
);
// Just get the values of each item in $input_arrays;
// they are the names of the input arrays.
while(list(,$input_array) = each($input_arrays))
{
// Just get the key names of each item in the input
// array; they are the names of the possible variables.
while(list($key,) = @each(${$input_array}))
{
// Variable names are case sensitive (in PHP 5
// at least)..but we don't want people having
// variables that get unset just because they
// were capitalised wrong in $protect_vars.
for($i = 0; $i < count($protect_vars); $i++)
{
if(strtolower($protect_vars[$i]) == strtolower($key))
{
continue 2;
}
}

unset(${$key});
}
@reset(${input_array});
}
unset($register_globals, $protect_vars, $input_arrays, $input_array, $key,
$i);
}

?>
--- Ending of unregisterglobals.php ---
Jul 17 '05 #14

P: n/a
Also sprach Tony Marston:
If you cannot use one of the available options then I guess you are
stuffed. As a last resort change to a professional web hosting
company, one that does not restrict your options to such a degree.


It *is* a professional web hosting company! If I payed more I could have any
options I want. Anyway, I am changing my script so the imported variables
will no longer disturb me. I was wondering if it was possible to detect if
$variable was set by the script or imported? The problem is, if
$_GET['variable'] is set, how can I detect if it was overwritten by being
set explicitly in the script? (it's an include file and there I cannot know
what code might have been run before the file was included). Or could I
somehow mess with $GLOBALS to unset everything unwanted?
Jul 17 '05 #15

P: n/a
Also sprach Tony Marston:
php_value register_globals 0
The manual says your can only change register_globals in the system
or or per-dir config.
Well, one of them should work.


I must have done something wrong when I innocently put
php_value register_globals 0
at the end of my .htaccess file (containing already some authentication
stuff). What I got was a 500.


Jul 17 '05 #16

P: n/a
Also sprach lurker:
I found this script on www.php.net that does just what you are
looking for. I don't remember where on php.net I found it but it is
pretty handy just incase register globals is on.


Thanks a lot! Looks like just the thing for me :-)

Jul 17 '05 #17

P: n/a

"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:cc*************@news.t-online.com...
Also sprach Tony Marston:
If you cannot use one of the available options then I guess you are
stuffed. As a last resort change to a professional web hosting
company, one that does not restrict your options to such a degree.
It *is* a professional web hosting company!


A professional web hosting company does not run an out-of-date version of
PHP.
A professional web hosting company does *NOT* run with register_globals ON.
A professional web hosting company allows you to override settings with an
..htaccess file.
A professional web hosting company will provide any exension that you ask
for.
Anyone else is just a cowboy.
If I payed more I could have any options I want.
Then pay for the options you need.
Anyway, I am changing my script so the imported variables
will no longer disturb me. I was wondering if it was possible to detect if
$variable was set by the script or imported? The problem is, if
$_GET['variable'] is set, how can I detect if it was overwritten by being
set explicitly in the script?
if (isset($_GET['variable'])) will tell you if the variable exists in the
$GET array.

If you set any variable within your script then that is under your control.
(it's an include file and there I cannot know
what code might have been run before the file was included). Or could I
somehow mess with $GLOBALS to unset everything unwanted?


That could possibly work.

--
Tony Marston

http://www.tonymarston.net

Jul 17 '05 #18

P: n/a
Regarding this well-known quote, often attributed to Tony Marston's famous
"Mon, 5 Jul 2004 11:09:36 +0100" speech:
"Thomas Mlynarczyk" <bl*************@hotmail.com> wrote in message
news:cc*************@news.t-online.com...
Hello,

My provider has set register_globals = On and I can't change the php.ini
file. Is there a way to unset all the imported get/post etc. variables at
the beginning of my script?


You have two possible solutions:-

a) Use an .htaccess file to turn register_globals OFF for your website.
b) Use ini_set at the start of the script to turn register_globals off for
that script.

HTH


ini_set won't work for that, IIRC, since the variables are already
registered by the time the script runs.

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
Jul 17 '05 #19

P: n/a
Regarding this well-known quote, often attributed to Thomas Mlynarczyk's
famous "Mon, 5 Jul 2004 11:48:15 +0200" speech:
Hello,

My provider has set register_globals = On and I can't change the php.ini
file. Is there a way to unset all the imported get/post etc. variables at
the beginning of my script?

Thomas


Barring an .htaccess file, this should (probably) work.

<?php
foreach ($_GET as $current => $dummy) { unset($$current); }
foreach ($_POST as $current => $dummy) { unset($$current); }
foreach ($_COOKIE as $current => $dummy) { unset($$current); }
?>
References:
http://us3.php.net/manual/en/control...es.foreach.php
http://us3.php.net/manual/en/function.unset.php
http://us3.php.net/manual/en/languag...s.variable.php
--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
Jul 17 '05 #20

P: n/a
Also sprach Tony Marston:
A professional web hosting company does not run an out-of-date
version of PHP.
Is 4.3.6 that outdated? (the latest is 4.3.7 according to www.php.net)
A professional web hosting company does *NOT* run with
register_globals ON.
I guess they can't afford to set it off now as many of their customers may
run scripts depending on that setting.
A professional web hosting company allows you to
override settings with an .htaccess file.
That they do. As far as I know I can more or less do anything in .htaccess.
A professional web hosting company will provide any exension that you
ask for.
If enough customers want a specific extension, they would certainly consider
providing it. But for a big hosting company it may not be that easy to
simply "give" an extension to *one* customer as it might cause problems with
their whole exisiting configuration. But of course that depends on the
extension in question.
If I payed more I could have any options I want.


Then pay for the options you need.


In their case this would mean something like renting my own server for
$a_lot_of_money. Anyway, is it easily possible to give each customer his
"own" php.ini file?
if (isset($_GET['variable'])) will tell you if the variable exists in
the $GET array.

If you set any variable within your script then that is under your
control.


Not necessarily. If my script is an include which is included in a lot of
other scripts (and not necessarily only used by myself) and given the
circumstances it is the most practical way if the calling script just has to
set some variables which the include will process and not all of those
variables are needed every time - then indeed it may not be under my control
if $variable is set by the calling script or imported. Anyway, I have now
modified my script so it will no longer "need" variables that might have
been imported - probably the best solution.
Jul 17 '05 #21

P: n/a
Also sprach FLEB:
Barring an .htaccess file, this should (probably) work.

foreach ($_GET as $current => $dummy) { unset($$current); }
foreach ($_POST as $current => $dummy) { unset($$current); }
foreach ($_COOKIE as $current => $dummy) { unset($$current); }


Ah, that looks elegant.
Thanks,
Thomas
Jul 17 '05 #22

This discussion thread is closed

Replies have been disabled for this discussion.