If you remember using C to write CGI programs in the early days of web application development, you will know how tedious form processing used to be. When PHP's register_globals configuration option is turned on, that raw form processing disappears and global variables are created automatically from the request data. This makes PHP programming easy and convenient, but it also brings security risks.
In fact, register_globals itself is innocent: it does not create vulnerabilities on its own, and a developer still has to make a mistake for one to arise. However, there are two main reasons why you must turn off register_globals when developing and deploying applications:
First, it increases the number of security vulnerabilities;
Second, it hides the source of the data, which goes against the developer’s responsibility to track data at all times.
All examples in this book assume that register_globals has been turned off and use superglobal arrays such as $_GET and $_POST instead. Using these arrays is almost as convenient as programming with register_globals turned on, and the slight inconvenience is worth it because it increases the security of your program.
Tips
If you must develop an application that is deployed in an environment where register_globals is turned on, it is important that you initialize all variables and set error_reporting to E_ALL (or E_ALL | E_STRICT) so that you are warned about uninitialized variables. When register_globals is turned on, any use of an uninitialized variable is almost always a security vulnerability.
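The following added example (not code from the original text) shows why the tip matters: the same authorization check is written once with an uninitialized variable and once with the variable initialized, and error_reporting(E_ALL) is used to surface the uninitialized use. Current PHP versions no longer have register_globals, so `extract()` is used here as a stand-in for its behaviour; the function names, the `authorized` parameter and the sample request are assumptions made for illustration.

```php
<?php
error_reporting(E_ALL);   // the tip above: report uninitialized variables

// Collect diagnostics instead of printing them inline.
$diagnostics = [];
set_error_handler(function (int $errno, string $msg) use (&$diagnostics): bool {
    $diagnostics[] = $msg;
    return true;
});

// Hypothetical check. extract() stands in for register_globals=On:
// every request parameter becomes a variable in the current scope.
function is_authorized_uninitialized(array $request, bool $isAdmin): bool
{
    extract($request);
    if ($isAdmin) {
        $authorized = true;
    }
    // On the non-admin path $authorized was never set by this code,
    // so whatever the request supplied decides the result.
    return (bool) $authorized;
}

// Same check with the variable initialized before use.
function is_authorized_initialized(array $request, bool $isAdmin): bool
{
    extract($request);
    $authorized = false;   // overwrites any request-supplied value
    if ($isAdmin) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample request parameters for a non-admin user.
$constructed = ['authorized' => '1'];

var_dump(is_authorized_uninitialized($constructed, false)); // request data decides
var_dump(is_authorized_initialized($constructed, false));   // the code decides
var_dump(is_authorized_uninitialized([], false));           // triggers a diagnostic
print_r($diagnostics);   // the uninitialized use reported under E_ALL
```

With register_globals turned off, the `extract()` line has no equivalent at all, and request data can only enter through an explicit read of $_GET or $_POST.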