Share your understanding of PHP register_globals values ​​​​on and off_php basics

share your understanding of php register_globals values ​​​​on and off_php basics:

the value of register_globals can be set to: on or off. let’s give a piece of code to describe respectively. their differences.

code:

<form name="frmtest" id="frmtest" action="url">
<input type="text" 
name="user_name" id="user_name">
<input type="password" 
name="user_pass" id="user_pass">
<input type="submit" 
value="login">
</form>

when register_globals=off, when the next program receives you should use $_get['user_name'] and $_get['user_pass'] to accept the passed value. (note: when the method attribute of

is post, you should use $_post['user_name'] and $_post['user_pass'])

when register_globals=on, the next program can be used directly $user_name and $user_pass to accept values.

as the name suggests, register_globals means to register as a global variable, so when it is on, the passed value will be directly registered as a global variable for direct use, and when it is off, we need to go to a specific array go get it. therefore, friends who encounter the above problems of not being able to get the value should first check whether your register_globals setting matches your method of obtaining the value. (to check, you can use the phpinfo() function or check php.ini directly)

let’s see what’s wrong here?

look at the following php script, which is used to authorize access to a web page when the entered username and password are correct:

the code is as follows: p>

<?php
// 检查用户名及口令
if ($username == 'kevin' and $password == 
'secret')
$authorized = true;
?>
<?php if (!$authorized): 
?>
<!-- 未授权的用户将在这里给予提示 -->
<p>Please enter your username 
and password:</p>
<form action="<?=$PHP_SELF?>" 
method="POST">
<p>Username: <input type="text" name="username" 
/><br />
Password: <input type="password" name="password" 
/><br />
<input type="submit" 
/></p>
</form>
<?php else: ?>
<!-- 有安全要求的HTML内容 
-->
<?php endif; ?>

the problem with the above code is that you can easily gain access without providing the correct username and password. just add ?authorized=1 at the end of your browser's address bar. because php automatically creates a variable for every submitted value -- whether from a form submission, a url query string, or a cookie -- this will set $authorized to 1, so an unauthorized user can security restrictions can be exceeded.

the above is the basic content of sharing the understanding of php register_globals value on and off_php. for more related content, please pay attention to the php chinese website (www.php.cn)!