Dealing with legacy code which requires register globals on?

Forum Moderators: coopster

Message Too Old, No Replies

Dealing with legacy code which requires register globals on?

encyclo

3:25 am on Dec 31, 2007 (gmt 0)

I want to update a server from PHP4 to 5, and I have a modified third-party script which doesn't work when register globals is set to off. The original script is unmaintained by the original author so no upgrade is possible (and with the modifications, would have been difficult anyway).

Is there a quick and simple way of making such a script work without register globals when you are not familiar with the code?

I'm aware of the security implications too, which is why I would like to turn off register globals. The script itself is invisible to the end user as it uses mod_rewrite to generate static .htm URLs.

eelixduppy

8:59 am on Dec 31, 2007 (gmt 0)

There are a few different ways to create a register globals emulation. Perhaps the simplest form is something like this, which you'd have to add to the top of each script:


foreach($_GET AS $key => $value) {
 ${$key} = $value;
}
etc...

which you'd do for each of the superglobal arrays. You might also want to take a look at the user comments on the register globals [php.net] page for some additional ideas.

The only thing here is that it still presents you with the same security issue as having register globals enabled. The key to securing your application is making sure that the input data is properly cleaned and that all other variables are initialized to some starting value; if you think the application meets these precautions then you should have nothing to worry about. :)

mikesmith76

1:04 pm on Dec 31, 2007 (gmt 0)

As an alternative you may want to look at [php.net...]

I would only consider this a "quick fix" to get it working, can you alter the script yourself to make it work without register_globals enabled?

coopster

1:26 pm on Jan 1, 2008 (gmt 0)

You can easily modify the behavior with Apache config too ...

[webmasterworld.com...]

... perhaps just set it for that directory only is a quick solution (as you stated, you are already aware of security implications).

jatar_k

2:23 pm on Jan 1, 2008 (gmt 0)

when I moved from globals on to off in the past I used the extract method

you could add it at the script level, or if there are a ton of scripts then slip it into a global include, then you can work script by script to correct it.

if you need to extract more than one superglobal then make you you do them in the same order as they would have been extracted with globals on. This way you make sure that all variable collisions are the same as they were previously.

encyclo

4:27 pm on Jan 5, 2008 (gmt 0)

Thanks for all the replies, my biggest problem is that I'm not at all familiar with the workings of the script, which is spread over a dozen different files. Documentation is very limited, and the installed version has been extensively modified from the original anyway. All this adds up to a big headache for the person trying to debug it!

I have the advantage of some good security-by-obscurity, the generated pages don't have a .php extension, and PHP is not exposed in the server response.

Is it hopeless without having to disassemble the script so as to identify the problems? I'm going to start by attempting to emulate register globals on with the following script:

[webmasterworld.com...]

mikesmith76

6:18 pm on Jan 5, 2008 (gmt 0)

The code you have linked to should get your script working but I would strongly advise you to only use this on the scripts in question, do not be tempted to use this on all scripts written in the future. register_globals makes it difficult to see where data input is coming from, if it's sanitized etc etc