Using register_globals in PHP 5.5

Veröffentlicht am Veröffentlicht in PHP

From a security point of view, it’s not worth discussing the benefits and risks of using register_globals in PHP. It was just a matter of time the PHP team would completely remove this controversial feature. And so they did, register_globals had been deprecated as of PHP 5.3 and removed as of PHP 5.4.

Anyway, there are a few situations in which you would like to update to the latest PHP version (> 5.4) but not get lost of the register_globals feature – e.g. when you are not allowed to change the code of a script that requires register_globals = on or if it’s just too much (unpaid) work to find and edit all related code parts.

Assuming that you follow common security principles, this workaround will bring back register_globals functionality to PHP 5.4+:

  • Create an empty file register_globals.php in your PHP include directory (e.g. /usr/share/php).
  • Put this code into register_globals.php:
    <?php extract($_REQUEST); ?>
  • If you want to make more variables become global then simply add other global arrays, e.g.:
    <?php
    extract($_REQUEST);
    extract($_SERVER);
    extract($_SESSION);
    ?>
  • Add this directive to the end of your php.ini:
    auto_prepend_file = 'register_globals.php'
  • Restart Apache:
    sudo /etc/init.d/apache2 restart

    or

    sudo apachectl restart

3 Gedanken zu „Using register_globals in PHP 5.5

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.