/    Sign up×
Community /Pin to ProfileBookmark

Register Long Arrays question

Copy linkTweet thisAlerts:
Apr 14.2008

I’m updating an old web-based license key generator for some new products of ours (used only by our on-site tech guys). Anyway the original script used HTTP_POST_VARS instead of just _POST, so I just changed it all to _POST so I didn’t have to go turn on register_long_arrays in my php.ini .

Anyway the original author guy came by to check it out and saw I was using the “shorthand” (preferred method from what I’ve always heard) _POST vars, and he said something along the lines of “Oh, your disabling some of the new security features that way”. I’ve never heard of any security issues using $_POST vs $HTTP_POST_VARS, and google didn’t turn much up either. Personally, I don’t think theres really any difference and think he was just misinformed on the subject, but was wondering if maybe there is some merit to his statement.

to post a comment
PHP

4 Comments(s)

Copy linkTweet thisAlerts:
@NogDogApr 14.2008 — The only functional difference of which I am aware is that the $HTTP_* versions are not "super-global", while the $_POST type vars are. I.e.: $_POST is automatically available in any scope, whereas $HTTP_POST_VARS would have to be declared as global within a function/method definition before it can be accessed.
Copy linkTweet thisAlerts:
@TJ111authorApr 15.2008 — Thanks for the reply, I wasn't aware that you had to declare them as globals inside a function. But still, the script is so small, it's all a single inline script that generates these keys. Am I correct in assuming there is no "security" risk using just $_POST?
Copy linkTweet thisAlerts:
@NogDogApr 15.2008 — I am not aware of any such risk. Besides, as far as I know from all the php.net literature, the newer, "super-global" versions are the preferred method of accessing such external data, and as such should be used instead of $HTTP_* variables, and also instead of [url=http://www.php.net/register_globals]register_globals[/url] variables (preferably with register_globals disabled so that they are not even an option).

Also, neither the $HTTP_* variables nor register_globals will be available at all in PHP 6.
Copy linkTweet thisAlerts:
@TJ111authorApr 15.2008 — I am not aware of any such risk. Besides, as far as I know from all the php.net literature, the newer, "super-global" versions are the preferred method of accessing such external data, and as such should be used instead of $HTTP_* variables, and also instead of [url=http://www.php.net/register_globals]register_globals[/url] variables (preferably with register_globals disabled so that they are not even an option).[/QUOTE]
Thats exactly what I've heard too, and why I've always used them. This guy is just one of those programming gurus that's been doing it for decades so I figured he might have some merit to his statement. I'm just gonna stick with the superglobals because thats the recommended method, easiest method, and I can't see any security risks involved with it. Thanks for the input.
×

Success!

Help @TJ111 spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 6.17,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: @nearjob,
tipped: article
amount: 1000 SATS,

tipper: @meenaratha,
tipped: article
amount: 1000 SATS,

tipper: @meenaratha,
tipped: article
amount: 1000 SATS,
)...