PHP 'get's' data without $_GET?

Question

I'm not sure if this is expected behavior. But if I host the following on my server

<?php
print $stackoverflow; 
?>

And I have another example.html which contains:

<form action="http://pinguincyb.org/roc/opdracht1/lawl.php" method="POST">
 <input type="text" name="stackoverflow" value="example">
 <input type="submit" value="Submit">
</form>

The page prints 'example', is this normal behavior? Shouldn't that data be unavailable until I would do something like

$stackoverflow = $_GET["stackoverflow"];

mehtod ? just to be precise...

Volkan
– Volkan

2013-04-05 11:53:57 +00:00
Commented Apr 5, 2013 at 11:53 — Volkan
– Volkan, Commented Apr 5, 2013 at 11:53
us.php.net/manual/en/security.globals.php

user1233508
– user1233508

2013-04-05 11:54:29 +00:00
Commented Apr 5, 2013 at 11:54 — user1233508
– user1233508, Commented Apr 5, 2013 at 11:54

BenMorel · Accepted Answer · 2014-05-21 21:10:05Z

6

It's old deprecated feature PHP called register globals. Even removed.

YOU SHOULD AVOID IT.

Read manual about Using Register Globals

If you have it you must disable it. You can do it in php.ini, .htaccess, httpd.conf or .user.ini (since PHP 5.3)

edited May 21, 2014 at 21:10

BenMorel

37.1k53 gold badges208 silver badges339 bronze badges

answered Apr 5, 2013 at 11:53

sectus

15.7k5 gold badges59 silver badges97 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

user2248878 Over a year ago

Thank you for the answer, it was driving me crazy.

Wanderson Silva · Accepted Answer · 2013-04-05 11:55:42Z

0

This feature is old and deprecated. Avoid using it as it is unsecure

answered Apr 5, 2013 at 11:55

Wanderson Silva

1,2191 gold badge20 silver badges36 bronze badges

2 Comments

user2248878 Over a year ago

Yes, I actualy thought it would be a possible security issue, which is why i asked. Though I can't just turn it off, I'll bug my hoster about the config.

Wanderson Silva Over a year ago

sectus and I aswered almost the same time

Your Common Sense · Accepted Answer · 2013-04-05 12:12:57Z

0

On security.

As a matter of fact, for the well-written application it doesn't matter if this setting turned on or off.

A well-written application have to define all it's variables before use. If this rule followed, no register_globals will be able to do any harm.

If you have something like

$admin = FALSE;
if (check_admin()) {
    $admin = TRUE;
}

noone will be able to become admin with silly

/index.php?admin=1

even if register_globals is on.

Though one have to define ther variables anyway, just for the program's consistency.

That's the point.

answered Apr 5, 2013 at 12:12

Your Common Sense

158k42 gold badges226 silver badges374 bronze badges

Collectives™ on Stack Overflow

PHP 'get's' data without $_GET?

3 Answers 3

1 Comment

2 Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

1 Comment

2 Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related