Servage Magazine

Information about YOUR hosting company – where we give you a clear picture of what we think and do!

PHP global variables explained

Sunday, December 14th, 2014 by Servage

In PHP you have a lot of predefined variables available to you. They are set as part of the core PHP code to serve a specific purpose or for pure convenience. These variables are often referred to as “globals” or “global variables”. They are global in the sense that they can be accessed anywhere in any PHP script executed for the request.

The register globals issue

It is a very old story that the infamous “register globals” setting in PHP is a potential security risk. In essence, the problem is that when register globals mode is activated, any variables appended to a request, for example the parameters of a GET request, are registered as global variables in the subsequent script execution.

// Sample URL with GET parameter appended

http://mydomain.com/index.php?something=bad

// Now the following variable would be available in the code
$something (containing the value "bad")

This principle made it possible for attackers to set any variable they wished. The script therefore had to be very sure that it set defaults for all variables used internally; otherwise it could potentially be compromised.

Thankfully most people nowadays are aware of this problem, and register globals is definitely a setting which is recommended to be disabled. You should never accept random parameters through a request. On the contrary, all user data should be subject to extreme scrutiny and validation before being trusted and used.
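The following sketch is an added example, not code from the original article. It emulates register globals with extract() on a constructed request array and contrasts a page that relies on an uninitialised variable with one that sets its own defaults and validates request data. The is_admin parameter, user_is_admin(), legacy_page() and safe_page() are hypothetical names chosen for illustration.

```php
<?php
// Constructed sample request, standing in for
// index.php?something=bad&is_admin=1 (is_admin is a made-up parameter).
$request = ['something' => 'bad', 'is_admin' => '1'];

// Hypothetical stand-in for the application's real login check.
// It always fails here, so nobody is legitimately an admin.
function user_is_admin(): bool
{
    return false;
}

// Page written for register globals (emulated with extract()).
function legacy_page(array $request): string
{
    // Every request parameter becomes a variable in this scope,
    // which is what register globals did for the whole script.
    extract($request);

    if (user_is_admin()) {
        $is_admin = true;
    }
    // $is_admin never received a default, so the value supplied
    // in the request decides the outcome.
    return !empty($is_admin) ? 'admin panel' : 'public page';
}

// Same page with explicit defaults and validated input.
function safe_page(array $request): string
{
    $is_admin = false; // internal state always starts from a known value
    if (user_is_admin()) {
        $is_admin = true;
    }

    // Request data is read by name only and checked before use.
    $something = '';
    if (isset($request['something']) && is_string($request['something'])
        && preg_match('/^[a-z]{1,20}$/', $request['something'])) {
        $something = $request['something'];
    }

    return ($is_admin ? 'admin panel' : 'public page')
        . ' (something=' . $something . ')';
}

echo legacy_page($request), "\n";
echo safe_page($request), "\n";
```

With the same request, legacy_page() lets the request-supplied is_admin decide access, while safe_page() ignores it and only accepts the something parameter after it passes the pattern check.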

PHP global variables

Today PHP still comes with a set of global variables. Many of them are useful and purposeful, for example $_POST, $_GET and $_REQUEST. They are automatically populated with data from the request, meaning the data the web server receives from the client. This data can therefore not be trusted without being checked, but the fact that it is available so easily in PHP scripts is a real convenience.

Below is a simple example of how an HTML form field can end up providing data to the PHP global $_POST variable when submitted.

// HTML field
<input type="text" name="first_name">

// Corresponding POST data handling in PHP
$firstName = $_POST['first_name'];

The server environment

Your code often needs information about the server environment or the request itself to identify certain things. This information is available through the $_SERVER and $_REQUEST globals. They provide a preset list of values which tell you what you need to know about the environment or the request.

Cookie and session data

Other examples of purposeful PHP globals are $_SESSION and $_COOKIE. They contain, respectively, the data of the current session and all cookies transmitted with the request. Note that these globals are not designed to initialize or handle the session, nor to set new cookies. You need to manage the session and cookies using the relevant PHP functions.

Remember the scope

Whenever you are working with a script, remember the scope you are dealing with. In the global scope you can access any globally defined variable. Inside a function you cannot access variables defined outside it (except for PHP’s own globals). Therefore it is always necessary to think about where you define variables and where they should be available. Otherwise you will run into undesired results due to unavailable or unset variables (and have a lot of debugging work ahead).
