Request #16308 unregister_globals() - a function that removes all vars by "register_globals"
Submitted: 2002-03-27 08:31 UTC
Modified: 2002-03-27 10:34 UTC
From: tapken at engter dot de
Assigned:
Status: Not a bug
Package: Feature/Change Request
PHP Version: 4.1.2
OS: Linux 2.4
Private report: No
CVE-ID: None

 [2002-03-27 08:31 UTC] tapken at engter dot de
Hi all!

The new global vars ($_GET, $_POST, etc) are very nice but they do not bring more security if register_globals = on. Regrettably, many server admins are unable to set "register_globals = off" due to the fact that many scripts would break.

I would like to see a 'unregister_globals()'-Function (called at the beginning of a script) which parses the gpc-vars and unsets all normal vars with the same name (let's say it undoes register_globals' work).

It would be nice if somebody would inform me if he has such a patch.

bye, Roland

 [2002-03-27 08:58 UTC] daniel@php.net
and how do you think unregister_globals() should be able to distinguish between variables set by "register_globals" and those by the user? this will more likely lead to a big mess.

why not just switch it off?
 [2002-03-27 09:01 UTC] daniel@php.net
you can set register_globals = off on a vhost basis with php_value in your httpd.conf and slowly migrate each user to the new config.
 [2002-03-27 09:05 UTC] tapken at engter dot de
For security reasons I can't use .htaccess for configuring php.

>and how do you think unregister_globals() should be able to distinguish
>between variables set by "register_globals" and those by the user? 

I wrote "called at the beginning of a script". At this time there should not be any variables created by the user.
 [2002-03-27 09:45 UTC] mfischer@php.net
He wrote httpd.conf, NOT .htaccess
 [2002-03-27 10:34 UTC] rasmus@php.net
So use a one-liner like:
foreach($_REQUEST as $name=>$val) unset($$name);
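
Added example, not part of the original thread and not code from the PHP project: a fuller version of the cleanup discussed above. It goes beyond the one-liner by walking every source register_globals imported from (environment, GET, POST, cookie, server, plus files and session) and by skipping names that collide with the superglobals themselves. The function name unregister_globals_sketch() is hypothetical, and the request data at the bottom is constructed so the script runs from the command line.

```php
<?php
// Added example; unregister_globals_sketch() is a hypothetical name,
// not a PHP built-in. Call it first thing in a script, before the
// script defines any global variables of its own.
function unregister_globals_sketch(): array
{
    // Names that must survive even if a request parameter uses them.
    $protected = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION'];

    // $_REQUEST only covers GET, POST and cookies; register_globals
    // also imported server, environment, upload and session data.
    $sources = [$_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES,
                (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : []];

    $removed = [];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            $name = (string) $name;
            if (in_array($name, $protected, true)) {
                continue; // never unset a superglobal
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed[$name] = true;
            }
        }
    }
    return array_keys($removed);
}

// Constructed request state, imitating what register_globals = on
// would have left in the global scope.
$_GET    = ['is_admin' => '1', '_SERVER' => 'x', 'GLOBALS' => 'y'];
$_POST   = [];
$_COOKIE = ['theme' => 'dark'];
$is_admin = '1';
$theme    = 'dark';

$removed = unregister_globals_sketch();

var_dump(isset($is_admin));               // bool(false): injected global is gone
var_dump(isset($theme));                  // bool(false)
var_dump(is_array($_SERVER));             // bool(true): superglobal left intact
var_dump(in_array('_SERVER', $removed));  // bool(false): protected name skipped
```

The values stay available through $_GET, $_POST and the other superglobals; only the plain global copies are dropped. register_globals itself was removed in PHP 5.4, so this only matters for code that still has to run on older installations.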
 
Last updated: Sun Jul 06 05:01:37 2025 UTC