register_globals fix [closed]

问题

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.

Closed 6 years ago.

I have a client who has an online shop he would like me to host. The site was written by another develop and uses register globals.

When I uploaded it to my server it told me it required register_globals to be enabled, I checked the .htaccess file and it was. When I asked the hosting company they told me it had been dreprecated and wouldn't run on the server. I'm not sure what parts of the code are dependant on it as I've not looked into the progamming too closely, I was only intending to host it.

Is there a quick fix or am I going to have to take the code apart and fix it with up to date alternatives?

回答1:

If the code uses register globals, and hasn't been updated to not use it, then it was probably written a very long time ago. This means that:

1. it's almost certain to have massive security holes;
2. it likely uses other PHP functionality that's been deprecated and/or removed;
3. it's probably very messy spaghetti code, and
4. it's going to be a bitch to rewrite to fix all the issues.

My advice is to just find a modern shopping cart software package and help him set up his shop using that instead of trying to keep his existing ancient piece of software running. It may seem like more work, but it'll be a lot less hassle in the long run for everyone involved.

If you must fix up his existing code (ie if he begs you and offers to pay you a lot for the work), here's how to deal with register globals:

Register globals takes all the variables entered into the POST or GET arguments, and creates them as simple variables in the global namespace. So instead of $_GET['id'], you just get $id.

If the program is reasonably well written and documented, it may not be too hard to see what variables it is expecting. In that case, it's not to hard to sustitute $_REQUEST for the relevant variables; job done.

But a lot of (uh, most) old PHP code just throws global variables around without paying much attention to them. Throw in a bunch of includes, hundreds of lines of code without a function() declaration in site, and interwoven PHP and HTML code, possibly with some generate Javascript thrown in, and you often have a mess that is completely impenetrable to anyone except the original author (and sometimes not even them).

If the code looks like this, you will be a very brave man to attempt to repair it. You should just accept that it is unsalvageable, and walk away. I have had jobs in the past where I've been required to fix up old code like this, and trust me, you can sink months (or even years) of time into it before you start getting somewhere. In that kind of time scale, you might as well have written a whole new system from scratch.

回答2:

A real ugly but very quick fix is something like the following:

foreach (array('_GET', '_POST', '_COOKIE', '_SERVER') as $_SG) {
    foreach ($$_SG as $_SGK => $_SGV) {
        $$_SGK = $_SGV;
    }
}

Preferably at the top of any php script that can be executed, BEFORE any other code.

Please note, that this is not something I would really recommend. Please try to persuade your client(s) that they should get something better. If code requires register_globals, chances are that it's as insecure as hell...

来源：https://stackoverflow.com/questions/14141631/register-globals-fix