Cyprich.com

Occasionally Relevant Insights from a Software Builder

By

Using Deprecated Code in PHP 5

If you don’t have the time or inclination to update your PHP4 code to PHP5, you can get the deprecated functions to work properly (especially the authentication code) by creating an .htaccess file and dropping it in the folder where your apps reside.

The .htaccess file should contain the following code:

php_flag register_globals on
php_flag register_long_arrays on

What this means is the following.

register_globals

When this is set on, any variables that you pass to a web page through a URL (i.e. www.website.com?var=123) or post data, or a cookie will be set as a global variable in the PHP script.

The php.net site states that “when on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn’t require variable initialization means writing insecure code is that much easier.”

This is not a secure way to write software and the functionality was deprecated starting in PHP 4.2.0. The code needs to be replaced using $_GET, $_POST, $_COOKIE, or $_REQUEST.

register_long_arrays

This is another bad way of writing PHP code and also deprecated by the PHP team. To quote php.net again, this “tells PHP whether or not to register the deprecated long $HTTP_*_VARS type predefined variables. When On (default), long predefined PHP variables like $HTTP_GET_VARS will be defined. If you’re not using them, it’s recommended to turn them off, for performance reasons. Instead, use the superglobal arrays, like $_GET.”

You need to fix your code by using $_GET, $_SERVER, etc. as opposed to HTTP_GET_VARS, $HTTP_SERVER_VARS, etc.

Leave a Reply

Your email address will not be published. Required fields are marked *