views: 287
answers: 5

I have inherited some legacy PHP code that was written back when it was standard practice to use register_globals. We know now that it is bad for security to have it enabled. The problem is how do I find all the places in the code where I need to use $_GET or $_POST? My only thought was to set the error reporting to warn about uninitialized variables and then test each part of the site. Is there an easier way? Will I have to test each code path in the site or will PHP give warnings on a per-file basis?

A: 

I know that there's a way to set php.ini values for that script with a certain command, I thus went looking and found this too - Goto last post on page

I also found the following post which may be of use - Goto last post on the page

I will add to this more if nobody has found an answer but I must now catch a train.

Teifion
+3  A: 

If you set error reporting to E_ALL, it warns in the error log about undefined variables complete with filename and line number (assuming you are logging to a file). However, it will warn only when it comes across an undefined variable, so I think you will have to test each code path. Running PHP from the command line doesn't seem to help either.

There is a debugging tool named xdebug; I haven't tried it, but maybe that can be useful?

Marie Fischer
A: 

@Teifion Although these will both solve your problems, it is still less secure than actually fixing the code.

Unkwntech
+2  A: 

I wrote a script using the built-in Tokenizer functions. It's pretty rough but it worked for the code base I was working on. I believe you could also use CodeSniffer.

grom
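An added example in the spirit of grom's answer; this is not the script grom wrote, and the function and constant names, the heuristics and the inline sample file are all my own. It uses the tokenizer extension (token_get_all) to list every variable a file reads before that file has assigned it, which under register_globals is exactly the set of names the request used to fill in. Run it with a directory argument to scan a code base, or with no arguments to scan the constructed sample embedded in the script:

```php
<?php
// Added example, not the script grom wrote: a rough register_globals finder built on
// PHP's tokenizer extension (token_get_all). It lists every variable a file reads
// before that file has assigned it. Under register_globals those were the names the
// request filled in, so each hit is a place for an explicit $_GET/$_POST/$_COOKIE
// lookup (or for the initialisation that was always missing). Heuristic, not a full
// static analysis: scope is per file rather than per function, "$arr['k'] = ..."
// counts as a read of $arr (the request may have seeded it), "$x = $x + 1" as a write.

define('GLOBAL_SCAN_SUPERGLOBALS', 'GLOBALS _SERVER _GET _POST _FILES _COOKIE _SESSION '
    . '_REQUEST _ENV this HTTP_GET_VARS HTTP_POST_VARS HTTP_COOKIE_VARS HTTP_SERVER_VARS '
    . 'HTTP_SESSION_VARS HTTP_ENV_VARS HTTP_POST_FILES php_errormsg argv argc');

// Id of the nearest significant token (a T_* constant, or the literal character for
// one-character tokens) in direction $step from $i; null when there is none.
function neighbour_id(array $tokens, $i, $step)
{
    $skip = array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT);
    for ($i += $step; $i >= 0 && $i < count($tokens); $i += $step) {
        if (!is_array($tokens[$i])) return $tokens[$i];
        if (!in_array($tokens[$i][0], $skip, true)) return $tokens[$i][0];
    }
    return null;
}

// Returns array(name => line of first read) for variables read before assignment.
function find_unassigned_reads($source)
{
    $superglobals = explode(' ', GLOBAL_SCAN_SUPERGLOBALS);
    $assign_ops = array(T_PLUS_EQUAL, T_MINUS_EQUAL, T_MUL_EQUAL, T_DIV_EQUAL,
        T_CONCAT_EQUAL, T_MOD_EQUAL, T_AND_EQUAL, T_OR_EQUAL, T_XOR_EQUAL,
        T_SL_EQUAL, T_SR_EQUAL);
    $decl_kw = array(T_VAR, T_PUBLIC, T_PROTECTED, T_PRIVATE, T_STATIC);
    $tokens = token_get_all($source);
    $assigned = array();   // name => true once the file has written it
    $hits = array();       // name => line of the first unassigned read
    // Inside these regions every variable is a write: function/list()/catch()
    // parameters and foreach targets up to the matching ')', "global ..." up to ';'.
    $write_until = null;
    $depth = 0;
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        $t = $tokens[$i];
        $id = is_array($t) ? $t[0] : $t;
        if ($write_until === null) {
            if ($id === T_FUNCTION || $id === T_LIST || $id === T_CATCH) {
                $write_until = ')'; $depth = -1;   // the opening '(' is still to come
            } elseif ($id === T_AS) {
                $write_until = ')'; $depth = 0;    // already inside the foreach's '('
            } elseif ($id === T_GLOBAL) {
                $write_until = ';'; $depth = 0;
            }
        } elseif ($id === '(') {
            $depth++;
        } elseif ($id === $write_until && $depth <= 0) {
            $write_until = null;
        } elseif ($id === ')') {
            $depth--;
        }
        if ($id !== T_VARIABLE) continue;
        $name = substr($t[1], 1);
        if (in_array($name, $superglobals, true) || isset($assigned[$name])) continue;
        $prev = neighbour_id($tokens, $i, -1);
        $next = neighbour_id($tokens, $i, 1);
        $is_write = $write_until !== null
            || $next === '='                        // plain "=" ("==" is T_IS_EQUAL)
            || in_array($next, $assign_ops, true)   // .=  +=  and friends
            || in_array($prev, $decl_kw, true);     // var/public/static $x declarations
        if ($is_write) {
            $assigned[$name] = true;
        } elseif (!isset($hits[$name])) {
            $hits[$name] = $t[2];
        }
    }
    return $hits;
}

// Constructed sample in register_globals style, scanned when no directory is given.
$sample = '<?php
$page = 1;
if (isset($admin)) { $mode = "admin"; }     // $admin: the classic register_globals hole
foreach ($items as $k => $v) { echo $v; }   // $items: read before assignment
function show($id) { global $db; return $db->get($id); }
echo "<a href=\"$returnurl\">back</a>";   // $returnurl: read inside a string
';
if (isset($argv[1])) {
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($argv[1]));
    foreach ($it as $file) {
        $path = (string) $file;
        if (substr($path, -4) !== '.php') continue;
        foreach (find_unassigned_reads(file_get_contents($path)) as $name => $line) {
            printf("%s:%d  \$%s is read before it is assigned\n", $path, $line, $name);
        }
    }
} else {
    foreach (find_unassigned_reads($sample) as $name => $line) {
        printf("sample:%d  \$%s is read before it is assigned\n", $line, $name);
    }
}
```

On the embedded sample it flags $admin, $items and $returnurl and nothing else: parameters, foreach targets, global declarations and plain assignments are recognised as writes, and a variable interpolated inside a double-quoted string is still seen because the tokenizer emits it as a T_VARIABLE. Because it works per file rather than per code path, it answers the question's second worry: every file gets covered whether or not a request ever reaches it, at the cost of some false positives (for example a variable assigned in one function and read in another) that a quick look resolves.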
A: 

You could manually 'fake' the register globals effect but add some security. (I partly grabbed this from the osCommerce fork called xoops)

<?php
//  Detect bad global variables
$bad_global_list = array('GLOBALS', '_SESSION', 'HTTP_SESSION_VARS', '_GET', 'HTTP_GET_VARS', '_POST', 'HTTP_POST_VARS', '_COOKIE', 'HTTP_COOKIE_VARS', '_REQUEST', '_SERVER', 'HTTP_SERVER_VARS', '_ENV', 'HTTP_ENV_VARS', '_FILES', 'HTTP_POST_FILES');
foreach ($bad_global_list as $bad_global) {
    if (isset($_REQUEST[$bad_global])) {
        die('Bad Global');
    }
}

//  Make global variables
foreach ($_REQUEST as $name => $value) {
    $$name = $value; // Creates a variable named $name equal to $value.
}

Though you'd want to tweak it to make your code more secure, at least by adding your global configuration variables (like the path and base url) to the bad globals list.

You could also use it to easily compile a list of all used GET/POST variables to help you eventually replace all occurrences of, say, $returnurl with $_REQUEST['return_url'];

Eric Goodwin
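An added example building on the tweak Eric Goodwin suggests; this is not code from his answer or from the xoops/osCommerce shim. It keeps the "fake register_globals" idea but inverts the list: instead of a deny-list of dangerous names, only names on a per-page allow-list (hypothetical here) are imported, each from the array it is expected in; extract() with EXTR_SKIP guarantees the request can never overwrite a variable the script or its config already set; and the imported names are logged so the log doubles as the list of variables still to be converted. The request it processes on the command line is constructed for the demo:

```php
<?php
// Added example, not code from Eric Goodwin's answer or from the xoops/osCommerce
// shim: a hardened "fake register_globals". Only allow-listed names are imported, each
// from the array it is expected in; extract() with EXTR_SKIP never overwrites an
// existing variable; imported names are logged (names only) as a conversion to-do list.

// Hypothetical allow-list for one page: variable name => the array it may arrive in.
$allowed_request_vars = array(
    'page'      => 'GET',
    'returnurl' => 'GET',
    'username'  => 'POST',
    'password'  => 'POST',
);

// Picks the allowed names out of $get/$post; anything else in the request is ignored,
// so "?path=..." or "?loggedin=1" can no longer create a variable.
function collect_request_vars(array $allowed, array $get, array $post)
{
    $vars = array();
    foreach ($allowed as $name => $source) {
        $from = ($source === 'POST') ? $post : $get;
        if (array_key_exists($name, $from)) {
            $vars[$name] = $from[$name];
        }
    }
    return $vars;
}

if (PHP_SAPI === 'cli') {
    // Constructed request for running the example from the command line; "path" and
    // "loggedin" are the kind of names sent to hit a register_globals hole.
    $_GET  = array('page' => '2', 'returnurl' => '/index.php', 'path' => '/tmp/evil');
    $_POST = array('username' => 'alice', 'loggedin' => '1');
}

// Config the legacy code relies on. The shim runs after it, so these are safe twice
// over: they are not on the allow-list, and EXTR_SKIP would refuse to overwrite them
// even if someone put them there by mistake.
$path     = '/var/www/legacy';
$loggedin = false;

$vars     = collect_request_vars($allowed_request_vars, $_GET, $_POST);
$imported = extract($vars, EXTR_SKIP);   // returns how many variables were actually set
error_log('request vars imported: ' . implode(', ', array_keys($vars)));  // names only, never values

if (PHP_SAPI === 'cli') {
    printf("%d imported; path=%s loggedin=%s page=%s returnurl=%s username=%s\n",
        $imported, $path, var_export($loggedin, true), $page, $returnurl, $username);
}
```

Two design points: the shim has to sit between the configuration and the legacy code, because EXTR_SKIP protects only what already exists when it runs; and it reads $_GET and $_POST separately rather than $_REQUEST, since $_REQUEST also contains cookies and whatever request_order merges in, which lets a cookie silently stand in for a form field.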