Once upon a time… ah, I’m kidding, it was a little over a year ago to date. This is just another post in the saga of why I hated working on a certain browser game. I was just thinking about why removing register globals in PHP 6 is going to be so awesome.
Where does this variable get its data?
Me: What is this one variable? Named $action. Is it from a form or the URL?
The Original Coder: I have no idea!
As usual, there aren’t any comments as to where the data came from. So yeah, a little bit of work and testing usually leads to the answer. Afterwards, it means updating the variable to use the correct superglobal. In this case, it meant updating 20-30 pages. A total time waster, since it shouldn’t have been needed in the first place.
Doesn’t work on PHP 5, so what?
Me: The current code doesn’t work on PHP 5!
Other Coder: Why upgrade if it works on PHP 4?
Yeah, saying that having register globals disabled on PHP 5 is a PHP bug is kind of missing the point.
Having spent a week “fixing” the code that depended on register globals, I was in discussions about keeping any new code from using it. The question of why PHP 5 was even needed kept coming up, which made me stop and think: was I imposing too much on the rest of the team? Nope. Security was of great importance, and the change could have prevented a major breach later.
Why upgrade? PDO, MySQLi, SPL; I really wanted to work with SPL at the time. I suppose I was kind of being a code Nazi in wanting to have the best tools available.
Register globals allows for such easy development, and that is exactly what is wrong with it. You should strive to code the right way, as much as possible. I only allow myself an “Eh. This code sucks and I hope no one sees it, but it works.” after months of trying to do it the “right way” and constantly failing to reach that level.
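As an added example (not code from this post or from the game it describes), here is the $action handler from the first exchange written both ways: once the way the old pages effectively worked under register globals, simulated with extract(), and once reading the named superglobal with an allow-list and every local initialised before use. It also shows the point raised in the comments, that a variable you consider “local” can arrive from the request. The function names, the $is_admin flag and the sample request are assumptions.

```php
<?php
// Added example, not the game's code. Names (legacy_handler, handler,
// $is_admin) and the sample request below are constructed for illustration.

// BEFORE: what the old pages effectively did with register_globals=On.
// extract() stands in for PHP turning every request parameter into a
// local variable, so nobody can tell where $action came from, and a
// parameter named is_admin silently sets a variable the code never
// meant to take from the request.
function legacy_handler(array $request): string
{
    extract($request, EXTR_OVERWRITE);   // simulates register_globals
    if (!isset($action)) {
        return 'no action';
    }
    if ($action === 'admin' && !empty($is_admin)) {
        return 'admin panel';            // any request carrying is_admin=1 gets here
    }
    return "page: $action";
}

// AFTER: read from the named superglobal only (passed in here so the
// function is testable; in a page it is handler($_GET, $_POST, $_SESSION)),
// allow-list the value, and initialise every local before it is used.
function handler(array $get, array $post, array $session): string
{
    $allowed = ['home', 'profile', 'admin'];
    $action  = $post['action'] ?? $get['action'] ?? 'home';
    if (!in_array($action, $allowed, true)) {
        return 'invalid action';
    }
    // Authorisation comes from the session, never from the request.
    $is_admin = (($session['role'] ?? '') === 'admin');
    if ($action === 'admin' && !$is_admin) {
        return 'forbidden';
    }
    return "page: $action";
}

// Constructed request: a guest asking for the admin page with an extra
// is_admin parameter tacked on.
$request = ['action' => 'admin', 'is_admin' => '1'];
echo 'legacy:   ', legacy_handler($request), PHP_EOL;
echo 'hardened: ', handler($request, [], []), PHP_EOL;
echo 'admin:    ', handler($request, [], ['role' => 'admin']), PHP_EOL;
```

The legacy version grants the admin page to the guest request because the stray parameter became $is_admin; the hardened version only consults the session for that decision.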
Well, it *is* about security, to some extent. When you just use the variable names, you never know where it comes from, which makes checking for security a big problem. If you know where the data comes from, you know how to treat it.
Of course, having register globals turned on in the first place is the biggest problem, because then even the variables that you deem “local” may actually have been injected into the application using GET. It should simply be turned off. And for that PHP6 will rule big time.
Well, I simply stated that using the superglobals improved security, but it still needed to be filtered and checked, which I left as implied. I’m not a l33t security master like Chris, so I just sort of half-ass explain security measures as I hear them.
To be honest, I was able to convince one such developer and I’m looking forward to doing the code review. Another game (by another developer), I’m not so sure. I’ll probably not bother doing a code review and just rewrite everything.
“PHP 6 will rule big time,” I agree, but also for other features. Have you seen the TextIterator? Damn sexy. I’m looking forward to that.