  1. #1
    Join Date
    Aug 2007
    Location
    Gijón, Asturias, Spain
    Posts
    2,589
    Plugin Contributions
    30

    Naming a global variable the same as a SESSION, GET or POST variable

    Hi,
    to cut a load of headache short, I believe it is not allowed to use a global variable name that is the same as a SESSION, GET or POST variable.
    This is what I find experimentally and also (much later...) in the code...as far as I can see without really understanding it 100%:

    init_sanitize.php
    unset($GLOBALS[$key])
    Can someone confirm this is so and also why that is, for the non-experts.

    This has cropped up due to me using a code snippet from "elsewhere" that I would consider an expert source, hence my interest in knowing the reasons behind this.

    Or, do I just have to put this new variable name somewhere in ZC (extra_somethings.php) to allow it?

    thanks
    Steve
    Steve
    github.com/torvista: Spanish Language Pack, Google reCaptcha, Structured Data, Multiple Copy-Move-Delete, Image Checker, BackupMySQL Admin/Auto...

  2. #2
    Join Date
    Jul 2012
    Posts
    16,733
    Plugin Contributions
    17

    Re: Naming a global variable the same as a SESSION, GET or POST variable

    Quote Originally Posted by torvista
    Hi,
    to cut a load of headache short, I believe it is not allowed to use a global variable name that is the same as a SESSION, GET or POST variable.
    This is what I find experimentally and also (much later...) in the code...as far as I can see without really understanding it 100%:

    init_sanitize.php


    Can someone confirm this is so and also why that is, for the non-experts.

    This has cropped up due to me using a code snippet from "elsewhere" that I would consider an expert source, hence my interest in knowing the reasons behind this.

    Or, do I just have to put this new variable name somewhere in ZC (extra_somethings.php) to allow it?

    thanks
    Steve
    Here is what I surmise is the situation and potential reasoning... BTW, it extends a little beyond just SESSION, GET, and POST, but also COOKIE.

    The function is about sanitization, keeping things clean... In the process of transferring data around the cart operations, it is ideal to
    1) minimize the amount of transferred data while also ensuring information is always up-to-date... If a variable is passed/stored using one of the above methods, then the intention is to work with it and then to potentially update anything that needs it. If a variable is passed/stored with/by any of the above four methods, then by keeping the global value set as it was, there would be two values for that variable (potentially the same or different) and at the new location that value could be incorrectly accessed.
    2) maintain independent variables throughout the system. This is where the use of multiple plugins can cause a clash if they each use the same variable name when passing from one location to the next, as such could cause a loss of the expected global variable setting moving through the system/code.

    Dunno, kinda' going off the cuff with my available time, but yes it looks init_sanitize does remove the GLOBAL version of a variable that is used in a SESSION, GET, POST or COOKIE when moving from page to page.

    Ideally, if that value is passed to the next page, then it is used/set in the receiving page to be the value needed, but this also could result in unsetting global variables by passing the equivalent variable as part of the above.

    I've been trying to find where there might be an automatic "reassignment" of such variables, but haven't had much luck, like if a value was passed in a GET (anyone can append the key to the uri), what is the effect of not receiving/having the GLOBAL value set when the page is processed? Seems like it could wreak havoc, but something about it also seems like it may be addressed and part of why so much has gone into the security of the software...

    Dunno if much help, but yes confirm that init_sanitize.php will unset the global version of the variable that is passed by any of the above four methods... If it is desired/necessary to not affect the GLOBAL version of the variable, then one would need to bypass the unset for each of the desired cases with something like:
    Code:
    if ($key != 'LeaveMeAlone') {
        unset($GLOBALS[$key]);
    }
    Where LeaveMeAlone is the key value to bypass... If this is to be one of many such as an array, then different functionality could be applied. It may be possible to apply such a bypass and check against a different variable that might be set in say an autoloaded function, depending on the load sequence, which I haven't looked into yet as an option. I am thinking though that this is all done for security's sake and to minimize other issues that could crop up by having both a GLOBAL and "local" variable each with the same name set at the same time...
    Last edited by mc12345678; 5 Dec 2015 at 03:20 PM.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
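    An added example, not Zen Cart's own init_sanitize.php, modelling the unset described above together with the LeaveMeAlone-style bypass; sanitize_globals, the variable names and the request data are constructed for the demo.

```php
<?php
/**
 * Added example (not Zen Cart code): unset every $GLOBALS entry whose key also
 * appears in the GET/POST/COOKIE/SESSION data, except keys listed in $keep.
 * Returns the keys that were removed so the effect can be inspected.
 *
 * @param string[]   $keep    keys to leave alone (the "LeaveMeAlone" bypass)
 * @param array|null $sources request/session arrays; defaults to the superglobals
 */
function sanitize_globals(array $keep = [], ?array $sources = null): array
{
    if ($sources === null) {
        $sources = [$_GET, $_POST, $_COOKIE, isset($_SESSION) ? $_SESSION : []];
    }
    // Superglobals must never be unset, whatever a request contains.
    $protected = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_SESSION',
                  '_SERVER', '_FILES', '_REQUEST', '_ENV'];
    $removed = [];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            if (in_array($key, $protected, true) || in_array($key, $keep, true)) {
                continue;
            }
            if (array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);   // the global with the same name is gone
                $removed[] = $key;
            }
        }
    }
    return $removed;
}

// --- constructed demo -------------------------------------------------------
// A plugin sets a global, and the request happens to carry a parameter with the
// same name; a second global shares its name with a parameter anyone can append.
$plugin_setting = 'configured value';
$is_admin_page  = false;
$constructed_get     = ['plugin_setting' => 'x', 'is_admin_page' => '1'];
$constructed_session = ['customer_id' => 42];

$removed = sanitize_globals(['plugin_setting'], [$constructed_get, [], [], $constructed_session]);

var_dump($removed);                 // ["is_admin_page"]
var_dump(isset($plugin_setting));   // true:  bypassed, the plugin's global survives
var_dump(isset($is_admin_page));    // false: the request-named global was unset
```

    Without the bypass the plugin's global would be unset too, which is the "self-destruct" described in the thread; with it, a request key can no longer shadow that variable by name.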

  3. #3
    Join Date
    Aug 2007
    Location
    Gijón, Asturias, Spain
    Posts
    2,589
    Plugin Contributions
    30

    Re: Naming a global variable the same as a SESSION, GET or POST variable

    Seems like it could wreak havoc
    Yup. Easy self-destruct in one step.

    Maybe related to stopping people writing code based on register_globals being on...?

    I've already spent an embarrassing amount of time to find this out so no more suppositions...over to the experts!!
    Steve
    github.com/torvista: Spanish Language Pack, Google reCaptcha, Structured Data, Multiple Copy-Move-Delete, Image Checker, BackupMySQL Admin/Auto...

  4. #4
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Re: Naming a global variable the same as a SESSION, GET or POST variable

    Hi

    As suggested by other posters here, the code in init_sanitize that will unset certain $GLOBAL values was done for security reasons, and was meant to 'imitate' setting register_globals=off.

    However register_globals was deprecated in php 5.3 and removed in php 5.4, so the benefit of the code in init_sanitize is moot.

    If you are using php 5.4 and therefore sure that register_globals is no longer used, then you can safely remove the code.
    In the short term and to make upgrading easier, you could use the overrides directory under the init_includes directory.

    We will address this in v155.

  5. #5
    Join Date
    Aug 2007
    Location
    Gijón, Asturias, Spain
    Posts
    2,589
    Plugin Contributions
    30

    Re: Naming a global variable the same as a SESSION, GET or POST variable

    you can safely remove the code.
    So to be completely clear, all eight instances of

    PHP Code:
    unset($GLOBALS[$key]);
    in

    init_sanitize.php

    can be commented out for the moment?
    Steve
    github.com/torvista: Spanish Language Pack, Google reCaptcha, Structured Data, Multiple Copy-Move-Delete, Image Checker, BackupMySQL Admin/Auto...

  6. #6
    Join Date
    Jul 2012
    Posts
    16,733
    Plugin Contributions
    17

    Re: Naming a global variable the same as a SESSION, GET or POST variable

    Quote Originally Posted by wilt
    Hi

    As suggested by other posters here, the code in init_sanitize that will unset certain $GLOBAL values was done for security reasons, and was meant to 'imitate' setting register_globals=off.

    However register_globals was deprecated in php 5.3 and removed in php 5.4, so the benefit of the code in init_sanitize is moot.

    If you are using php 5.4 and therefore sure that register_globals is no longer used, then you can safely remove the code.
    In the short term and to make upgrading easier, you could use the overrides directory under the init_includes directory.

    We will address this in v155.
    Quote Originally Posted by torvista
    So to be completely clear, all eight instances of

    PHP Code:
    unset($GLOBALS[$key]);
    in

    init_sanitize.php

    can be commented out for the moment?
    That's a method to accomplish what was said. The initial solution being to copy includes/init_includes/init_sanitize.php to includes/init_includes/overrides and then modify the file in that directory to eliminate the removal of the global variables when the equivalently named other type variable is passed...

    It could maybe be misinterpreted to mean completely remove all content of init_sanitize.php, but I wouldn't go so far as that considering we were primarily focused on the unsetting of the global variables. But if the other actions imitate register_globals=off functionality then yeah, that/those sections also.

    Just make sure your upgrade process includes review of the overrides folder at some point.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
