Getting Ready for VB3 - A Coding Tutorial
by
27 Jun 2003
My husband is a Visual Basic programmer (ick) and he's always after me to teach him web development. So, when I started working on a redesign of a modification for vBulletin 3, I told him that he could help me code it. To get him started, I installed a local version of PHP on his computer and sent him to http://hotwired.lycos.com/webmonkey/01/48/index2a.html?tw=programming to take a tutorial. Shortly after he got started, he yelled for help. He was working on reading data from a form and printing it out to the screen, and the data refused to print. I read the code several times, and everything seemed correct. After a couple of minutes of tinkering, I saw that data defined within his PHP script would print, but not the data being passed in from the form. Suddenly, in the deep recesses of my mind, a tiny lightbulb went on, and I went to https://www.google.com/ to research Register Globals. As of PHP 4.2.0, Register Globals defaults to OFF; in earlier versions it defaulted to ON. Therefore, things that we always assumed were just how PHP worked (such as form fields turning into variables automatically) work a bit differently now. The official PHP documentation says:
What I really should have done was teach him how to code properly with Register Globals off, and that is the point of this tutorial. vBulletin 3 is coded to work with Register Globals off, and any modifications we write should be as well. So, it's time for us to break some bad habits and learn how to write elegant, more secure code. One of the blessings, and curses, of PHP is that it's easy and it forgives mistakes. Unlike many other languages, PHP does not require us to declare or initialize variables before using them. This makes it cake to throw together a script or vBulletin modification in a matter of minutes. Unfortunately, the ability to code quickly and easily makes it just as easy to code sloppily. Just about all of us have been guilty of sloppy coding at one time or another. It's too easy to just throw together something that works and forget about form and style. Sloppy coding can create security holes, though. Take this example: PHP Code:
if ($userid == 1) { // $userid was never initialized anywhere in the script; admin-only actions follow
}
Nothing in the script ever assigns $userid. With Register Globals on, a visitor could add ?userid=1 to the URL (or send it in a form field or cookie), and whether they were an admin or not, they could possibly do some pretty naughty things. By initializing $userid ourselves, and by validating incoming data, we could prevent havoc and mayhem. PHP Code:
// initialize $userid so that it contains a value from a cookie and only from a cookie; 0 when no valid cookie was sent
$userid = isset($_COOKIE['userid']) ? (int) $_COOKIE['userid'] : 0;
With Register Globals set to OFF, form data is retrieved by using the following syntax: $variable1 = $_POST['variable1']; or $variable1 = $_GET['variable1']; Whether you use $_POST or $_GET depends on the method attribute of the form (method="post" or method="get"). Even if security isn't an issue, having Register Globals set to off can help stop bugs from creeping in. In vBulletin 2.x, it was possible to break the functionality of the board by using the wrong variable name in the phpinclude template. With Register Globals set to off, such problems might be prevented because variables will have to be intentionally passed into a script and won't just drift in on their own. Having Register Globals set to off won't cure the world's ills, and it will take some time to learn. But, if you are going to release code modifications for vBulletin 3, you should master the concept and use it. More info: http://www.onlamp.com/pub/a/php/2003/03/20/php_security.html
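The following is an added example written for this page; it is not code from the original tutorial or from vBulletin. It puts the two halves of the argument side by side: a function that reproduces the Register Globals ON behaviour with extract(), so you can see the uninitialized $userid check fail the way described above, and a small form handler written for Register Globals OFF that initializes every variable, reads each field only from the superglobal it is expected in ($_POST for a method="post" form, $_COOKIE for the user id), validates it, and escapes it on output. The form fields (name, age), the cookie name and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from the original tutorial or from vBulletin.
// Field names, cookie name and function names are assumptions for illustration.

// Why the tutorial's "if ($userid == 1)" check was dangerous.
// extract() copies every key of an array into local variables, which is what
// register_globals = On did with the query string, form fields and cookies.
// It is used here only to reproduce that behaviour; never do this in real code.
function unsafe_check_like_register_globals_on()
{
    $query = array('userid' => '1');   // constructed: a visitor simply adds ?userid=1 to the URL
    extract($query);                   // $userid now exists although the script never assigned it
    if ($userid == 1) {
        return 'treated as admin';     // reachable by anyone who sends userid=1
    }
    return 'treated as normal user';
}

// The safe version: $userid always starts with a known value and is only
// replaced by a validated value from the cookie it is supposed to come from.
function current_user_id($cookie)
{
    $userid = 0;                       // initialized: no valid cookie means "guest"
    if (isset($cookie['userid']) && ctype_digit($cookie['userid'])) {
        $userid = (int) $cookie['userid'];
    }
    return $userid;
}

// Read the form fields from the array that $_POST is passed in as (the form
// below uses method="post") and validate them. Returns an array of error
// strings, empty when the input is acceptable.
function validate_form($post)
{
    $errors = array();
    $name = isset($post['name']) ? trim($post['name']) : '';
    $age  = isset($post['age'])  ? $post['age']        : '';
    if ($name === '' || strlen($name) > 50) {
        $errors[] = 'name is required and must be at most 50 characters';
    }
    if (!ctype_digit($age) || (int) $age < 1 || (int) $age > 150) {
        $errors[] = 'age must be a whole number between 1 and 150';
    }
    return $errors;
}

// Build the response. Output is escaped so a name such as <script> stays text.
function greeting($post)
{
    $errors = validate_form($post);
    if (count($errors) > 0) {
        return 'Errors: ' . implode('; ', $errors);
    }
    return 'Hello, ' . htmlspecialchars(trim($post['name']), ENT_QUOTES, 'UTF-8')
         . ', you are ' . (int) $post['age'] . ' years old.';
}

if (php_sapi_name() === 'cli') {
    // Offline demonstration with constructed input (no web server needed).
    echo unsafe_check_like_register_globals_on(), "\n";
    echo current_user_id(array('userid' => '42')), "\n";
    echo current_user_id(array('userid' => '1 OR 1=1')), "\n";
    echo greeting(array('name' => '<b>Mary</b>', 'age' => '34')), "\n";
    echo greeting(array('name' => '', 'age' => 'abc')), "\n";
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Normal web request: the form was submitted, so read it from $_POST only.
    echo greeting($_POST);
} else {
    // First visit: show the form. With register_globals off, nothing in the
    // query string leaks into $name or $age; they come from $_POST or nowhere.
    echo '<form method="post" action="">'
       . 'Name: <input type="text" name="name"> '
       . 'Age: <input type="text" name="age"> '
       . '<input type="submit" value="Send"></form>';
}
```

Run it from the command line (php example.php) to see the constructed cases, or drop it under a web server and submit the form. The functions take the request arrays as parameters rather than reading $_POST and $_COOKIE directly so the same code can be exercised offline; in the web branch they are simply handed the real superglobals.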