  1. #1

    What to use in place of $GLOBALS?

    I read where $GLOBALS is not safe so I was wondering how can I make these two functions work without $GLOBALS?

    Code:
    // Closes the global DB handle (if any), appends the last MySQL error to the
    // message and terminates the script.
    function script_die($error = '')
    {
    	$sql_error = mysql_error();

    	if( $GLOBALS['db'] )
    	{
    		mysql_close($GLOBALS['db']);
    	}
    	if( !empty( $sql_error ) )
    	{
    		$error .= '<br><br>Error:<br>' . $sql_error;
    	}
    	die($error);
    }


    // Runs a query on the global DB handle; when DEBUG is on, a failed query
    // aborts the script with the query text.
    function query_db($sql)
    {
    	$result = mysql_query($sql, $GLOBALS['db']);

    	if( DEBUG )
    	{
    		if( !$result )
    		{
    			script_die("SQL Error!<br><br>Query:<br>$sql");
    		}
    	}
    	return $result;
    }
    If you could rewrite them so that they still work without globals that would be great. Thanks!

    EDIT

    Or do I just find the value of $GLOBALS['db'] and replace it with the variable located in the included file?
    Last edited by lexington; 03-08-2008 at 01:15 AM.

  2. #2
    $GLOBALS is really just an array of all variables used in the global namespace. Using $GLOBALS isn't inherently insecure. It's not the same thing as register_globals, which contains user input.

    Using $GLOBALS['db'] inside a function is the same thing as declaring "global $db" inside the function and then using the $db variable:
    PHP Code:
    function query_db($sql)
    {
        $result = mysql_query($sql, $GLOBALS['db']);

        // ... etc
    }

    Is the same thing as:
    PHP Code:
    function query_db($sql)
    {
        global $db;
        $result = mysql_query($sql, $db);

        // ... etc
    }

    It's just a way to pull a dependency inside the function without passing it in as a function argument. So while this isn't really a huge security issue like 'register_globals' is, it's still not good programming practice because it makes the code harder to follow by not explicitly declaring dependencies and makes it much harder to re-use.

    You SHOULD be passing in all dependencies with the function arguments like so:
    PHP Code:
    function query_db($sql, $db)
    {
        $result = mysql_query($sql, $db);

        // ... etc
    }

    What I mean by that is that if you were to copy and paste the function into another program, you wouldn't be able to just pass in the DB connection as an argument with the code you have shown. You would have to name it $db also, and you would also have to place it in the global namespace, because that is what this function expects. THAT is why using $GLOBALS is bad, and THAT is why it should never be done. It makes dependencies ambiguous, and that is always a huge hassle when you attempt to re-use the same functions later.
    Last edited by Czaries; 03-08-2008 at 04:28 PM. Reason: Clarification
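    As an added example (not code from either poster), here are the asker's two functions rewritten the way the answer recommends: the connection is a parameter, not a `$GLOBALS` lookup. It assumes PHP 8 with the mysqli extension, since the `mysql_*` functions used in the thread were removed in PHP 7; the `DEBUG` constant and the placeholder credentials are assumptions.

```php
<?php
// Added example: script_die() and query_db() with the DB handle passed in
// explicitly. mysqli_* is used in place of the thread's mysql_* (removed in PHP 7).
declare(strict_types=1);

const DEBUG = true;  // assumption: the same DEBUG switch the original code relies on

// Keep the "return false on failure" behaviour the original relied on;
// PHP 8.1+ would otherwise throw mysqli_sql_exception from mysqli_query().
mysqli_report(MYSQLI_REPORT_OFF);

function script_die(?mysqli $db, string $error = ''): void
{
    // Read the last error before closing, as the original did with mysql_error().
    $sql_error = $db !== null ? mysqli_error($db) : '';

    if ($db !== null) {
        mysqli_close($db);
    }
    if ($sql_error !== '') {
        // Escaped so server-side error text cannot inject markup into the response.
        $error .= '<br><br>Error:<br>' . htmlspecialchars($sql_error, ENT_QUOTES, 'UTF-8');
    }
    die($error);
}

function query_db(mysqli $db, string $sql): mysqli_result|bool
{
    $result = mysqli_query($db, $sql);

    // Same DEBUG gating as the original: abort with the query text only in debug mode.
    if (DEBUG && $result === false) {
        script_die($db, 'SQL Error!<br><br>Query:<br>' . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8'));
    }
    return $result;
}

// Usage: the connection is created once and handed to every function that needs it,
// so the functions can be reused without a global named $db.
// Placeholder credentials; replace with your own.
$db = mysqli_connect('localhost', 'user', 'password', 'example_db');
if ($db === false) {
    die('Could not connect: ' . mysqli_connect_error());
}
$rows = query_db($db, 'SELECT 1 AS one');
var_dump(mysqli_fetch_assoc($rows));
mysqli_close($db);
```

    With DEBUG off, query_db() returns false on failure and the caller is responsible for checking it.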
