5

I know that the use of $HTTP_GET_VARS is deprecated but what about using $GLOBALS['HTTP_GET_VARS']? Is that array key likely to disappear in the future?

I basically have the following all over a legacy project that I need to integrate with a CMS and I don't really want to have to update it unless strictly necessary.

function table_manager_import_vars($var) {
   $vars = explode(",", $var);

   foreach($vars AS $var) {
       switch ($var) {
           case "G":
               $var = "HTTP_GET_VARS";
               break;
           case "P":
               $var = "HTTP_POST_VARS";
               break;
           case "C":
               $var = "HTTP_COOKIE_VARS";
               break;
           case "S":
               $var = "HTTP_SESSION_VARS";
               //session_start();
               break;
           case "E":
               $var = "HTTP_SERVER_VARS";
               break;
       }
       if (isset($GLOBALS[$var])) {
           if (is_array($GLOBALS[$var])) {
               foreach($GLOBALS[$var] AS $var1 => $value) {
                   if ($var1 != $var) {
                       $GLOBALS[$var1] = $value;
                   }
               }
           }
       }
   }
}
// called like this
table_manager_import_vars("G,P,C,S,E");

And yes you guessed it there is a function like this for every aspect of the project just with a different name each time!!

Treffynnon
  • 21,365
  • 6
  • 65
  • 98

3 Answers3

12

Your question:

Is using $GLOBALS['HTTP_GET_VARS'] deprecated?

Answer:

Yes it is.

http://www.php.net/manual/en/reserved.variables.get.php

This page explicitly states that $HTTP_GET_VARS has been deprecated and you should use $_GET instead.

$HTTP_GET_VARS is the same thing as $GLOBALS['HTTP_GET_VARS']. And therefore it is also deprecated for the reason. (note that all variables defined at the global scope can be referenced using $GLOBALS['variablename'])

By the way: When it comes to working with legacy code that uses $HTTP_GET_VARS, I know you said you want to avoid changing the code if you can avoid it, but it's worth pointing out that code of this age is likely to have big issues when run in a modern PHP installation, as older versions of PHP would have assumed things like magic_quotes being in use. If you run the same code in a newer version of PHP you won't have magic_quotes, so you should make sure the data is escaped properly.

Looking at the whole code that you've got there, it looks like it's trying to copy all the variables in the various HTTP_***_VARS arrays into the globlal scope. This is functionality that was done automatically in really old versions of PHP, but was dropped because it causes massive security issues. I seriously recommend dropping that whole bit of code and converting everying to use $_GET instead. You might want to google for register_globals for more info on why this is a bad thing.

Spudley
  • 166,037
  • 39
  • 233
  • 307
  • 4
    You missed the point that the OP didn't know `$GLOBALS['HTTP_GET_VARS']` and `$HTTP_GET_VARS` are one and the same. – Lightness Races in Orbit May 18 '11 at 13:00
  • 1
    @Tomalak - heh; yea, I'll add that in. :-) – Spudley May 18 '11 at 13:03
  • I agree with all these points, but due to the proliferation of this code all through the legacy project and the old enemy of budgets it is unlikely to be changed. This code is hidden behind a couple of layers of auth on an extranet so it is unlikely to cause too many issues from a security point of view. – Treffynnon May 18 '11 at 13:43
  • @Treffynnon - Basically what you've got here is PHP4 code trying to emulate a PHP3 feature. Bringing this into a PHP5 system is going to give you some serious headaches - it's going to be a pain to get it working in the first place, maintenance is going to be an absolute bitch (trust me, I've been there when it comes to legacy PHP code!), and regardless of any other security layers, if this code is accessible on the internet, you will have security problems. – Spudley May 18 '11 at 14:02
7

$HTTP_GET_VARS and $GLOBALS['HTTP_GET_VARS'] are the same thing. $HTTP_GET_VARS is a superglobal, and superglobals can be (but don't have to be) accessed via $GLOBALS.

Also, that code is a huge security hole.

Ignacio Vazquez-Abrams
  • 776,304
  • 153
  • 1,341
  • 1,358
  • 1
    Actually `$HTTP_GET_VARS` is *not* a superglobal. `$_GET`, which replaces it, *is* a superglobal. – Spudley Sep 24 '11 at 16:54
4

They're the same.

$HTTP_GET_VARS is $GLOBALS['HTTP_GET_VARS'], and as such "both" are deprecated in favour of $_GET.

Lightness Races in Orbit
  • 378,754
  • 76
  • 643
  • 1,055