PHP Tricks
November 30, 2001
::: Turning off register_globals :::
As I have been learning the ins and outs of PHP, I have come across some cool tricks that you can do when you are running PHP on Apache (as most of you are, I bet). In a hosted environment, one does not usually have access to the php.ini file. Oftentimes the default settings are not appropriate for what you are doing, so you need a way to change those settings for your application. Here is where Apache steps in.
Using the .htaccess file, you can set values for the PHP engine to use at runtime. It is really quite simple to do. The following is the format:
    # in Apache files, pound-signs ("#") comment out a line...
    # to set a boolean value
    php_flag setting_name on|off
    # to set any other values
    php_value setting_name setting_value
The most common thing that I set is the register_globals flag. When register_globals is on, all variables from the query string (GET), all variables from forms (POST), and (I'm pretty sure) all variables from cookies are automatically available as local variables. That is, if you have a query string like "index.php?fuseaction=home.main&foo=bar&stan=cox", in the PHP page, you can access them as $fuseaction ("home.main"), $foo ("bar"), and $stan ("cox"), if register_globals is turned on. That may be just fine for your purposes, and it certainly can make your coding easier.
However, I think it is a little sketchy to allow users to directly affect variables in your script, so I ALWAYS turn it off. Like so:
    php_flag register_globals off
Author's note (Jan 17, 2002): It appears that several people agree with this idea. Here is a great article about PHP security concerns. Also, in the latest release of PHP (4.1.x), the authors of PHP are deprecating the use of register_globals, and in future releases it will be off by default.
That one, to me, is a best practice kind of thing, but the rest of my examples are purely honey.
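Why turning register_globals off matters, as an added example that is not from the original article: register_globals was removed in PHP 5.4, so the sketch emulates it with extract(). The function names, the credential and the query string are constructed for illustration.

```php
<?php
// Added illustration, not code from the article. register_globals no longer
// exists in PHP, so extract() stands in for what it did implicitly.
// check_password, page_legacy and page_explicit are hypothetical names.

function check_password(string $user, string $pass): bool
{
    // Constructed credential for the demo only.
    return $user === 'stan' && hash_equals('s3cret', $pass);
}

// Written in the register_globals style: request input lands in scope as
// plain variables, and $authorized is never initialised before it is tested.
function page_legacy(array $request): string
{
    extract($request);   // emulates register_globals = on
    if (isset($user, $pass) && check_password($user, $pass)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin page' : 'login form';
}

// The same page with register_globals off: input is read by name from the
// request array, and the flag starts from a known value.
function page_explicit(array $request): string
{
    $authorized = false;
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';
    if (is_string($user) && is_string($pass) && check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized ? 'admin page' : 'login form';
}

// Constructed query string: no credentials, only a name the script happens to use.
parse_str('fuseaction=home.main&authorized=1', $query);

printf("register_globals style: %s\n", page_legacy($query));
printf("explicit request reads: %s\n", page_explicit($query));
```

The legacy version trusts whatever value arrived under the name "authorized"; the explicit version never looks at it, so initialising variables and reading input by name is the habit to keep even where the setting is already off.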
::: Global include directory :::
In my previous article on Forcing Users Through index.php, I talk about the use of an auto_prepend_file. That sets a file to be run before anything else when a PHP request is run. Its counterpart is the auto_append_file, which gets run, of course, at the end of the request. Set these like so:
    php_value auto_prepend_file Application.php
    #php_value auto_append_file /path/to/file
One trick that I just recently figured out was that you can set a default include directory. This is much like the concept of a central Custom Tags directory for ColdFusion. When you set a centrally located include directory, when you include() a file in your script, PHP will look in the designated directory for the requested file. When you set this value, be sure to include the current directory in the list of include directories (i.e. "." means this directory, just like ".." means the parent directory):
    php_value include_path .:/home/site/includes
To break that down, the ":" is a delimiter, so "." says to look in the current directory first, and "/home/site/includes" says to look in that absolute directory next for the requested include. In a Windows environment, use a ";" as a delimiter, so you can use drive letters for absolute directories, like so:
    php_value include_path .;c:\home\site\includes
Putting the previous two tricks together solves the problem I brought up in the article on Forcing Users Through index.php. If you use this central include directory, you can put your Application.php file in there, and your auto_prepend_file will look for that file as if it were include()-ed before anything else was run. No need to name the auto_prepend_file absolutely; just place it in your global include directory!
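How the include_path lookup order plays out, as an added example that is not from the original article: it builds a throwaway site directory and a central include directory under the system temp dir (all names constructed) and reports which file each include resolves to.

```php
<?php
// Added illustration: include_path order decides which file include() loads.
// All directories and files are constructed in a temp dir for the demo.

$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incdemo_' . uniqid();
$app     = $base . DIRECTORY_SEPARATOR . 'app';        // stands in for the site root
$central = $base . DIRECTORY_SEPARATOR . 'includes';   // stands in for /home/site/includes
mkdir($app, 0700, true);
mkdir($central, 0700, true);

$files = [
    "$central/Application.php" => "<?php return 'central Application.php';",
    "$central/header.php"      => "<?php return 'central header.php';",
    "$app/header.php"          => "<?php return 'local header.php';",
];
foreach ($files as $path => $code) {
    file_put_contents($path, $code);
}

chdir($app);
// PATH_SEPARATOR is ":" on Unix and ";" on Windows, matching the two forms above.
set_include_path('.' . PATH_SEPARATOR . $central);

// Map each requested name to the file PHP would load, or '(not found)'.
function resolve_report(array $names): array
{
    $out = [];
    foreach ($names as $name) {
        $hit = stream_resolve_include_path($name);
        $out[$name] = $hit === false ? '(not found)' : $hit;
    }
    return $out;
}

foreach (resolve_report(['Application.php', 'header.php', 'missing.php']) as $name => $hit) {
    printf("%-16s -> %s\n", $name, $hit);
}

// "." is listed first, so the local header.php shadows the central copy.
$loaded = include 'header.php';
echo "include 'header.php' loaded: $loaded\n";

// Clean up the constructed files (leave the directory before removing it).
chdir(sys_get_temp_dir());
array_map('unlink', array_keys($files));
rmdir($app);
rmdir($central);
rmdir($base);
```

Application.php resolves to the central directory because no local copy exists, while header.php resolves to the local one: with "." first, any same-named file in the current directory takes precedence over the shared include, so keep the central directory outside the web root and writable only by whoever maintains it.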
::: Magic session maintenance! :::
One more cool trick that (as far as I know) is enabled by default is related to sessions. Sessions are most commonly maintained by setting a cookie in the user's browser with some sort of session ID, or by passing that same session ID as a query string or form variable from page to page. Because there is the possibility of people turning off cookies in their browser, sites concerned that they may lose those users' sessions often rely on passing the session ID via form and query string variables. This can get somewhat tedious, making sure to append the session identifier for every link and form on your site. PHP has a smarter solution.
When the PHP setting for session.use_trans_sid is turned on, PHP will automagically append the session ID to all links and forms when cookies are disabled. And only when cookies are disabled! How cool is that? You just set your session variables and never have to worry about whether the session will be sustained because PHP takes care of that for you!
There are other great things you can do with the session, like creating your own session-handling engine, changing the location of the session files, etc. In fact, there is a lot of stuff you can configure yourself using PHP. See more at http://www.php.net/manual/en/configuration.php.