Difference in how 500 and 501 handle $_POST variables

(Daniel) #1

Please forgive me if this is basic knowledge, but I am wondering if there is a difference in how 500 and 501 handle POST variables. In 500, the code seemed to allow the calling of $_POST variables by their name: i.e. $_POST['variable'] and $variable would hold the same value. In 501 I see that $_POST['variable'] and $variable are different because $variable is equal to NULL.

There is some custom code that took advantage of this ability in 500 but this is causing issues in 501. Is there a setting in globals.php that I am overlooking? I’m assuming that this isn’t a PHP version thing but it could be a setting somewhere that I am unaware of.

Thanks for any input!!

(Stephen Nielson) #2

@growlingflea do you know what version of PHP you were running 5.0.0 on? Was it by chance <= 5.3.0? Was your custom code assuming that register_globals was turned on? With the code all being on PHP version >= 7.1 register_globals is not available and so all the super globals are not populated.

You can read up on it here: https://www.php.net/manual/en/security.globals.php

What you talk about in your post sounds a lot like register globals to me.

(Brady Miller) #3

hi @adunsulag and @growlingflea ,

@adunsulag is on the right track. Prior versions of OpenEMR had a workaround to basically allow register globals. Over several years, we eliminated this functionality from scripts one script at a time. We finally reached a point during development of 5.0.1 where we completely removed that workaround (which was a big security vulnerability):
Removed mimicking of register_globals (#743) · openemr/openemr@d4a808d · GitHub
(search for extract in that commit and you will see what the prior work around was doing, which no longer remains in the codebase)

(Brady Miller) #4

Just to get an idea of what kind of security vulnerability allowing register globals is. Imagine being able to modify any variable you want in the script by simply passing your bad actor variable to the script as a GET/POST parameter…
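
As an added illustration of the points in posts #2 to #4 (example code, not OpenEMR's own code or the contents of the linked commit): a handler that mimics register_globals with extract(), as the post says the old workaround did, beside one that reads each request value by name. The handler names, the $isAdmin / $patientId variables and the sample request array are hypothetical and constructed for the demo.

```php
<?php
// Added example, not OpenEMR code. Shows why dumping request parameters into
// the local scope (register_globals, or an extract()-based imitation of it)
// lets the client overwrite variables the script never meant it to control.
declare(strict_types=1);

function vulnerableHandler(array $request): string
{
    // Decisions that are supposed to be made server-side only.
    $isAdmin = false;
    $patientId = 0;

    // register_globals-style workaround: every request key becomes a local
    // variable so legacy code can write $patientId instead of
    // $request['patientId']. The default EXTR_OVERWRITE flag means a request
    // key with the same name as an existing local simply replaces it.
    extract($request);

    // $isAdmin is now whatever the client sent ('1' is truthy), not false.
    if ($isAdmin) {
        return "admin view for patient {$patientId}";
    }
    return "restricted view for patient {$patientId}";
}

function hardenedHandler(array $request, bool $isAdmin): string
{
    // Each client value is fetched by name and validated; a request key can
    // never reach any other variable in this scope. $isAdmin is passed in
    // from the server's own session/ACL check and is not derived from input.
    $patientId = filter_var(
        $request['patientId'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($patientId === false) {
        return 'invalid patientId';
    }

    if ($isAdmin) {
        return "admin view for patient {$patientId}";
    }
    return "restricted view for patient {$patientId}";
}

// Constructed sample request: a normal patientId plus an extra isAdmin=1
// parameter that the form never sends. In a real script this would be $_POST.
$maliciousPost = ['patientId' => '42', 'isAdmin' => '1'];

echo vulnerableHandler($maliciousPost), PHP_EOL;
echo hardenedHandler($maliciousPost, false), PHP_EOL;
```

Run with `php example.php`: the extract()-based handler grants the admin view because the request overwrote $isAdmin, while the explicit handler returns the restricted view regardless of what extra parameters are posted. Passing EXTR_SKIP to extract() would protect variables that are already initialised, but not any that the script reads before assigning, so the only reliable fix is the one the later OpenEMR releases made: read request values explicitly from $_POST / $_GET and validate them.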

(Daniel) #5

Ah, makes sense. In my custom code I’ve always called variables using the $_POST but I did see littered throughout the code developers who didn’t. I can imagine that some of the bugs I’ve come across are due to this. Thanks for the input. I hope others can gain insight from this thread.