Last Updated: February 25, 2016
·
2.01K
· timfernihough

SOLVED: Form submission regression: Migration from PHP5.2 to PHP5.4

I recently migrated a site from a PHP 5.2.x instance to a new server running PHP 5.4.x. On first glance, the site worked perfectly. Walking through all the primary user flows; couldn't see any major errors; I felt great about how smoothly the migration went.

However, it became clear shortly after that it wasn't as smooth as I thought.

One of the primary user flows was a series of forms that collect and pass along non-secure data as hidden fields (I know, not a great implementation but its many years old now and everyone has a skeleton in the closet or two, haha). In the PHP submit action for these forms, I explicitly capture all the relevant indexes from the $_POST variable and write them to local variables.

For example:

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$phone_number = $_POST['phone_number'];

Of course, my natural tendency at the time was to name the local variable the same as the index in the $_POST global array rather than looping through and doing something more dynamic.

I hadn't yet become aware of register_globals, which is a PHP directive that creates local variable equivalents of all indexes in HTTP response headers.

In this particular circumstance, I had collected around 15 or 16 indices individually but little did I know that I had missed one. In PHP5.2, the default value for the register_globals is ON. As a result, I actually never even had to compose the collection of that data and place it into local variables; it was all happening by default. Because register_globals was on, it silently picked up the one I had missed. It more or less ensured that $missing_variable was created from $POST['missing_variable'].

When I moved the site to PHP 5.4.x, it became obvious that one of my variable values was missing and not getting passed along in the flow. After troubleshooting, I couldn't for the life of me determine how the site had ever worked before because it was obvious I never collected this particular variable.

Then I stumbled upon this when perusing the PHP5.3 and PHP5.4 release notes: http://ca2.php.net/manual/en/security.globals.php. The register_globals feature has been DEPRECATED as of PHP 5.3.0 and totally REMOVED as of PHP5.4.0. As a result, PHP was no longer creating the local variable for me that I had missed. It only created the ones I defined explicitly.

I finished the day having learned a lesson from the ignorance of my younger days. :)