https://github.com/phpgt/protectedglobal
Protection against accidental use of superglobals.
- Host: GitHub
- URL: https://github.com/phpgt/protectedglobal
- Owner: phpgt
- License: mit
- Created: 2018-01-06T12:38:33.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2025-03-09T13:53:42.000Z (3 months ago)
- Last Synced: 2025-04-19T23:45:09.659Z (about 2 months ago)
- Topics: global-variables, object-oriented, php-oop, php-security, phpgt, security
- Language: PHP
- Homepage: https://www.php.gt/protectedglobal
- Size: 145 KB
- Stars: 0
- Watchers: 2
- Forks: 3
- Open Issues: 5
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
# Protect against accidental use of superglobals.
By default, PHP passes all sensitive user information around in superglobal variables, available for reading and modification in any code, including third-party libraries. This directly undermines many of the benefits of Object Oriented Programming, and can lead to unmaintainable code.
Assuming object-oriented abstractions to the superglobals are already set up, this library can be used to replace all superglobals with objects that alert the developer to their protection and encapsulation, with an optional whitelist of superglobals to keep.
***
There are two functions on the static `Protection` class:
1. `removeGlobals` - pass in an array containing the global arrays you wish to empty. Takes an optional whitelist of keys to keep.
2. `overrideInternals` - pass in all superglobal arrays to override with the `ProtectedGlobal` class.

## Example usage:
```php
// Before protecting, abstract the globals using an OOP mechanism of choice.
$input = new Input($_GET, $_POST, $_FILES);
// etc...

// Empty the superglobals, keeping only the whitelisted "xdebug" key of $_GET.
Protection::removeGlobals([$_ENV, $_SERVER, $_GET, $_POST, $_FILES, $_COOKIE, $_SESSION], ["get" => ["xdebug"]]);
// Replace each superglobal with a ProtectedGlobal object.
Protection::overrideInternals($GLOBALS, $_ENV, $_SERVER, $_GET, $_POST, $_FILES, $_COOKIE, $_SESSION);

// Now an exception will be thrown when trying to access a global variable:
$_SESSION["god-object"] = "Value I want to pass around globally";
```
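The following is an added illustration of the general technique the README describes, not code from phpgt/protectedglobal: a superglobal is replaced with an `ArrayAccess` object that throws on any read or write except for whitelisted keys. The names `GuardedGlobal` and `guardSuperglobal()` and the sample `$_GET` contents are assumptions made for this example.

```php
<?php
// Added illustration. GuardedGlobal and guardSuperglobal() are hypothetical
// names, not classes or functions from phpgt/protectedglobal.
final class GuardedGlobal implements ArrayAccess {
    public function __construct(
        private string $name,      // e.g. "_GET", used in the error message
        private array $kept = []   // whitelisted key => value pairs
    ) {}

    public function offsetExists(mixed $offset): bool {
        return array_key_exists($offset, $this->kept);
    }

    public function offsetGet(mixed $offset): mixed {
        if (array_key_exists($offset, $this->kept)) {
            return $this->kept[$offset];
        }
        throw $this->blocked("read", $offset);
    }

    public function offsetSet(mixed $offset, mixed $value): void {
        throw $this->blocked("write", $offset);
    }
    public function offsetUnset(mixed $offset): void {
        throw $this->blocked("unset", $offset);
    }

    private function blocked(string $action, mixed $offset): RuntimeException {
        return new RuntimeException(sprintf(
            'Blocked %s of $%s[%s]: use the encapsulated object instead',
            $action, $this->name, var_export($offset, true)
        ));
    }
}

function guardSuperglobal(string $name, array $original, array $keepKeys = []): GuardedGlobal {
    return new GuardedGlobal($name, array_intersect_key($original, array_flip($keepKeys)));
}

// Constructed sample data standing in for a real query string.
$_GET = ["xdebug" => "1", "user" => "alice"];
$query = $_GET;   // copy for the OOP abstraction, taken before guarding
$_GET = guardSuperglobal("_GET", $_GET, ["xdebug"]);
echo $_GET["xdebug"], PHP_EOL;        // whitelisted key is still readable
try {
    $user = $_GET["user"];            // any other key throws
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The copy must be taken before the superglobal is replaced; afterwards, code that bypasses the abstraction fails loudly instead of silently reading or mutating request data.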