Why do many programmers abstain from using global variables?
I get the impression that it is a programming best practice to create variables in specific scopes (like a function scope) and avoid global scope to make things more modular and better organized. However, I'm not sure if there is also a security issue.
Here is an example of global variables in Bash that worked fine for me for more than a year:

    # Quoted delimiter: $war is written to the file literally, not expanded while writing it
    cat <<-'EOF' >> "$HOME"/.profile
    set -x
    complete -r
    export war="/var/www/html" # Web Application Root;
    export dmp="phpminiadmin" # Database Management Program;
    war() {
        cd "$war"/
    }
    # Export the function only after it has been defined
    export -f war
    EOF
    source "$HOME"/.profile 2>/dev/null

I have never had a problem with global variables in Bash or JavaScript, most likely because I only write small scripts for personal usage on minimalist environments.
Why do many programmers avoid using global variables?
Are there any examples of security breaches caused by using global variables?
javascript access-control bash environment-variables breach
asked 9 hours ago by JohnDoea, edited 7 hours ago by Conor Mancone
"Why many programmers abstain from using global variables?" - because it is much easier to understand and verify small code snippets which have no side effects. When using global variables you always have to be aware which part of the code might change it in what way and what the effect will be - which is really hard with a larger code base and more than trivial global variables without obvious behavior (i.e. some global debug variable might be fine). See also Global Variables Are Bad.
– Steffen Ullrich
8 hours ago
Also threading issues otherwise concurrency issues ensue
– goodguys_activate
7 hours ago
Global variables are more common than you think. Java static fields are effectively globals and widely used. They are fine for constants, or things just assigned during initialization. The problems come with mutable globals.
– paj28
6 hours ago
A more general idea of why developers hate global variables is because they can cause "action at a distance" en.wikipedia.org/wiki/…
– Steve Sether
45 mins ago
2 Answers
Boycott Globals!
I'm stealing from @Steffen Ullrich's comment, but the main issue with global variables is that they make it difficult to keep code well organized and maintainable. His link is a fine one, but you won't have any trouble finding countless articles about the problems with global variables online.
When you use global variables, it becomes easy to lose track of where in your program the variable gets modified, especially if you don't have a simple linear flow. As a result, global variables can work perfectly fine in small scripts, but can cause massive headaches as an application begins to scale. This might leave you with the impression that it is fine in very small applications, but since applications usually only grow over time, and things that start off temporary become permanent, it's really just a bad idea to use them at all. Why start on the wrong foot, when it is so easy to use properly scoped variables?
Security
Using global variables doesn't have any direct implications for security, but they do make it easier to end up with security issues:
If one loses track of where its data comes from and modifies a function in file A but forgets that the utilized variable comes from user input in file B, it might end up doing insecure things on user input without proper safeguards.
Technically this is possible in any application, but global variables can certainly make it easier.
Global Variables == Death
I don't know of any breaches that happened specifically because of global variables, but it's easy to argue that the use of global variables has literally killed people, so I think it's reasonable to just never use them.
answered 7 hours ago by Conor Mancone, edited 4 hours ago by JohnDoea
Hello from the OP; thank you - please review my edit; thanks,
– JohnDoea
5 hours ago
Also, I believe the security chapter I edited needs a more specific example.
– JohnDoea
5 hours ago
"If one loses track of where its data comes from and modifies a function in file A but forgets that the utilized variable comes from user input in file B, it might end up doing insecure things on user input without proper safeguards." Please share an example...
– JohnDoea
5 hours ago
Yet again, one more subtle edit suggested; I appreciate your time so far; please have a look at this one too.
– JohnDoea
4 hours ago
"the use of global variables has literally killed people, so I think it's reasonable to just never use them." By that logic, we should never use cars.
– Ray
12 mins ago
Please compare the following pieces of code:
1)
/file.php:

    $newconn = new PDO('mysql:host=localhost;charset=utf8mb4;','username','password');

2)
../secrets.php:

    $mysqlusername = 'username';
    $mysqlpassword = 'password';

/file.php:

    require_once('../secrets.php');
    $newconn = new PDO('mysql:host=localhost;charset=utf8mb4;',$mysqlusername,$mysqlpassword);

3)
../secrets.php:

    // Credentials are local to the function; $i selects which pair to use
    function pdoconn($i) {
        $mysqlusername = ['username1','username2'];
        $mysqlpassword = ['password1','password2'];
        $conn = new PDO('mysql:host=localhost;charset=utf8mb4;',$mysqlusername[$i],$mysqlpassword[$i]);
        return $conn;
    }

/file.php:

    require_once('../secrets.php');
    $newconn = pdoconn(0);

Example 1 is out of the question - incorrect configuration on production servers could end up showing sensitive parameters to unintended parties.
Example 2 is better, but those variables are available throughout the application, and modifiable, which could result in errors.
Example 3 keeps things very organised and transferable.
It can be modified to use globals if ../secrets.php instead was:
../secrets.php:

    $mysqlusername = 'username';
    $mysqlpassword = 'password';
    // Same helper, but reading the credentials from the global scope
    function pdoconn() {
        $conn = new PDO('mysql:host=localhost;charset=utf8mb4;',$GLOBALS['mysqlusername'],$GLOBALS['mysqlpassword']);
        return $conn;
    }

And I think that demonstrates why a global doesn't make sense most of the time in quite a succinct way.
Summary:
As for security breaches using global variables (and why I wrote these examples in PHP), there was quite a (at the time) controversial change in PHP 4.2.0 where register_globals was turned from on to off. I can't find any articles now, as this change was made in 2002, but I do seem to remember it being responsible for a few breaches at the time. Copying directly from the manual, there is a very clear example of vulnerable code:

    <?php
    // define $authorized = true only if user is authenticated
    if (authenticated_user()) {
        $authorized = true;
    }
    // Because we didn't first initialize $authorized as false, this might be
    // defined through register_globals, like from GET auth.php?authorized=1
    // So, anyone can be seen as authenticated!
    if ($authorized) {
        include "/highly/sensitive/data.php";
    }
    ?>
edited 2 hours ago by JohnDoea
answered 3 hours ago by LTPCGO
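The uninitialized-flag problem from the manual snippet quoted in the answer above, shown beside its fix, as an added example that is not the answerer's or the PHP manual's code. Because register_globals no longer exists in current PHP, `extract()` on a request array stands in for it here; the stubbed `authenticated_user()`, the two function names and the constructed `$request` array are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the manual's authenticated_user():
// in this example nobody has logged in.
function authenticated_user(): bool
{
    return false;
}

// Vulnerable shape: request parameters are imported as variables into the
// current scope (what register_globals did implicitly), and $authorized is
// never initialized before it is tested.
function is_authorized_vulnerable(array $request): bool
{
    extract($request);              // emulates register_globals = on
    if (authenticated_user()) {
        $authorized = true;
    }
    // $authorized now holds whatever the request supplied under that name.
    return !empty($authorized);
}

// Hardened shape: the flag starts as false, only server-side logic can set
// it, and request data is never turned into variables.
function is_authorized_hardened(array $request): bool
{
    $authorized = false;
    if (authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample input, equivalent to GET auth.php?authorized=1
$request = ['authorized' => '1'];

var_dump(is_authorized_vulnerable($request));
var_dump(is_authorized_hardened($request));
```

The same review point applies to any code that calls `extract()` or `parse_str()` without a result array on request data: every flag tested afterwards must have been explicitly initialized after the import, or the import removed.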
5
"Why many programmers abstain from using global variables?" - because it is much easier to understand and verify small code snippets which have no side effects. When using global variables you always have to be aware which part of the code might change it in what way and what the effect will be - which is really hard with a larger code base and more than trivial global variables without obvious behavior (i.e. some global debug variable might be fine). See also Global Variables Are Bad.
– Steffen Ullrich
8 hours ago
Also threading issues otherwise concurrency issues ensue
– goodguys_activate
7 hours ago
Global variables are more common than you think. Java static fields are effectively globals and widely used. They are fine for constants, or things just assigned during initialization. The problems come with mutable globals.
– paj28
6 hours ago
A more general idea of why developers hate global variables is because they can cause "action at a distance" en.wikipedia.org/wiki/…
– Steve Sether
45 mins ago