

[solved] -Register_Globals


5 replies to this topic

#1 Av-


Posted 02 January 2006 - 07:28 AM

rc69, on Jan 1 2006, 06:55 AM, said:

Also, either I'm missing something, or you have register_globals on your server turned on, which is a bad thing.

I never really figured out why that is a bad thing, they had it turned on by default in previous PHP versions. I have it on, on my server, and I like it that way.

So yeah, I'm not hijacking this topic or w/e, just asking a short question :)

#2 venomsnake


Posted 02 January 2006 - 01:35 PM

I would like to know that too.

And does anyone know how to fix my new problem?

#3 rc69


Posted 02 January 2006 - 04:12 PM

Avalanche, a quick search of php.net would've returned this: http://php.net/register_globals

#4 softLearner


Posted 06 January 2006 - 03:09 PM

Having register_globals on can lead to security issues, as you cannot know where the variables are coming from. Take the following for example:

You have a login system protecting a page and a form for the user to fill in to access that page:
<?php

// With register_globals on, $user and $pass are created from any request source
if(isset($user) && isset($pass))
{
	//do login process here, for now we'll echo out what the user submits
	echo $user . ' - ' . $pass;
}

?>
<form action="<?php echo $PHP_SELF; ?>" method="post">
Username: <input type="text" name="user"><br>
Password: <input type="text" name="pass"><br>
<input type="submit" value="Login">
</form>

I have a form that submits to itself, and the script then checks that the username and password submitted are set, but I would not need to fill in that form in order to get logged in! I would just need to type login details via the URL as parameters, like so:
http://mysite.com/specialpage.php?user=som...ss=somePassword
That will bypass the form, and PHP will have set up the variables $user and $pass, the same as when submitting the form!

Just think how insecure this is, and your site can be attacked in lots of different ways! You cannot predict where your variables are coming from. So now you may be asking: how does register_globals turned off stop this?

Well, you use a special set of variables, called superglobals. These are $_GET, $_POST, $_REQUEST, $_SERVER, $_SESSION, $_COOKIE and a few others. Now you can tell where your variables are coming from, or being set from.

So if our above code is now changed to the following:
<?php

if(isset($_POST['user']) && isset($_POST['pass']))
{
	//do login process here
	echo $_POST['user'] . ' - ' . $_POST['pass'];
}

?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<input type="text" name="user"><br>
<input type="text" name="pass"><br>
<input type="submit" value="Login">
</form>

Your form should work only when you submit your data using the form! Now if you tried the old trick of passing the variables over the URL again, like so:
http://mysite.com/specialpage.php?user=som...ss=somePassword
Then nothing should get shown, apart from the form. It will only show what you have submitted if you change $_POST to $_GET.

As you can see, our code is more secure from hackers, and we can now validate our user's input, as we now know where our variables are coming from.

Also, I would recommend that you code with register_globals off, as php6 will not have register_globals available; it will be off permanently and you cannot change this, along with other php settings/functions too.

Hope that helps.

#5 eldiablo

    Young Padawan

  • Members
  • Pip
  • 4 posts

Posted 06 January 2006 - 03:36 PM

Say we also have the scenario of:

<?php

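// $loggedIn is never set by the script itself; with register_globals on
// it can come straight from the request
if($loggedIn == 1)
{
	// some code that makes some user-only features appear
}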

?>

You could then access the restricted section by using the url:
file.php?loggedIn=1

Of course without register globals:

<?php

if(isset($_SESSION['loggedIn']))
{
$loggedIn = 1;
}

?>

Having register globals turned off protects your code. I wasn't aware that this was still an issue. I think it came about to me about 3 years ago when it broke my website. lol. Since then, I was sure every php release came with a php.ini that disabled them by default.

Edited by eldiablo, 06 January 2006 - 03:38 PM.
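
Added example, not part of any post in this thread: the login-form and $loggedIn scenarios described above, in one runnable script. register_globals was removed in PHP 5.4, so emulate_register_globals() is a hypothetical stand-in that imitates it with extract(); all function names and the sample request are constructed for illustration.

```php
<?php
// Added illustration; every function name and the sample request are constructed.

// Hypothetical stand-in for register_globals: merge request sources in the
// default G-P-C order (later sources overwrite earlier ones). Simplified:
// environment, server and session variables are left out.
function emulate_register_globals(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// Pattern from the thread: the script never initialises $loggedIn itself,
// so whatever the request supplies becomes the value that is checked.
function vulnerable_check(array $get, array $post, array $cookie): bool
{
    extract(emulate_register_globals($get, $post, $cookie));
    return isset($loggedIn) && $loggedIn == 1;
}

// Hardened: the flag is read only from server-side session data.
function hardened_check(array $session): bool
{
    return isset($session['loggedIn']) && $session['loggedIn'] === true;
}

// Hardened: credentials are accepted only from the POST body, as strings.
function posted_credentials(array $post): ?array
{
    foreach (['user', 'pass'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
    }
    return ['user' => $post['user'], 'pass' => $post['pass']];
}

// Constructed request: parameters arrive in the query string only,
// with no POST body, no cookies and no established session.
$get = ['loggedIn' => '1', 'user' => 'someUser', 'pass' => 'somePassword'];
$post = [];
$cookie = [];
$session = [];

echo 'register_globals-style check passes: ';
var_dump(vulnerable_check($get, $post, $cookie));
echo 'session-based check passes: ';
var_dump(hardened_check($session));
echo 'credentials taken from POST: ';
var_dump(posted_credentials($post));
```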


#6 rc69


Posted 06 January 2006 - 06:36 PM

Original question has been answered; we are re-solving this thread. If you have any further questions, please start a new topic.




