Register_global

S_henry
Forum Contributor
Posts: 148
Joined: Sun Jan 25, 2004 10:25 pm
Location: M'sia

Register_global

Post by S_henry »

Can anybody explain to me what the advantage/disadvantage of turning register_global on/off is? Thanks for any response.
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

read this

http://www.sitepoint.com/article/write- ... ts-php-4-2

Why you should have register_globals off

Mark
S_henry
Forum Contributor
Posts: 148
Joined: Sun Jan 25, 2004 10:25 pm
Location: M'sia

Post by S_henry »

OK. I'll find it out. Actually, I just want to know more about system security. Thanks for the reply.
dsdsdsdsd
Forum Commoner
Posts: 60
Joined: Fri Dec 05, 2003 3:10 pm

Post by dsdsdsdsd »

bech100;

I read the link that you sent;

in his first example he:
1) uses the variable $authorized
2) assigns it true or !true;

point about:
1) no one would know that he is using "a u t h o r i z e d" as his variable; before someone could trick his script they would need to know that the toggle wrapper is "a u t h o r i z e d";
2) couldn't he have been more evasive with the flag value if he had used "higjyyjwcjkwjywc" instead of true;

BIG QUESTION could anyone find out that he used "a u t h o r i z e d" for the wrapper and true for the flag value?

thanks
Shannon
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

dsdsdsdsd wrote: bech100;

I read the link that you sent;

in his first example he:
1) uses the variable $authorized
2) assigns it true or !true;

point about:
1) no one would know that he is using "a u t h o r i z e d" as his variable; before someone could trick his script they would need to know that the toggle wrapper is "a u t h o r i z e d";
2) couldn't he have been more evasive with the flag value if he had used "higjyyjwcjkwjywc" instead of true;

BIG QUESTION could anyone find out that he used "a u t h o r i z e d" for the wrapper and true for the flag value?

thanks
Shannon

It's not really the point, though. It is just highlighting how register_globals on is a security flaw.

Mark
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

dsdsdsdsd wrote: bech100;

I read the link that you sent;

in his first example he:
1) uses the variable $authorized
2) assigns it true or !true;

point about:
1) no one would know that he is using "a u t h o r i z e d" as his variable; before someone could trick his script they would need to know that the toggle wrapper is "a u t h o r i z e d";
2) couldn't he have been more evasive with the flag value if he had used "higjyyjwcjkwjywc" instead of true;

BIG QUESTION could anyone find out that he used "a u t h o r i z e d" for the wrapper and true for the flag value?

thanks
Shannon

You are arguing obscurity - if someone doesn't know, they can't get in. It's a fatal flaw in security to rely on obscurity.

Why?

Your question nails the answer - could anyone find out what he used for the wrapper and the flag value?

If there wasn't logging of repeated attempts, you can brute force it... and believe me, it's VERY easy to get a few hundred thousand attempts an hour across most broadband connections (arguably a server would have AT LEAST that much connectivity).

In 2-3 days time, say over a holiday weekend, when no one is worried about their server? Boom. Now the attacker knows, and he is in.

But like Bech said... it's not about the relative security of obscure choices - it is about the fundamental security improvement that prevents the NEED for obscurity. Register_globals being on is a major security flaw.
dsdsdsdsd
Forum Commoner
Posts: 60
Joined: Fri Dec 05, 2003 3:10 pm

Post by dsdsdsdsd »

bech100, Roja;
nice answers;
thanks;
Shannon Burnett
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

The specific danger with reg globs on is that a hacker can assign a value to undefined vars in the global scope. Anything not in the global scope is safe. Anything which you assign a value to in the global scope is safe.

So, if you have to write scripts which will run in a reg globs on environment, always develop with E_ALL error reporting to catch any undefined vars (it's best to develop with E_ALL anyway - but turn error reporting down on a live site). If you don't have any undefined vars, reg globs on doesn't present a security risk.

Of course it's always better to switch it off if you can.

And user input always has to be validated.
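
The undefined-variable risk described in the post above, shown with the $authorized flag discussed earlier in the thread. This is an added example, not code from any post or from the linked article. It assumes a modern PHP where register_globals no longer exists, so extract() on a constructed request array stands in for it; password_is_valid(), vulnerable_page() and hardened_page() are hypothetical names.

```php
<?php
// Added example. register_globals was removed in PHP 5.4, so extract() on a
// constructed request array stands in for it; each function body stands in
// for a script's global scope.
error_reporting(E_ALL);

// Collect what E_ALL reports instead of printing it.
$diagnostics = [];
set_error_handler(function (int $severity, string $message) use (&$diagnostics): bool {
    $diagnostics[] = $message;
    return true;
});

// Hypothetical credential check; it always fails in this demo.
function password_is_valid(): bool
{
    return false;
}

// Vulnerable: $authorized is assigned only on success, so on failure it is
// undefined and a request parameter of the same name supplies its value.
function vulnerable_page(array $request): bool
{
    extract($request);               // simulates register_globals = On
    if (password_is_valid()) {
        $authorized = true;
    }
    return (bool) $authorized;
}

// Hardened: the variable is always assigned before use, so an injected
// value is overwritten and nothing is left undefined.
function hardened_page(array $request): bool
{
    extract($request);
    $authorized = password_is_valid();
    return $authorized;
}

$plain  = [];                        // constructed request: no parameters
$forged = ['authorized' => '1'];     // constructed request: ?authorized=1

foreach (['vulnerable_page', 'hardened_page'] as $page) {
    foreach (['plain' => $plain, 'forged' => $forged] as $name => $request) {
        printf("%-15s %-6s -> %s\n", $page, $name, var_export($page($request), true));
    }
}
echo "E_ALL reported: ", implode('; ', $diagnostics), "\n";
```

The only diagnostic collected comes from the plain request to vulnerable_page(), which is why developing with E_ALL surfaces the uninitialised flag during ordinary testing.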