Register_global
Moderator: General Moderators
Register_global
Can anybody explain to me what is the advantage/disadvantage to make the register_global on/off? Thanx for any response.
read this
http://www.sitepoint.com/article/write- ... ts-php-4-2
Why you should have register_globals off
Mark
http://www.sitepoint.com/article/write- ... ts-php-4-2
Why you should have register_globals off
Mark
bech100;
I read the link that you sent;
in his first example he:
1) uses the variable $authorized
2) assignes it true or !true;
point about:
1) no one would know that he is using "a u t h o r i z e d" as his variable; before someone could trick his script they would need to know that the toggle wrapper is "a u t h o r i z e d";
2) couldn't he have been more evasive with the flag value if he had used "higjyyjwcjkwjywc" instead of true;
BIG QUESTION could anyone find out that he used "a u t h o r i z e d" for the wrapper and true for the flag value?
thanks
Shannon
I read the link that you sent;
in his first example he:
1) uses the variable $authorized
2) assignes it true or !true;
point about:
1) no one would know that he is using "a u t h o r i z e d" as his variable; before someone could trick his script they would need to know that the toggle wrapper is "a u t h o r i z e d";
2) couldn't he have been more evasive with the flag value if he had used "higjyyjwcjkwjywc" instead of true;
BIG QUESTION could anyone find out that he used "a u t h o r i z e d" for the wrapper and true for the flag value?
thanks
Shannon
Its not really the point tho. It is just highlighting how register_globals on is a security flawdsdsdsdsd wrote:bech100;
I read the link that you sent;
in his first example he:
1) uses the variable $authorized
2) assignes it true or !true;
point about:
1) no one would know that he is using "a u t h o r i z e d" as his variable; before someone could trick his script they would need to know that the toggle wrapper is "a u t h o r i z e d";
2) couldn't he have been more evasive with the flag value if he had used "higjyyjwcjkwjywc" instead of true;
BIG QUESTION could anyone find out that he used "a u t h o r i z e d" for the wrapper and true for the flag value?
thanks
Shannon
Mark
You are arguing obscurity - if someone doesnt know, they cant get in. Its a fatal flaw in security to rely on obscurity.dsdsdsdsd wrote:bech100;
I read the link that you sent;
in his first example he:
1) uses the variable $authorized
2) assignes it true or !true;
point about:
1) no one would know that he is using "a u t h o r i z e d" as his variable; before someone could trick his script they would need to know that the toggle wrapper is "a u t h o r i z e d";
2) couldn't he have been more evasive with the flag value if he had used "higjyyjwcjkwjywc" instead of true;
BIG QUESTION could anyone find out that he used "a u t h o r i z e d" for the wrapper and true for the flag value?
thanks
Shannon
Why?
Your question nails the answer - could anyone find out what he used for the wrapper and the flag value?
If there wasnt logging of repeated attempts, you can brute force it.. and beleive me, its VERY easy to get a few hundred thousand attempts an hour across most broadband connections (arguably a server would have AT LEAST that much connectivity).
In 2-3 days time, say over a holiday weekend, when no one is worried about their server? Boom. Now the attacker knows,and he is in.
But like Bech said.. its not about the relative security of obscure choices - it is about the fundamental security improvement that prevents the NEED for obscurity. Register_globals being on is a major security flaw.
The specific danger with reg globs on is that a hacker can assign a value to undefined vars in the global scope. Anything not in the global scope is safe. Anything which you assign a value to in the global scope is safe.
So, if you have to write scripts which will run in a reg globs on environment, always develop with E_ALL error reporting to catch any undefined vars (it's best to develop with E_ALL anyway - but turn error reporting down on a live site). If you don't have any undefined vars, reg globs on doesn't present a security risk.
Of course it's always better to switch it off if you can.
And user input always has to be validated.
So, if you have to write scripts which will run in a reg globs on environment, always develop with E_ALL error reporting to catch any undefined vars (it's best to develop with E_ALL anyway - but turn error reporting down on a live site). If you don't have any undefined vars, reg globs on doesn't present a security risk.
Of course it's always better to switch it off if you can.
And user input always has to be validated.