SleepyP wrote:this is weird, i could've sworn that this info wasn't available before....
what about Register Globals, what does that do?
Reg globs on can do terrible things - or nothing at all.
Superglobal arrays $_GET, $_POST, $_COOKIE, and $_SESSION receive their member vars from the obvious sources.
With register globals on, any element of these arrays is automatically declared as a var in the global scope. For example, $_POST['name'] would be declared in the global scope as $name.
With register globals off, this doesn't happen. The vars remain "locked up" in their respective arrays.
Reg globs on allows a hacker to declare vars with any name and any value in the global scope. All you have to do is tamper with the query string or forge a form submission or cookie. That isn't necessarily an open door into your scripts - but at the same time it isn't something to ignore.
Suppose, with reg globs on, a hacker injected an $admin var into the global scope of your script. If the normal script doesn't ever refer to a var called $admin in this scope, it just sits there doing nothing. No problem.
Next, suppose you do declare an $admin var in the legitimate code (global scope). Again no problem (probably). Although reg globs has already declared the var with the hacked value, as soon as the parser gets to the line in your script where YOU declare the var, the hacked value is immediately overwritten.
The problem with reg globs on arises when you have undefined vars/indexes in your scripts in the global scope. Reg globs on allows a hacker to set their own values for these vars. Still, it depends on the var and how it is used just how serious a problem that could be: an undefined $row_background_color wouldn't lead to any loss of sleep, but $has_superuser_access might.
Code: Select all
if($has_superuser_access == true)
{
// download all the credit card numbers...
}
Thankfully, it's very easy to identify undefined vars/indexes: always develop on your local server with E_ALL error reporting. Fix them as soon as you find them.
In summary, turn reg globs off if you can - but if you can't it's not the end of the world. Just be VERY careful not to have any undefined vars/indexes in the global scope.
Incidentally, with object oriented programming, you tend not to have much in the global scope to begin with. One var and two lines of code might be all you need for all http requests to the site:
Code: Select all
<?php
$fc =& new FrontController;
$fc->execute();
?>