I read somewhere around here how a variable is set if appended to a URL (eg. page.php?variable=set) and how this poses a threat if the variable is called.
I am simply wondering if it is possible to set a $_SESSION variable in this way, or if it refers only to standard vars (eg. $myVar).
$_SESSION variables
feyd (General Moderators) wrote:
register globals refers to all $_* vars getting parsed into $key=>$value pairs at page start.

with register globals on this is real bad:

Code:
    <?php
    // $foo is never initialised, so with register_globals on its starting
    // value is whatever ?foo=... the request supplied
    for($i = 0; $i < 5; $i++)
        $foo .= '@';
    echo $foo;
    ?>

calling that script with

Code:
    bar.php?foo=weeeeeeee

will output:

Code:
    weeeeeeee@@@@@

not too bad here..

you can take precautions to make sure register_globals doesn't affect your script much.. like ALWAYS initializing variables. All $_* variables should be scrutinized and sanitized, because all of them come from outside your control area.

but to answer your question about sessions... not directly.
Feyd, thanks for the info, though I'm still a little confused. (I'm doing a lot of this today for some reason)
Are you saying that if I initialize the variable then it's protected? Actually, this is because variables are initialized to '', right, so any malicious content is lost.
That is OK, I think I get that.. but what about specifically the $session variable? Just that you say to beware of all $_* variables, but then say they cannot directly affect the $_SESSION ones. At least that's what I think you are saying.
It's just that I have designed my site around the idea that the $_SESSION group were my safe area, so to speak, and as such I have got all of their basic info in there so it travels with them through the site. As an example, I do an IP retrieval (as you helped with earlier - thanks) and unless the IP changes or the session expires, they are still given an auth value to determine what areas they can access.
Keeping in mind that I didn't want to allow users to set themselves a level, the auth level is set at login directly from the database, so it can't really be forced by any register_globals issue as far as I can tell.
So, would someone be able to set the $_SESSION value which contains their auth level in the way described? Perhaps the act of calling session_start() would re-initialize the $_SESSION tree anyhow?
Any thoughts? Thanks.
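An added example, not code from the thread and not feyd's, covering both feyd's register_globals demonstration above and the follow-up question about the auth level kept in $_SESSION. It is a stand-alone PHP CLI script with these assumptions: extract() stands in for register_globals (the setting was removed in PHP 5.4, so it cannot be switched on to reproduce the behaviour); a plain array $session stands in for $_SESSION so no session handler is needed; the request, the login form data and the users table are constructed inline. Every function name in it (legacyAppend, hardenedAppend, requestField, login, authLevel, poisonedByCopy) is mine.

```php
<?php
// Added example (not from the thread). Emulates register_globals with extract(),
// shows the "always initialise" precaution, and shows why an auth level that is
// written into the session only at login, from the database, is out of reach of
// ?auth=9 in the URL unless the script itself copies request data into the session.
declare(strict_types=1);

// Constructed request: what bar.php?foo=weeeeeeee&auth=9 would deliver in $_GET.
$request = ['foo' => 'weeeeeeee', 'auth' => '9'];

// The thread's bar.php as it behaved with register_globals=On. extract() dumps
// every request key into a local variable, as register_globals did at page
// start, so the never-initialised $foo starts out under the caller's control.
function legacyAppend(array $get): string
{
    extract($get); // emulates register_globals; never do this with request data
    for ($i = 0; $i < 5; $i++) {
        $foo .= '@';
    }
    return $foo;
}

// The precaution feyd recommends: initialise before use. The request can no
// longer seed $foo, whatever it contains.
function hardenedAppend(array $get): string
{
    $foo = ''; // ALWAYS initialise
    for ($i = 0; $i < 5; $i++) {
        $foo .= '@';
    }
    return $foo;
}

// Explicit, validated read of one request field: the replacement for relying
// on a global that "just appears". Returns null for anything not on the allow-list.
function requestField(array $get, string $key, string $pattern): ?string
{
    $value = $get[$key] ?? null;
    return (is_string($value) && preg_match($pattern, $value) === 1) ? $value : null;
}

// Constructed users table. The auth level lives here and nowhere else.
$usersTable = [
    'alice' => ['password' => 'correct horse battery', 'auth' => 2],
];

// Login resets the session and copies the auth level in from the database.
// Only the validated username comes from the request, so ?auth=9 has no path
// into $session['auth'].
function login(array &$session, array $usersTable, ?string $user, string $pass): bool
{
    $session = []; // clean slate on every login
    if ($user === null || !isset($usersTable[$user])) {
        return false;
    }
    if (!hash_equals($usersTable[$user]['password'], $pass)) {
        return false;
    }
    $session['user'] = $user;
    $session['auth'] = (int) $usersTable[$user]['auth'];
    $session['ip']   = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1'; // CLI has no REMOTE_ADDR
    return true;
}

// Per-request authorisation reads the session only. The request array is
// deliberately not a parameter, so it cannot influence the answer.
function authLevel(array $session): int
{
    return (int) ($session['auth'] ?? 0);
}

// The indirect route feyd's "not directly" leaves open: code that copies request
// data into the session wholesale. Included so the anti-pattern is recognisable.
function poisonedByCopy(array $session, array $get): int
{
    $session = array_merge($session, $get); // anti-pattern: the request's auth now wins
    return authLevel($session);
}

// Demonstration run: php this_script.php
$session = [];
echo "legacy:   ", legacyAppend($request), PHP_EOL;
echo "hardened: ", hardenedAppend($request), PHP_EOL;
$user = requestField(['user' => 'alice'], 'user', '/^[a-z0-9_]{1,32}$/'); // constructed form data
$ok = login($session, $usersTable, $user, 'correct horse battery');
echo "login ok: ", var_export($ok, true), PHP_EOL;
echo "auth from session: ", authLevel($session), PHP_EOL;
echo "auth if request were merged in: ", poisonedByCopy($session, $request), PHP_EOL;
```

Run with the PHP CLI: the legacy line prints the request string followed by five @ signs, the hardened line only the five @ signs, login succeeds, and authLevel returns the level from the constructed table no matter what ?auth= says. Only the poisonedByCopy anti-pattern lets the request value through, which is the concrete form of "scrutinize every $_* variable": the session stays a safe area exactly as long as nothing in your own code writes unvalidated request data into it.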