$_SESSION variables
Posted: Sat Jan 22, 2005 11:28 pm
by Stryks
I read somewhere around here how a variable is set if appended to a URL (e.g. page.php?variable=set) and how this poses a threat if the variable is called.
I am simply wondering if it is possible to set a $_SESSION variable in this way, or if it refers only to standard vars (e.g. $myVar).
Posted: Sat Jan 22, 2005 11:35 pm
by feyd
register globals refers to all $_* vars getting parsed into $key=>$value pairs at page start.
with register globals on this is real bad:
<?php
// $foo is never initialised, so with register_globals on a request like
// ?foo=... seeds it before this loop runs
for($i = 0; $i < 5; $i++)
$foo .= '@';
echo $foo;
?>
calling that script with
will output:
not too bad here..
you can take precautions to make sure register_globals doesn't affect your script much.. like ALWAYS initializing variables. All $_* variables should be scrutinized and sanitized, because all of them come from outside your control area.
but to answer your question about sessions... not directly.
Posted: Sun Jan 23, 2005 7:02 am
by Stryks
Feyd, thanks for the info, though I'm still a little confused. (I'm doing a lot of this today for some reason)
Are you saying that if I initialize the variable then it's protected? Actually, this is because variables are initialized to '' right, so any malicious content is lost.
That is OK, I think I get that .. but what about specifically the $session variable. Just that you say to beware of all $_* variables, but then say they cannot directly affect the $_SESSION ones. At least that's what I think you are saying.
It's just that I have designed my site around the idea that the $_SESSION group were my safe area, so to speak, and as such I have got all of their basic info in there so it travels with them through the site. As an example, I do an IP retrieval (as you helped with earlier - thanks) and unless the IP changes or the session expires, they are still given an auth value to determine what areas they can access.
Keeping in mind that I didn't want to allow users to set themselves a level, the auth level is set at login directly from the database, so it can't really be forced by any register_globals issue as far as I can tell.
So, would someone be able to set the $_SESSION value which contains their auth level in the way described? Perhaps the act of calling session_start() would re-initialize the $_SESSION tree anyhow?
Any thoughts? Thanks.
Posted: Sun Jan 23, 2005 7:45 am
by feyd
as far as I know, calling session_start() will wipe any register global related problem, but I don't think a register global'd in variable is allowed to overwrite a superglobal.. although I have not tested that.
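The two points made in this thread, feyd's "ALWAYS initialize variables" and Stryks' design of setting the auth level into $_SESSION only at login from the database, side by side as an added example. This is not code from the thread or from Stryks' site. register_globals was removed in PHP 5.4, so the vulnerable half emulates what it did to the global scope at page start with extract($_GET); the $users array and the request values are constructed stand-ins for the login database and for an attacker's query string.

```php
<?php
// Added example, not part of the original thread.
// (1) an uninitialised global seeded from the query string under register_globals
// (2) the hardened form: initialise, and read authorisation only from $_SESSION,
//     which is written once, at login, from the database.

session_start();                          // session data is loaded here, not from $_GET

// ---- constructed stand-in for the login database (assumption) ----------
$users = [
    'stryks' => ['password' => 'correct horse', 'auth' => 3],
    'guest'  => ['password' => 'guest',         'auth' => 1],
];

// ---- (1) vulnerable: uninitialised global + register_globals -----------
// Simulated request: page.php?auth=9  (constructed attacker input)
$_GET = ['auth' => '9'];
extract($_GET);                           // emulates register_globals = On
// $auth was never initialised, so the request value is what the check sees.
if (!empty($auth) && $auth >= 3) {
    echo "vulnerable: admin area granted to auth=$auth\n";
}

// ---- (2) hardened: initialise, and keep the level in the session -------
$auth = 0;                                // ALWAYS initialise: a request value
                                          // can no longer survive to a later check

function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !hash_equals($users[$name]['password'], $password)) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id on privilege change
    $_SESSION['auth'] = $users[$name]['auth'];     // from the DB, never from $_*
    $_SESSION['ip']   = $_SERVER['REMOTE_ADDR'] ?? ''; // for the IP check the thread mentions
    return true;
}

function current_level(): int
{
    // Only $_SESSION is consulted; nothing in $_GET, $_POST or $_COOKIE
    // reaches this value, whatever ?auth= says in the URL.
    return isset($_SESSION['auth']) ? (int) $_SESSION['auth'] : 0;
}

login($users, 'guest', 'guest');
echo 'hardened: level ' . current_level() . "\n";
```

Run it from the command line: the first half prints the "vulnerable" line because $auth was seeded by the emulated request, while current_level() returns the level stored at login (1 for the constructed "guest" account) and ignores the same ?auth=9. Initialising $auth is what removes the first problem; reading the level from $_SESSION rather than from a plain global is what makes the second half independent of the request.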