
Posted: Tue Aug 02, 2005 3:23 pm
by nielsene
does your code have

Code:

if (ini_get("register_globals") == 1) {
  // ini_get() reports an "on" boolean setting as "1", "off" as "" or "0"
  die('This script refuses to run with register_globals on');
}
at the top? If not, then while you might be secure now, if you or someone else installs it somewhere else you could be in danger.

I'm NOT saying that register globals is the only vulnerability, but it is the easiest. While you may have control over your php.ini, remember that a lot of people don't and a lot of hosts still have it on.

And to me this is extra, unneeded code if you properly initialized your variables. Therefore undefined variables are not "as easy to secure" as properly initialized ones. QED.

Posted: Tue Aug 02, 2005 3:27 pm
by nielsene
I apologize for doubting your integrity about putting up a real script.

Posted: Tue Aug 02, 2005 3:37 pm
by infolock
niel, thanks. I do appreciate that. But let me explain, I'm not using global variables. I never said I would.

I simply check to see if $bob is defined. If $bob is not defined, I post that it isn't on the page. That's why there are 15 lines saying that. Sorry, I must not have been clear about that.

But no, I'm not even using $_POST data or $_GET data. I'm simply using an undefined variable. Therefore, $bob is being called before it is defined.


Roja: if you want to believe what you've read, go ahead. That's your choice. I do not ask you to use methods I use. I do not expect you to change your methods. All I'm trying to do is prove that if you do use an undefined variable, it is not necessarily a security risk, so long as you validate the variable once it is defined.

That's it. Nothing more. But to say it's insecure is like saying passwords are insecure. Passwords CAN be insecure if you do not store them with encryption, or if you do not validate that they are correct. The same thing goes here. That's all I'm trying to say.

Posted: Tue Aug 02, 2005 3:46 pm
by JAM
I'm amazed that a post about a warning message can generate such an amount of discussion on this board.
A thread that once originated from something that dealt with ASP...

I have on this subject never seen a manual à la PHP style for ASP, something that I personally would like to have as well. I have been using some PDFs and an old CHM help file that I found 'somewhere' for 'some software' that I don't remember...

Posted: Tue Aug 02, 2005 8:50 pm
by nielsene
infolock wrote: niel, thanks. I do appreciate that. But let me explain, I'm not using global variables. I never said I would.

I simply check to see if $bob is defined. If $bob is not defined, I post that it isn't on the page. That's why there are 15 lines saying that. Sorry, I must not have been clear about that.

But no, I'm not even using $_POST data or $_GET data. I'm simply using an undefined variable. Therefore, $bob is being called before it is defined.


Roja: if you want to believe what you've read, go ahead. That's your choice. I do not ask you to use methods I use. I do not expect you to change your methods. All I'm trying to do is prove that if you do use an undefined variable, it is not necessarily a security risk, so long as you validate the variable once it is defined.

That's it. Nothing more. But to say it's insecure is like saying passwords are insecure. Passwords CAN be insecure if you do not store them with encryption, or if you do not validate that they are correct. The same thing goes here. That's all I'm trying to say.
Deciding that undefined variables are "safe" because you can construct a script where they are does not prove that they are safe in general. Yes, given your script, they are not opening you up to any security holes. However, that doesn't mean it's safe to ignore those messages, especially as it means you might ignore the message when it does matter.

Furthermore it trains you to write code that is not securely portable. If someone takes one of your scripts to a host where register_globals is on, their application is toast.

It is never good to get into a habit of ignoring warnings or notices. They exist for a reason.

If you ever had code like

Code:

if ($someDefinedVariable == "something") {
  $someOtherVariable = TRUE;
}
// loads of other code
// $someOtherVariable is undefined here whenever the condition above was false
if (!$someOtherVariable) {
  // do something
}
Then you have at least a logic error, if not a security error. The NOTICES here will alert you to the error; hiding them or ignoring them will not.
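The bypass that nielsene's snippet hints at, written out as an added example (this is not code from the thread or from any poster). It puts the uninitialised-flag pattern beside the initialised version and runs both against the same requests. Because register_globals was removed in PHP 5.4, its effect (query parameters becoming ordinary variables before any of the script's own code runs) is simulated with extract() on a constructed request array; SECRET, the function names and the three sample requests are all made up for the demo:

```php
<?php
// Added example, not code from the thread. register_globals is SIMULATED
// with extract() on a constructed request array; SECRET, the function names
// and the sample requests are made up for the demo.
declare(strict_types=1);

// nielsene's guard, with the quoting fixed: refuse to run at all where the
// flag is on. ini_get() reports an "on" boolean setting as "1", "off" as "" or "0".
if (ini_get('register_globals')) {
    die('This script refuses to run with register_globals on');
}

const SECRET = 'correct-horse';   // constructed credential for the demo

// Vulnerable: $authorized is only assigned on the success path. On a wrong
// password it stays undefined (PHP raises the "Undefined variable" notice,
// a warning on PHP 8), and if the request carried authorized=1 the variable
// was already defined, as a truthy '1', before the password check even ran.
function vulnerableCheck(array $request): bool
{
    extract($request, EXTR_OVERWRITE);        // stands in for register_globals = On
    if (isset($password) && $password === SECRET) {
        $authorized = true;
    }
    return (bool) $authorized;                // the notice fires here on a wrong password
}

// Hardened: identical logic, but the flag is initialised before use, so the
// registered copy is clobbered and the notice never appears.
function hardenedCheck(array $request): bool
{
    extract($request, EXTR_OVERWRITE);        // same simulated register_globals
    $authorized = false;                      // defined first, always
    if (isset($password) && $password === SECRET) {
        $authorized = true;
    }
    return $authorized;
}

// Three constructed requests: a correct login, a wrong one, and a wrong one
// that also smuggles authorized=1 in the query string.
$cases = [
    'right password'          => ['password' => 'correct-horse'],
    'wrong password'          => ['password' => 'guess'],
    'wrong password + inject' => ['password' => 'guess', 'authorized' => '1'],
];
foreach ($cases as $label => $request) {
    printf("%-24s vulnerable=%-7s hardened=%s\n", $label,
        vulnerableCheck($request) ? 'granted' : 'denied',
        hardenedCheck($request)   ? 'granted' : 'denied');
}
```

Run it with `php example.php`. The first two requests are handled the same way by both functions; the third is granted by vulnerableCheck and denied by hardenedCheck, and the "wrong password" case is exactly where vulnerableCheck emits the undefined-variable notice this thread started from. Initialising `$authorized = false;` at the top is what closes the hole, whether the attacker's variable arrived through register_globals or, as here, through extract(); the ini guard on top only stops the script running where the first of those is possible.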

Posted: Tue Aug 02, 2005 10:07 pm
by Roja
nielsene wrote: Deciding that undefined variables are "safe" because you can construct a script where they are does not prove that they are safe in general.
A better way to state the same thing is:

Just because there are alternative methods to reducing the risks of using undefined variables doesn't mean there is NO risk to using undefined variables.

Undefined variables are a risk. They aren't secure. There are multiple ways of reducing that risk, and the easiest and most secure is to define them before use. Infolock offers that you can also prevent reg_globals, do full validation, avoid using user input, and so forth.

Each of those solutions have their own risks and dangers, which is why defining the variable before use is a best practice - it removes the guesswork.

Posted: Wed Aug 03, 2005 9:29 am
by infolock
now that is more like it! most definitely guys! Whooooo, that is the comment I was wanting to hear :) This (as I've stated) is not the best practice. It's not the most secure. The best practice is to at least define your variable with a blank value before trying to authenticate its value. But, given some checks and filters, it is a method you can use (even if it's not the best one).

So, I agree. It should not be a method to use. However, if you find you need to use it, it can be done. Thanks for the debate guys. This was actually pretty fun :)

Posted: Wed Aug 03, 2005 10:04 am
by Skittlewidth
JAM wrote: I'm amazed that a post about a warning message can generate such an amount of discussion on this board.
A thread that once originated from something that dealt with ASP...

I have on this subject never seen a manual à la PHP style for ASP, something that I personally would like to have as well. I have been using some PDFs and an old CHM help file that I found 'somewhere' for 'some software' that I don't remember...
Yes, I slowly backed out of this thread once it became clear I wasn't going to get any relevant info! Quite amusing though, I've never caused such a riot before, I'm just peace-loving Skittlewidth! :D