Security Flaws with register_globals

francisjeffy
Forum Newbie
Posts: 17
Joined: Fri Feb 29, 2008 12:10 pm

Security Flaws with register_globals

Post by francisjeffy »

Hey all

When register_globals is turned On and if the variable is not initialized, it can create a severe threat to sensitive information. Wanna know how? Read on...

register_globals

The two states of register_globals are 'on' or 'off', i.e. 'enabled' or 'disabled'.

By default the value of register_globals was 'On' (enabled), and from PHP version 4.2.0 the default value of register_globals was turned 'Off' (disabled).

When register_globals is 'On' it can inject the PHP script with all sorts of variables from HTML forms.
And since PHP does not require variable initialization, writing insecure code is that much easier.


This example explains the concept

Code:

<?php

# here register_globals is turned 'On'

# authorizedUser() stands for the application's own login check
if (authorizedUser()) {
    $giveAccess = true;
}

# this snippet sits inside a class method, hence $this
if ($giveAccess) {
    $this->accessSensitiveData();
}

# since the variable $giveAccess is not initialized as false, and since register_globals is turned 'On'
# it can be defined through register_globals, and anyone can get access.

# When register_globals is turned 'off', $giveAccess can't be set via the request so it'll be fine, although it is good programming practice to initialize variables first.

?>

So when register_globals is turned On and if the variable is not initialized, it can create a severe threat to sensitive information.

And how do we turn on register_globals ?

You can turn it on for your individual web sites by entering the following into a .htaccess file:
php_flag register_globals on

The issues with register_globals will become history from PHP version 6.0.0. register_globals is removed from PHP 6. So we've got to worry about it only in versions prior to 6.0.0.

Hope you found it informative...

jeF..
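
The uninitialized-variable pattern from the post above, shown next to its hardened form. This is an added example and not part of the original post. `extract()` stands in for register_globals so the code behaves the same on interpreters that do not have the directive; the `$session` array, its `user_id` key, and the function names `legacyCheck`, `hardenedCheck` and `registerGlobalsEnabled` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical login check standing in for the post's authorizedUser condition.
function authorizedUser(array $session): bool
{
    return isset($session['user_id']);
}

// Vulnerable pattern from the post: $giveAccess is never initialized.
function legacyCheck(array $request, array $session): bool
{
    // Emulates register_globals=On: every request parameter becomes a
    // variable in scope. EXTR_SKIP leaves $request and $session untouched.
    extract($request, EXTR_SKIP);
    if (authorizedUser($session)) {
        $giveAccess = true;
    }
    // For an anonymous visitor the only possible source of $giveAccess
    // is the request itself.
    return !empty($giveAccess);
}

// Hardened form: initialize first, so an injected value is overwritten.
function hardenedCheck(array $request, array $session): bool
{
    extract($request, EXTR_SKIP);
    $giveAccess = false;
    if (authorizedUser($session)) {
        $giveAccess = true;
    }
    return $giveAccess;
}

// Deployment guard: report whether the directive is active in this runtime.
// ini_get() returns false when the interpreter has no such directive.
function registerGlobalsEnabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample input: anonymous visitor, request carries giveAccess=1.
$request = ['giveAccess' => '1'];
$session = [];

var_dump(legacyCheck($request, $session));    // request-supplied value decides
var_dump(hardenedCheck($request, $session));  // initialization decides
var_dump(legacyCheck([], ['user_id' => 42])); // genuine login path
var_dump(registerGlobalsEnabled());
```

`registerGlobalsEnabled()` can be called from a bootstrap or health-check script to flag hosts where a `.htaccess` or php.ini override has switched the directive on.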
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Re: Security Flaws with register_globals

Post by nickvd »

Really? Interesting... :wink:

Though how this relates to Swift, I am not sure...
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Security Flaws with register_globals

Post by Chris Corbyn »

:arrow: Moved to PHP Code