Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I'm simply asking why here, but quoting from this post on another forum, one guy told me what to do to get simple variables like $username to actually work.
maybe something else: PHP defaults to NOT register_globals, that means that you should use $_POST['username'] instead of $username
me wrote: That was it!
Changing the register_globals from Off to On in my php.ini fixed it, thank you!
well... I'd have to ADVISE against that... you SHOULD change your script... register_globals was defaulted to Off as a security measure; not as an annoy-php-script-writers feature
(but feel free to do whatever you see fit)
Then I simply asked why it was a security risk, and I haven't gotten a reply. Is this a risk in every situation, or just a risk if the server is running more than one site?
Last edited by Bigun on Fri Feb 16, 2007 1:34 pm, edited 1 time in total.
It allows people to initialize global variables as they see fit through the URL. This can cause MAJOR security issues if variables are not properly initialized in the script. If you choose to leave it on, you need to initialize all of your global variables before you use them and validate their values before using them.
DrTom wrote:It allows people to initialize global variables as they see fit through the URL. This can cause MAJOR security issues if variables are not properly initialized in the script. If you choose to leave it on, you need to initialize all of your global variables before you use them and validate their values before using them.
Ahh, I've already run my variables through the metaphorical "wringer" already, so... that answers my question.
What happens if you forget to sanitize a variable, or forget to initialize its value during a late night coding session? It's much simpler to fix your code (register_globals is going to be REMOVED COMPLETELY starting from PHP 6); you would be much better off starting now.
It's also a matter of portability. If your next host refuses to turn register globals on, your code won't work.
Using register globals also opens you to CSRF attacks (GET and POST amalgamated as one), incomprehensible code (where the heck is this $variable coming from), and a polluted global namespace.
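As an added example (not code posted in this thread), here is the failure DrTom describes, an attacker pre-filling an uninitialised global through the URL, next to the rewrite the reply above recommends: read each input explicitly from $_GET or $_POST, initialise every variable, and validate before use. register_globals was deprecated in PHP 5.3 and removed in PHP 5.4, so the old behaviour is emulated with extract() over a constructed request array; the function and variable names (legacy_page, hardened_page, password_ok, $attackerRequest) are hypothetical.

```php
<?php
// Added example, not from the original thread. Shows the register_globals
// problem (attacker initialises an uninitialised variable via the URL) and
// the rewrite that removes the dependency on register_globals.
// register_globals no longer exists (removed in PHP 5.4), so extract() over a
// constructed request array stands in for it. All names here are hypothetical.

// Constructed attacker request, equivalent to: /admin.php?authorized=1&username=guest
$attackerRequest = ['authorized' => '1', 'username' => 'guest'];

// Stand-in for a real credential check; always fails, so no legitimate login happens.
function password_ok(string $username, string $password): bool
{
    return false;
}

// --- Before: how the script behaved with register_globals = On ---
function legacy_page(array $request): string
{
    // register_globals turned every query/form key into a PHP variable before
    // the script ran; extract() reproduces that for this demo.
    extract($request);

    // $authorized is only meant to be set after a successful login. Because the
    // script never initialises it, the attacker's ?authorized=1 fills it in.
    if (isset($username, $password) && password_ok($username, $password)) {
        $authorized = true;
    }

    if (!empty($authorized)) {          // attacker-controlled, so this is true
        return "sensitive admin data for $username";
    }
    return 'access denied';
}

// --- After: no dependence on register_globals ---
// $get is accepted only to show that nothing in the query string is consulted;
// credentials are read from the POST body alone, so GET and POST are not merged.
function hardened_page(array $get, array $post): string
{
    $authorized = false;                // 1. initialise before use

    // 2. read each input from the one superglobal it is expected in
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';

    // 3. validate before use
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $username)) {
        return 'access denied';
    }

    if (password_ok($username, $password)) {
        $authorized = true;
    }

    return $authorized ? "sensitive admin data for $username" : 'access denied';
}

echo "legacy:   ", legacy_page($attackerRequest), PHP_EOL;
echo "hardened: ", hardened_page($attackerRequest, []), PHP_EOL;
```

Run with `php example.php`: legacy_page() hands the attacker the "sensitive admin data" line because extract() created $authorized from the request before the script's own logic ran, while hardened_page() returns "access denied" since $authorized starts as false and the query string is never read. The same three steps (initialise, read from a named superglobal, validate) are exactly what the thread's advice to "change your script" amounts to, and they work identically whether or not the host ever had register_globals on.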