
php.ini security question (answered)

Posted: Fri Feb 16, 2007 12:28 pm
by Bigun
I'm simply asking why here, but quoting from this post on another forum, one guy told me what to do to get simple variables like $username to actually work.
maybe something else: PHP defaults to NOT register_globals, that means that you should use $_POST['username'] instead of $username
me wrote: That was it!

Changing the register_globals from Off to On in my php.ini fixed it, thank you!
well... I'd have to ADVISE against that... you SHOULD change your script... register_globals was defaulted to Off as a security measure; not as an annoy-php-script-writers feature
(but feel free to do whatever you see fit)
Then I simply asked why it was a security risk, and I haven't gotten a reply. Is this a risk in every situation, or just a risk if the server is running more than one site?

Posted: Fri Feb 16, 2007 12:54 pm
by DrTom
It allows people to initialize global variables as they see fit through the URL. This can cause MAJOR security issues if variables are not properly initialized in the script. If you choose to leave it on, you need to initialize all of your global variables before you use them and validate their values before using them.
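The bypass DrTom describes, as an added example (not code from the thread). register_globals was removed in PHP 5.4, so the "On" behaviour is emulated here with extract() on a request array (which is the same mistake in modern dress); the user table, passwords and requests are constructed for the demo, and the functions take the request as a parameter in place of $_GET/$_POST so the script runs from the CLI on PHP 7.4 or later:

```php
<?php
// Added example, not from the thread. register_globals itself was removed in
// PHP 5.4, so the "On" behaviour is emulated with extract() on the request array;
// extract() on user input is the same bug in modern dress.
// The php.ini settings in question (the thread's "fix" vs. the secure default):
//   register_globals = On    ; what the original poster switched to (never do this)
//   register_globals = Off   ; default since PHP 4.2, removed entirely in 5.4
declare(strict_types=1);

// VULNERABLE: written the way a register_globals=On script reads.
// $authorized is assigned only on success and never initialised, so a request
// carrying ?authorized=1 sets it before a single line of the script's logic runs.
function vulnerable_check(array $request, array $users): bool
{
    // Emulates register_globals: every request key becomes a variable in this scope.
    // EXTR_SKIP only keeps $request/$users themselves from being clobbered.
    extract($request, EXTR_SKIP);

    if (isset($username, $password, $users[$username])
        && password_verify($password, $users[$username])) {
        $authorized = true;
    }
    return !empty($authorized);   // an attacker-supplied "1" is truthy
}

// HARDENED: what DrTom describes. Input comes explicitly from the superglobal
// ($_POST in a real script; passed in here so it runs from the CLI), and every
// variable the decision depends on is initialised before use.
function safe_check(array $post, array $users): bool
{
    $authorized = false;
    $username   = (string)($post['username'] ?? '');
    $password   = (string)($post['password'] ?? '');

    if (isset($users[$username]) && password_verify($password, $users[$username])) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed demo data: one account with a known password.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Constructed requests: a legitimate login, a bad password, and the bypass.
$requests = [
    'valid login'          => ['username' => 'alice', 'password' => 'correct horse'],
    'wrong password'       => ['username' => 'alice', 'password' => 'nope'],
    'bypass ?authorized=1' => ['authorized' => '1'],
];

foreach ($requests as $label => $req) {
    printf("%-22s vulnerable=%-5s safe=%s\n",
        $label,
        vulnerable_check($req, $users) ? 'true' : 'false',
        safe_check($req, $users) ? 'true' : 'false');
}
```

The third row is the point: the old-style function accepts a request that never supplied a username or password at all, because the only thing it checks at the end is a variable the client was allowed to pre-set. Initialising $authorized = false before the check, and reading input only from $_POST, closes that hole regardless of what php.ini says.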

Posted: Fri Feb 16, 2007 1:34 pm
by Bigun
DrTom wrote: It allows people to initialize global variables as they see fit through the URL. This can cause MAJOR security issues if variables are not properly initialized in the script. If you choose to leave it on, you need to initialize all of your global variables before you use them and validate their values before using them.
Ahh, I've already run my variables through the metaphorical "wringer", so... that answers my question.

Posted: Fri Feb 16, 2007 1:39 pm
by nickvd
Bigun wrote:
DrTom wrote: It allows people to initialize global variables as they see fit through the URL. This can cause MAJOR security issues if variables are not properly initialized in the script. If you choose to leave it on, you need to initialize all of your global variables before you use them and validate their values before using them.
Ahh, I've already run my variables through the metaphorical "wringer", so... that answers my question.
What happens if you forget to sanitize a variable, or forget to initialize its value during a late night coding session? It's much simpler to fix your code (register_globals is going to be REMOVED COMPLETELY starting from PHP 6); you would be much better off to start now.

It's also a matter of portability. If your next host refuses to turn register globals on, your code won't work.

Posted: Sun Feb 18, 2007 1:17 pm
by Ambush Commander
Using register globals also opens you to CSRF attacks (GET and POST amalgamated as one), incomprehensible code (where the heck is this $variable coming from), and a polluted global namespace.
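The GET/POST amalgamation point, as an added example (not code from the thread). A register_globals-style handler cannot tell whether $delete_id came from the site's own POSTed form or from a URL some other page embedded, so it is emulated here with extract(); the hardened handler reads only $_POST, requires the POST method and checks a session-bound CSRF token. $method, $post and $session stand in for $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION, and the session, posts and requests are constructed so the script runs from the CLI on PHP 7.4 or later:

```php
<?php
// Added example, not from the thread. With register_globals (or extract($_REQUEST))
// a script cannot tell whether $delete_id came from a POSTed form or from a URL, so
// any page on the web can trigger the action with <img src="...?delete_id=42">.
// The fix reads only $_POST, requires the POST method, and checks a session-bound
// CSRF token. register_globals is emulated with extract() since PHP 5.4 removed it.
declare(strict_types=1);

// VULNERABLE: register_globals-style handler. GET, POST and cookie values all land
// in $delete_id, and nothing ties the request to a form this site served.
function vulnerable_delete(array $request, array &$posts): ?int
{
    extract($request, EXTR_SKIP);                 // emulates register_globals=On
    if (isset($delete_id) && isset($posts[(int)$delete_id])) {
        unset($posts[(int)$delete_id]);
        return (int)$delete_id;
    }
    return null;
}

// HARDENED: explicit source ($_POST), explicit method, and an anti-CSRF token that a
// cross-site page cannot read. $method/$post/$session stand in for
// $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION so the demo runs from the CLI.
function safe_delete(string $method, array $post, array $session, array &$posts): ?int
{
    if ($method !== 'POST') {
        return null;                               // links and <img> requests never qualify
    }
    $expected = (string)($session['csrf_token'] ?? '');
    $supplied = (string)($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return null;                               // constant-time compare of the token
    }
    $id = filter_var($post['delete_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($posts[$id])) {
        return null;
    }
    unset($posts[$id]);
    return $id;
}

// Issued once per session (e.g. at login) and embedded in the site's own forms as
// <input type="hidden" name="csrf_token" value="...">.
function new_csrf_token(): string
{
    return bin2hex(random_bytes(32));
}

// Constructed demo: one session, two posts, four ways of reaching the handler.
$session  = ['csrf_token' => new_csrf_token()];
$original = [41 => 'first post', 42 => 'second post'];

$cases = [
    'cross-site <img> GET, old handler'   => fn(array &$p) => vulnerable_delete(['delete_id' => '42'], $p),
    'cross-site <img> GET, new handler'   => fn(array &$p) => safe_delete('GET', ['delete_id' => '42'], $session, $p),
    'cross-site auto-POST, guessed token' => fn(array &$p) => safe_delete('POST', ['delete_id' => '42', 'csrf_token' => 'guess'], $session, $p),
    "site's own form, real token"         => fn(array &$p) => safe_delete('POST', ['delete_id' => '42', 'csrf_token' => $session['csrf_token']], $session, $p),
];

foreach ($cases as $label => $run) {
    $posts   = $original;
    $deleted = $run($posts);
    printf("%-36s deleted=%-4s remaining=%s\n",
        $label, $deleted === null ? 'none' : (string)$deleted, implode(',', array_keys($posts)));
}
```

Only the last case, the one carrying the token the site itself issued, removes a post. Note that reading from $_POST instead of a bare variable is necessary but not sufficient: an attacker can still auto-submit a cross-site form, which is why the method check alone is not enough and the token comparison (via hash_equals, so the comparison does not leak the token through timing) is what actually stops the forged request.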