register globals possible problems

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
flimflam
Forum Newbie
Posts: 2
Joined: Sun Jun 10, 2007 4:25 pm

register globals possible problems

Post by flimflam »

I have register globals on, but I'm worried about security. I have to keep it on for other reasons so I can't just turn it off. If you go to a url like this: test.php?results[]=1&results[]=2&results[]=3&results[]=4 normally it would override the $results variable when I echo it. But if I assign it a second time, it seems to override the one provided by the url. Is there any way that the variable from the URL can be passed so that it would still be used after the second assign? I know there's other ways to do this, but I'm interested in the way that this works.

Code: Select all

$results = array("dog", "cat", "rat");
$results = array("dog", "cat");
echo count($results);
User avatar
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

It sounds to me like you don't understand what is dangerous about register_globals. It is because you allow a user to define the value of an uninitialized variable.

Code: Select all

<?php
// file.php
if ($something) {
    showSensitiveData();
}
can be run with file.php?something=1

Has this inadvertently answered your question?
flimflam
Forum Newbie
Posts: 2
Joined: Sun Jun 10, 2007 4:25 pm

Post by flimflam »

well that's what I'm saying. If I do this:

Code: Select all

<?php
// file.php
$something=null;
$something=null;
$something = $_POST['something'];
if ($something) {
    showSensitiveData();
}
Then it doesn't effect it, there is no APPARENT security problem. I was asking if that works or is there some way around what I"ve come up with.
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

Your question seems to indicate that you want to use the same variable name for several things but not have the values overwritten. This isn't possible.

The other issue stems from your apparent understanding of the security hole that register_globals makes, but you want to have your cake and eat it too. Whether or not there is a perceived security risk doesn't mean someone can't find one.
User avatar
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

flimflam wrote:well that's what I'm saying. If I do this:

Code: Select all

<?php
// file.php
$something=null;
$something=null;
$something = $_POST['something'];
if ($something) {
    showSensitiveData();
}
Then it doesn't effect it, there is no APPARENT security problem. I was asking if that works or is there some way around what I"ve come up with.
If you do that you are right. But people forget. One of the principles of security is called "defence in depth" this is where you take multiple measure to ensure something is secure in case one of them fails.
User avatar
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

If possible, turn register_globals off. You can do it a few ways including .htaccess (with mod_php but NOT if PHP is running in CGI mode). There's also ini_set(). The last is more portable.

If the application requires register_globals to be enabled then check for an updated version, or maybe see if there's an alternative application for what you want, or just patch the application (if you wrote it) so register_globals is not required.

At the end of the day, it's a security risk. Applications which require register_globals to operate carry an inherently higher security risk than those which manually disable register_globals despite the local settings in php.ini.
Post Reply