register globals possible problems
Posted: Sun Jun 10, 2007 4:33 pm
by flimflam
I have register globals on, but I'm worried about security. I have to keep it on for other reasons so I can't just turn it off. If you go to a URL like this: test.php?results[]=1&results[]=2&results[]=3&results[]=4 normally it would override the $results variable when I echo it. But if I assign it a second time, it seems to override the one provided by the URL. Is there any way that the variable from the URL can be passed so that it would still be used after the second assign? I know there are other ways to do this, but I'm interested in the way that this works.
Code:
<?php
// test.php
$results = array("dog", "cat", "rat");
$results = array("dog", "cat");
echo count($results);
Posted: Sun Jun 10, 2007 5:07 pm
by Ollie Saunders
It sounds to me like you don't understand what is dangerous about register_globals. It is because you allow a user to define the value of an uninitialized variable.
Code:
<?php
// file.php
if ($something) {
    showSensitiveData();
}
can be run with file.php?something=1
Has this inadvertently answered your question?
Posted: Sun Jun 10, 2007 6:35 pm
by flimflam
Well, that's what I'm saying. If I do this:
Code:
<?php
// file.php
$something = null;
$something = null;
$something = $_POST['something'];
if ($something) {
    showSensitiveData();
}
Then it doesn't affect it, there is no APPARENT security problem. I was asking if that works or is there some way around what I've come up with.
Posted: Sun Jun 10, 2007 8:00 pm
by bdlang
Your question seems to indicate that you want to use the same variable name for several things but not have the values overwritten. This isn't possible.
The other issue stems from your apparent understanding of the security hole that register_globals makes, but you want to have your cake and eat it too. Whether or not there is a perceived security risk doesn't mean someone can't find one.
Posted: Mon Jun 11, 2007 2:56 am
by Ollie Saunders
flimflam wrote:
Well, that's what I'm saying. If I do this:
Code:
<?php
// file.php
$something = null;
$something = null;
$something = $_POST['something'];
if ($something) {
    showSensitiveData();
}
Then it doesn't affect it, there is no APPARENT security problem. I was asking if that works or is there some way around what I've come up with.
If you do that you are right. But people forget. One of the principles of security is called "defence in depth"; this is where you take multiple measures to ensure something is secure in case one of them fails.
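Added example, not part of any post in this thread: it contrasts a variable that is assigned on only one code path with one that is assigned before it is read, the two cases discussed above. register_globals was removed in PHP 5.4, so its import step is emulated here with extract() on constructed request arrays; the function names and the $authorized variable are hypothetical.

```php
<?php
// Added example. register_globals is emulated with extract(); EXTR_SKIP keeps
// the import from touching variables that already exist, mirroring the fact
// that the real import ran before any line of the script executed.

// Pattern at risk: $authorized is assigned on one code path only.
function vulnerable_page(array $request, bool $validLogin): string
{
    extract($request, EXTR_SKIP);   // request parameters become local variables
    if ($validLogin) {
        $authorized = true;         // the failed-login path never assigns it
    }
    return !empty($authorized) ? 'sensitive data' : 'denied';
}

// Pattern from the thread: assign the variable before it is ever read.
function initialized_page(array $request, bool $validLogin): string
{
    extract($request, EXTR_SKIP);
    $authorized = false;            // replaces whatever the request supplied
    if ($validLogin) {
        $authorized = true;
    }
    return $authorized ? 'sensitive data' : 'denied';
}

// Constructed sample requests (assumed for illustration, not from the thread).
$requests = array(
    'no parameters'  => array(),
    'authorized=1'   => array('authorized' => '1'),
    'authorized[]=1' => array('authorized' => array('1')),
);

// Every request is evaluated as a failed login ($validLogin = false).
foreach ($requests as $label => $request) {
    printf(
        "%-16s vulnerable: %-15s initialized: %s\n",
        $label,
        vulnerable_page($request, false),
        initialized_page($request, false)
    );
}
```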
Posted: Mon Jun 11, 2007 8:03 am
by Maugrim_The_Reaper
If possible, turn register_globals off. You can do it a few ways including .htaccess (with mod_php but NOT if PHP is running in CGI mode). There's also ini_set(). The last is more portable.
If the application requires register_globals to be enabled then check for an updated version, or maybe see if there's an alternative application for what you want, or just patch the application (if you wrote it) so register_globals is not required.
At the end of the day, it's a security risk. Applications which require register_globals to operate carry an inherently higher security risk than those which manually disable register_globals despite the local settings in php.ini.