PHP Security Blog wrote: Tobias Schlitt gave me a link to the article 10 Tips That Every PHP Developer Should Know, Part 2 by Jeffery Vaska that recently appeared on phpbuilder.com. I was kinda shocked when I saw Tip #5, which describes how to deal with $_GET and $_POST. It mentions that a developer can use extract($_POST) to eliminate the need to assign every single entry manually. It also mentions:
This is a matter of convenience and is not always a best practice.
It completely fails to mention that using extract() without using prefixes or the parameter EXTR_SKIP is usually a very big security hole, because it allows an external attacker to overwrite every variable, including the superglobals (unless you use the Hardening-Patch), and this can lead in many cases to SQL injection or even Remote Code Execution vulnerabilities.
Gulftech has recently released an advisory for SquirrelMail that describes exactly such an extract($_POST) flaw.
Yup. The issue is really that unchecked/unverified user-input is assigned to PHP variables. extract(), however, is, from my experience, more commonly used than parse_str().
For superglobals (e.g. $_POST, $_GET, $_REQUEST etc.) it's a gaping security hole waiting to be exploited. Don't use extract/parse_str on them as these functions blindly assign unchecked values.
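The overwrite the thread is talking about, as an added example that is not part of the blog post, the advisory or anyone's reply: a script initialises its own flag, then calls extract() on request data, first with the default flags and then with EXTR_SKIP and EXTR_PREFIX_ALL. The $_POST contents are constructed here to stand in for a client-supplied request.

```php
<?php
// Added example, not code from the original thread. Demonstrates why
// extract() on request data is dangerous and how the two safe variants behave.

// Constructed request data: a client can put any key it likes in $_POST.
$_POST = ['authenticated' => '1', 'username' => 'guest'];

function vulnerable(array $post): bool
{
    $authenticated = false;            // decided by the application
    extract($post);                    // default flag is EXTR_OVERWRITE
    return (bool) $authenticated;      // the request has replaced the flag
}

function withSkip(array $post): bool
{
    $authenticated = false;
    extract($post, EXTR_SKIP);         // variables that already exist are left alone
    return (bool) $authenticated;      // only $username was created
}

function withPrefix(array $post): bool
{
    $authenticated = false;
    extract($post, EXTR_PREFIX_ALL, 'form'); // creates $form_authenticated, $form_username
    return (bool) $authenticated;      // request data never touches the flag
}

var_dump(vulnerable($_POST));
var_dump(withSkip($_POST));
var_dump(withPrefix($_POST));
```

EXTR_SKIP only protects variables that were assigned before the call; any variable the script reads later without initialising it first is still filled in by the request, so the prefixed form (or no extract() at all on superglobals) is the safer habit.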
Well, not on their own, I mean, but they've been the center of a lot of holes relating to other functions that use them. I believe PHP.net's website mentioned to turn off Superglobals at one time, and even had them turned off as default in their installs (before PHP 5 of course... This is all PHP 4). I've been playing with PHP since PHP 3... Yet I still haven't given PHP enough time to learn it X_x.