Sure. The idea you have to understand is that nothing from the user can be trusted. When you are expecting a number and they enter a letter, it may mess things up and you have to be prepared for that.
With register_globals OFF in your php.ini file, all of the user input is present in the _GET, _POST, _REQUEST, or _COOKIE array. With register_globals ON, the variables are registered as regular variables. If you have a URL like page.php?id=1, then with them OFF, you have to use $_GET["id"] to get the value of one; with them ON, you can just use $id. Neither one is better than the other b/c the user can still just alter the URL and send a different value. The same is true for cookie and post data; the user can easily alter that and send whatever kind of data they want. You have to make sure it's what you think it will be.

One example is say you do a database call to check a username and password. If they are good, you set an $Authorized variable to 'YES'. Further in the page, you do if($Authorized == 'YES') { show_good_stuff(); }. Now, with register_globals ON, the user can easily type in a URL like page.php?Authorized=YES and they are in whether the query passes or not. With register_globals OFF, the user cannot create a $Authorized variable. If they try to pass it in the URL, it'll become $_GET["Authorized"], not $Authorized.

Now, this doesn't mean that ON or OFF is better than the other; it's how you program. You can easily leave register_globals ON and just make sure you set a value for $Authorized in your script (don't assume its value), like before you ever check the username and password, say $Authorized = FALSE; That way even if the user tries to alter the URL, you just set it to false regardless, and your script will be fine.

Hopefully that is clear. If you have any questions let me know. There are plenty of articles written about this; do a search on google for some or search the archives. The thing to remember is not to trust any user input and make sure you know where your variables are coming from.

---John Holmes...

----- Original Message -----
From: "Kurth Bemis (List Monkey)" <[EMAIL PROTECTED]>
To: "1LT John W. Holmes" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, May 25, 2002 4:07 PM
Subject: Re: [PHP] 4.2.1 Vars

> At 04:00 PM 5/25/2002 -0400, 1LT John W. Holmes wrote:
>
> Actually - i don't understand what the docs at PHP are talking about. care
> to enlighten me?
>
> ~kurth
>
> >Do you know what the security problems are? Do you realise that having
> >register_globals on or off isn't the security problem, it's how you write
> >your code? If you're not going to change any of your code, just turn on
> >register_globals. Changing your code to _POST or _GET and doing nothing else
> >isn't making it any more secure than using it the way it is with
> >register_globals on.
> >
> >---John Holmes...
> >
> >----- Original Message -----
> >From: "Kurth Bemis (List Monkey)" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Saturday, May 25, 2002 3:23 PM
> >Subject: [PHP] 4.2.1 Vars
> >
> > > After moving to php 4.2.1 my scripts that use xxx.php?blah=4 fail to work.
> > >
> > > I know that i need to turn register_globals on in my config, however I
> > > know that there are security problems with this. So basically I need to know
> > > how to make 500+ scripts work without editing a bunch of files to make it
> > > so that all my get and post vars start with $_POST and $_GET
> > >
> > > any ideas?
> > >
> > > ~kurth
> > >
> > > Kurth Bemis - Network/Systems Administrator, USAExpress.net/Ozone Computer
> > >
> > > Security is like an arms race; the best attackers will continue to search
> > > for more complicated exploits, so we will too.
> > > Quoted from http://www.openbsd.org/security.html
> > >
> > > [EMAIL PROTECTED] | http://kurth.hardcrypto.com
> > > PGP key available - http://kurth.hardcrypto.com/pgp
> > >
> > > Fight Weak Encryption! Donate your wasted CPU cycles to Distributed.net
> > > (http://www.distributed.net)
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
>
> "Jedi Business, Go back to your drinks" - Anakin Skywalker, AOTC
>
> [EMAIL PROTECTED] | http://kurth.hardcrypto.com
> PGP key available - http://kurth.hardcrypto.com/pgp
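The $Authorized pattern John describes, written out as an added example that is not code from the thread: first the fragile form that trusts a variable it never initialised, then with the $Authorized = FALSE initialisation he recommends, then the same decision read from $_GET with the type check the reply opens with (expecting a number, receiving a letter). check_credentials() is an assumed stand-in for the database lookup, the username/password fixture and the request arrays are constructed sample data, and extract() is used only to emulate what register_globals ON does to the request.

```php
<?php
// Added example, not from the mailing list thread or the PHP project.
// check_credentials() is assumed: in real code it is the database query John
// mentions. The fixture below is constructed sample data.
function check_credentials(string $user, string $pass): bool {
    $fixture = ['alice' => 'correct horse battery staple']; // constructed
    return isset($fixture[$user]) && hash_equals($fixture[$user], $pass);
}

// --- Fragile: relies on $Authorized not existing before this code runs. ---
// With register_globals ON, page.php?Authorized=YES creates $Authorized = 'YES'
// before the credential check, so the final test passes without a valid login.
// extract() emulates register_globals here purely for demonstration.
function fragile(array $request): bool {
    extract($request);                       // emulates register_globals ON
    if (check_credentials($username ?? '', $password ?? '')) {
        $Authorized = 'YES';
    }
    return isset($Authorized) && $Authorized == 'YES';
}

// --- Fixed as John suggests: set $Authorized yourself before the check. ---
function initialised(array $request): bool {
    extract($request);                       // still emulating register_globals ON
    $Authorized = FALSE;                     // never assume the value; overwrite it
    if (check_credentials($username ?? '', $password ?? '')) {
        $Authorized = 'YES';
    }
    return $Authorized === 'YES';
}

// --- register_globals OFF style: read the superglobal and validate the type. ---
// page.php?id=1 must arrive as a positive integer; a letter or an empty value
// is rejected instead of silently becoming 0 or "".
function validated_id(array $get): ?int {
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return ($id === false || $id === null) ? null : $id;
}

// Constructed requests standing in for the query string / form data.
$forged  = ['Authorized' => 'YES'];                                  // no credentials at all
$genuine = ['username' => 'alice', 'password' => 'correct horse battery staple'];

var_dump(fragile($forged));               // bool(true)  - the hole John describes
var_dump(initialised($forged));           // bool(false) - the URL value is overwritten
var_dump(initialised($genuine));          // bool(true)
var_dump(validated_id(['id' => '1']));    // int(1)
var_dump(validated_id(['id' => 'abc']));  // NULL - a letter where a number was expected
```

The point of the three functions is the one the reply makes: moving to $_GET by itself only changes where the value lives, while initialising your own state and validating the type of what you read is what actually closes the gap, whichever way register_globals is set.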