Now I understand! I hadn't twigged to the danger of _internal_ variables
getting overwritten by bogus get/post variables.

Thanks to you all.

Euan

"Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > Actually it's not "dangerous" per se.
> >
> > However it can be very dangerous if you aren't being careful in your
> > code, for instance, consider this.
> >
> > Let's say I've conditionally set $sql somewhere else in the code based
> > upon certain conditions, which works fine. But let's say those conditions
> > aren't met so $sql doesn't get set to anything since it's not really used.
> > Now consider this code:
> >
> > if ($sql)
> > {
> > $result = mysql_query($sql);
> > }
> >
> > Now that would be fine for all normal instances. But now what if someone
> > appends this onto the end of your url:
> >
> > ?query=
> >
> > ...plus something like "DROP databasename". It doesn't take too much
> > imagination to see what kind of things could happen if someone just had
> > a little bit of knowledge about how your code works.
> >
> > Thus you have two options. One is of course to turn register_globals
> > off, but ALWAYS ALWAYS _ALWAYS_ set a default for every variable you refer
> > to in your script at some point before doing anything with it. So if you
> > use $sql, be 100% sure that $sql has been set explicitly in your code
> > before doing anything with it.
>
> Whether you turn register_globals off or not, you need to always watch
> cases like this.  I have seen many people say that register_globals is
> inherently insecure and then they turn it off and go through and use
> something like $HTTP_POST_VARS['sql'] everywhere they used to use $sql.
> This only makes it slightly more tedious to inject bogus variables into
> since the attacker now needs to make a trivial little form to inject stuff
> into the POST data instead of just sticking it onto the URL.
> Security-wise there is no difference whatsoever.
>
> Never never never trust user-supplied data implicitly.  Always check
> anything that could possibly come from the user.  For internal variables,
> always initialize them and just generally think things through as you
> write your scripts.  This is no different in PHP than in any other
> scripting language used for web work.
>
> -Rasmus
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>

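The pattern discussed in the thread, as an added example that is not code from either poster: the uninitialized `$sql` beside a version that sets a default and reads request data only through `$_GET` with an allow-list. `extract()` stands in for `register_globals=On` so the script runs on a modern PHP without that setting, and the request array is constructed for illustration; no database is touched.

```php
<?php
// Constructed request: an attacker has appended ?sql=... to the URL.
$request = ['sql' => 'DROP DATABASE shop'];

// Vulnerable: $sql is only assigned on one code path. On the other path it
// still holds whatever register_globals (here: extract) imported from the
// query string, so if ($sql) is true and the attacker's string goes to the DB.
function vulnerable_lookup(array $get, bool $logged_in): ?string
{
    extract($get);                 // stand-in for register_globals=On
    if ($logged_in) {
        $sql = "SELECT name FROM users WHERE active = 1";
    }
    if (isset($sql) && $sql) {
        return $sql;               // would have been passed to mysql_query()
    }
    return null;
}

// Hardened: every variable gets a default before use, request data is read
// only from the request array, and the one user-influenced piece is mapped
// through an allow-list so the final string never contains user input.
function hardened_lookup(array $get, bool $logged_in): ?string
{
    $sql = '';                     // explicit default; cannot be injected
    $allowed = ['name' => 'name', 'email' => 'email'];
    $column = 'name';
    if (isset($get['field']) && isset($allowed[$get['field']])) {
        $column = $allowed[$get['field']];   // taken from our table, not the user
    }
    if ($logged_in) {
        $sql = "SELECT $column FROM users WHERE active = 1";
    }
    return $sql === '' ? null : $sql;
}

var_dump(vulnerable_lookup($request, false));          // attacker-controlled query
var_dump(hardened_lookup($request, false));            // no query at all
var_dump(hardened_lookup(['field' => 'email'], true)); // allow-listed column
```

Run it with `php example.php`; the first dump shows the injected statement surviving the `if ($sql)` guard, the second shows the initialized variable defeating it.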