Setting register_globals to off (which is highly recommended) would prevent 
PHP from defining form variables as global variables.  For quite a while, 
since the PHP 3.0 times, PHP provided an alternative way of accessing 
variables - using special designated arrays - $HTTP_POST_VARS, 
$HTTP_GET_VARS, and so forth.  As of PHP 4.0.3 (IIRC), these variables are 
always defined, and are protected (to a degree) by PHP.  Setting 
register_globals to off effectively prevents any outer access to your 
namespace, outside $HTTP_*_VARS[].

Zeev

At 12:28 24/07/2001, PHP wrote:

>Hey all,
>
>         I am new to this list so if this topic has already been beaten to 
> death let me know.
>
>         I assume that many of you have already read this article
>
>         http://lwn.net/2001/0704/a/study-in-scarlet.php3 
>
>
>         about many of the basic security risks you need to be aware of 
> when developing in PHP.  I was curious what ideas have already been 
> covered in the areas of stopping this.  I also wanted to offer up my own 
> suggestion.
>
>         It seems that all the issues arise from the feature that sets PHP 
> variable to be form variables.  The cleanest solution I can think of 
> (albeit it breaks backward compatibility) would be to split the 
> namespace of form variables.  If normal or session variables stayed as 
> $foo and $bar then form variables would be %foo and %bar, or something 
> similar.   Breaking backward compatibility is bad but it would allow 
> future applications to be free of these dangers and could be something 
> set in the php.ini or rather a directive in the php script to allow old 
> and new style scripts on the same server.
>
>         If there is work already being done in this area please point me 
> to where I can read more about it.  PHP is far and away the best web 
> development language and is really only hindered by security issues like this.
>
>         Orion
>
>
>
>--
>PHP Development Mailing List <http://www.php.net/>
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>To contact the list administrators, e-mail: [EMAIL PROTECTED]

--
Zeev Suraski <[EMAIL PROTECTED]>
CTO &  co-founder, Zend Technologies Ltd. http://www.zend.com/


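As an added example (not code from this thread and not from PHP's own sources), the contrast Zeev describes: a script that silently depends on register_globals next to the same check written against $HTTP_POST_VARS with every variable initialized by the script, plus a runtime check of the ini setting. Function names such as access_granted_safe, the password field name, and the constructed credential are assumptions.

```php
<?php
// Added example; not code from the original thread or from PHP itself.
// It contrasts a script that depends on register_globals with one that
// reads request data only from the designated arrays Zeev mentions
// ($HTTP_GET_VARS / $HTTP_POST_VARS). Function names are illustrative.
//
// php.ini directive under discussion:
//     register_globals = Off

// Runtime check a defender can add: log (or refuse to run) if the
// deployment still has register_globals enabled.
function register_globals_enabled()
{
    $value = strtolower(trim((string) ini_get('register_globals')));
    return in_array($value, array('1', 'on', 'yes', 'true'));
}

// Hypothetical credential check; a real application would compare the
// submitted value against a stored credential.
function password_is_valid($password)
{
    return $password === 'constructed-example-secret';
}

// --- Pattern that only looks correct when register_globals is On ---------
// $authorized is never initialized by the script. With register_globals On,
// any request parameter named "authorized" becomes the global $authorized
// before this code runs, so the function trusts a value it never set.
function access_granted_unsafe()
{
    global $authorized, $password;       // both arrive from the request
    if (password_is_valid($password)) {
        $authorized = 1;
    }
    return !empty($authorized);
}

// --- Hardened pattern: correct with register_globals = Off ---------------
// Every variable gets an explicit default, and request input is taken only
// from $HTTP_POST_VARS, which PHP populates regardless of register_globals.
function access_granted_safe()
{
    global $HTTP_POST_VARS;
    $authorized = 0;                     // explicit default: deny
    $password = isset($HTTP_POST_VARS['password'])
        ? (string) $HTTP_POST_VARS['password'] : '';
    if (password_is_valid($password)) {
        $authorized = 1;
    }
    return $authorized === 1;
}

// Stand-alone self-check: simulate what the server would put in the array
// (constructed sample request, not a real submission).
$HTTP_POST_VARS = array('password' => 'wrong');
if (register_globals_enabled()) {
    error_log('register_globals is On; expected Off');
}
var_dump(access_granted_safe());  // result of the hardened check for the sample
```

Run it with `php script.php`; the hardened function denies the constructed request because its default is "deny" and the submitted password does not match. The $HTTP_*_VARS arrays were later superseded by $_GET/$_POST (PHP 4.1.0) and removed together with register_globals in PHP 5.4, but the discipline shown here, initialize every variable and read input only from the request arrays, is the same one that applies to $_POST today.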