Addressed to: Rasmus Lerdorf <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
> Or you can simply stop these people from using PHP which is another
> effect turning off register_globals will have.
>
> Java does not have this problem because Java is so complex that this
> same set of users can not program in Java. Fixing this problem by
> making PHP more complex and eliminating these "problem" users is a bad
> idea as far as I am concerned.
YES!!
As I see it the whole issue revolves around the fact that some people
get used to the fact that undefined variables have a value, and rely on
it. These are the people who get hit when a hacker slips in his own
value in on such variables. If the programmer had just initialized
the variable at the top of the program, there would not be a problem.
I think the best thing you could do about this issue is:
1. ALWAYS report the use of an uninitialized variable, no matter what
level of error checking is in effect. At the very least send a message
to the error_log for every undefined variable. If the error level allows
it also complain to the browser and send an email to ServerAdmin. That
won't break any existing scripts, but depending on the text of the
email, it could give system administrators incentive to correct problem
scripts. [1] The 'send email' default should be on in the distribution.
2. Make it a FATAL error. Too bad that would break so many scripts...
Maybe it could be a major effect of the E_SECURE bit. On the other
hand, if you are serious about stamping out the uninitialized variable
problem, this will do it.
Register Globals is very convienent for people who write code with
PHP. Turning it off would be a great loss. The problem is not that
values passed to the server appear as variables, it is that some
programmers don't make sure they initialize every variable before they
use it.
-----------------------------------------------------------
[1]:
To: System Administrator <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
Subject: Potential Security Problem in a PHP Script
Warning: an undefined variable $I was accessed in myscript.php on line
123. This could be a serious security problem. For more information
see:
http://www.php.net/manual/en/security.uninitialized.php
In most cases you can correct this error by simply adding $I = 0;
somewhere before you attempt to use its value. If line 123 is within a
loop, be sure to initialize the value before the beginning of the loop.
A simple way to handle this is to initialize all variables you get this
warning on at the very top of the script.
You can stop these emails by removing E_UNINIT_EMAIL from
error_reporting in your php.ini file. This problem has serious security
implications and should not be ignored. Please read the web page listed
above before you decide what to do.
Rick Widmer
Internet Marketing Specialists
http://www.developersdesk.com
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
