Re: [PHP] solutions to disadvantages when register_globals is off

Sun, 21 Jan 2001 11:28:31 -0800 

For experienced PHP developers having register_globals on should not be a
security issue.  Injecting arbitrary variables into your symbol table is
only a problem if you arbitrarily use such variables without initializing
or checking them for validity.

I think the main point of concern here is that register_globals makes life
very easy on inexperienced developers and these are the same people most
likely to do something silly like:

<?
    include $file;
    ...
?>

Note that doing:

<?
    include $HTTP_POST_VARS['file'];
    ...
?>

really isn't any safer.  People won't be able to put file=/etc/passwd
right in the URL, but they can still trivially fake up a form post and
inject whatever value for 'file' into the POST data.

It all boils down to verifying any and all user-supplied data.

-Rasmus

On Sun, 21 Jan 2001, Dale Robinson wrote:

> Everyone seems to recommend turning off register_globals, but accessing them
> through $HTTP_POST_VARS["var_name"], gets tedious.
>
> I haven't found a better solution (not to say there isn't one) than this
> small snippet.
>
> The idea is to turn off "register_globals", as I believe is heavily
> recommended by the PHP team, and declare what variables you are expecting on
> a per script basis.
> Magic-quotes would also be off. Hopefully this makes all external variables
> safe.
>
> I was hoping some experienced users would cast their eye over this and
> suggest any improvements, and comment if it is worth doing at all
>
> define("ALLOWABLE_HTML_TAGS", "<B><H1>");
>
> function use_ext_var($var_name, $var_location)
> {
>     global $$var_name, $$var_location;
>
>     $$var_name = ${$var_location}[$var_name];
>     $$var_name = stripslashes($$var_name);
>     $$var_name = strip_tags($$var_name, ALLOWABLE_HTML_TAGS);
>
> }
>
> use_ext_var("sample_var", "HTTP_GET_VARS");
> print $sample_var;
>
> How are other people handling this, or are most of you 'lazy' and just use
> globals :)
>
> Regards
>
> D Robinson
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to