Thanks for the extremely quick response,

So setting error_reporting to E_ALL, and making sure you take heed of any
"Undefined variable" notices, will allow you to use register_globals in
safety?

Regards
Dale Robinson

----- Original Message -----
From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
To: "Dale Robinson" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, January 21, 2001 7:42 PM
Subject: Re: [PHP] solutions to disadvantages when register_globals is off


> For experienced PHP developers having register_globals on should not be a
> security issue.  Injecting arbitrary variables into your symbol table is
> only a problem if you arbitrarily use such variables without initializing
> or checking them for validity.
>
> I think the main point of concern here is that register_globals makes life
> very easy on inexperienced developers and these are the same people most
> likely to do something silly like:
>
> <?
>     include $file;
>     ...
> ?>
>
> Note that doing:
>
> <?
>     include $HTTP_POST_VARS['file'];
>     ...
> ?>
>
> really isn't any safer.  People won't be able to put file=/etc/passwd
> right in the URL, but they can still trivially fake up a form post and
> inject whatever value for 'file' into the POST data.
>
> It all boils down to verifying any and all user-supplied data.
>
> -Rasmus
>
> On Sun, 21 Jan 2001, Dale Robinson wrote:
>
> > Everyone seems to recommend turning off register_globals, but accessing
> > them through $HTTP_POST_VARS["var_name"], gets tedious.
> >
> > I haven't found a better solution (not to say there isn't one) than this
> > small snippet.
> >
> > The idea is to turn off "register_globals", as I believe is heavily
> > recommended by the PHP team, and declare what variables you are
> > expecting on a per script basis.
> > Magic-quotes would also be off. Hopefully this makes all external
> > variables safe.
> >
> > I was hoping some experienced users would cast their eye over this and
> > suggest any improvements, and comment if it is worth doing at all
> >
> > define("ALLOWABLE_HTML_TAGS", "<B><H1>");
> >
> > function use_ext_var($var_name, $var_location)
> > {
> >     // Create the named global from the chosen request array (e.g. HTTP_GET_VARS)
> >     global $$var_name, $$var_location;
> >
> >     $$var_name = ${$var_location}[$var_name];
> >     // stripslashes() only undoes magic_quotes_gpc; with it off it would eat real backslashes
> >     if (get_magic_quotes_gpc()) {
> >         $$var_name = stripslashes($$var_name);
> >     }
> >     $$var_name = strip_tags($$var_name, ALLOWABLE_HTML_TAGS);
> >
> > }
> >
> > use_ext_var("sample_var", "HTTP_GET_VARS");
> > print $sample_var;
> >
> > How are other people handling this, or are most of you 'lazy' and just
> > use globals :)
> >
> > Regards
> >
> > D Robinson
> >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> >
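An added example, not code from the thread, showing what "verifying any and all user-supplied data" looks like for the two cases discussed above: the include target and the per-script declared variables. It works on $_GET/$_POST-style arrays (the modern names for $HTTP_GET_VARS/$HTTP_POST_VARS), assumes PHP 7.4+, and the pages/ paths and request values are constructed.

```php
<?php
// Added example (not code from the thread). Uses $_GET/$_POST-style arrays,
// the modern names for $HTTP_GET_VARS/$HTTP_POST_VARS; assumes PHP 7.4+.

// Hardened form of "include $file": the request may only pick a key, the
// script owns the mapping from key to path, so no request value ever
// becomes part of a filename (the pages/ paths are assumed).
const PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(array $request, string $default = 'home'): string
{
    $key = $request['page'] ?? $default;
    if (!is_string($key) || !isset(PAGES[$key])) {
        $key = $default;   // unknown key: fall back, never build a path from it
    }
    return PAGES[$key];
}

// Per-script declaration of expected variables, as the thread proposes,
// but each one is checked against its own rule instead of a blanket
// strip_tags(); anything that fails gets the default, not the raw input.
function use_ext_var(array $source, string $name, callable $valid, $default = null)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;   // missing, or an array where a scalar was expected
    }
    return $valid($source[$name]) ? $source[$name] : $default;
}

// Constructed request, standing in for $_GET, carrying hostile values.
$request = [
    'page' => '../../etc/passwd',
    'qty'  => '12abc',
    'name' => '<script>alert(1)</script>',
];

$page = resolve_page($request);                       // traversal attempt ignored, default page
$qty  = (int) use_ext_var($request, 'qty', fn($v) => preg_match('/^\d{1,4}$/', $v), '1');
$name = use_ext_var($request, 'name', fn($v) => strlen($v) <= 40, '');

// Validation decides what is accepted; escaping on output handles what is shown.
echo $page, "\n", $qty, "\n", htmlspecialchars($name, ENT_QUOTES), "\n";
```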