On Thursday 05 June 2003 01:43, Rouvas Stathis wrote:
> I strongly disagree with that.
> Consider the following code (assuming $foo is 'external' variable):
>
> 1: if ($foo=='yes') transfer_money_to_me();
>
> 2: if ($_GET['foo']=='yes') transfer_money_to_me();
>
> Why is (2) safer than (1)? Answer: It is *not*.
Consider this slightly more substantial example:
// Case 1: register_globals = on
if ($user == 'me' && $password == 'correct') {
    $admin = TRUE;
}
if ($admin) { list_all_members_sordid_details(); }

and

// Case 2: register_globals = off
if ($_GET['user'] == 'me' && $_GET['password'] == 'correct') {
    $admin = TRUE;
}
if ($admin) { list_all_members_sordid_details(); }
In case 1, a malicious person can bypass your password checks by passing
admin=1 in the URL.
> As Rasmus has correctly pointed out, the usage of "register_globals=off"
> per se cannot be considered a security measure. If you don't initialize
> and/or check *all* user-supported variables, you're dead. It's as simple
> as that. Is it annoying? Maybe. Is it necessary? *yes*
I tend to think of it as a safety net.
Of course the problems with case 1 could be prevented by explicitly
initialising the variables ...
if ($user == 'me' && $password == 'correct') {
    $admin = TRUE;
} else {
    $admin = FALSE;
}
... and extra meticulous coding:
if ($admin === TRUE) { list_all_members_sordid_details(); }
Nobody's perfect, heck even MS cannot write safe code (!), so
register_globals=0 gives you a little extra breathing space.
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
PHP General Mailing List (http://www.php.net/)
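The bypass described in the post, as an added example that is not code from the thread: the three variants of the check are run against one constructed request (wrong password, plus an extra admin=1 parameter). Modern PHP no longer has register_globals, so extract() stands in for it; only the uninitialised register_globals=on variant grants admin.

```php
<?php
// Added example, not code from the thread. register_globals is gone from modern
// PHP, so extract() is used to emulate what it did: every request parameter
// becomes a plain variable. The request array below is constructed for the demo.

// Constructed request: wrong password, but an extra admin=1 parameter.
$request = ['user' => 'me', 'password' => 'wrong', 'admin' => '1'];

// Case 1 from the post: register_globals=on, $admin never initialised.
function case1_register_globals_on(array $request): bool
{
    extract($request); // emulates register_globals: sets $user, $password, $admin
    if ($user == 'me' && $password == 'correct') {
        $admin = TRUE;
    }
    // Nothing else assigns $admin, so the request-supplied '1' is still there.
    return $admin ? true : false;
}

// Case 1 with the fixes suggested in the post: initialise both branches and
// use a strict comparison, so a request-supplied string cannot satisfy it.
function case1_hardened(array $request): bool
{
    extract($request);
    if ($user == 'me' && $password == 'correct') {
        $admin = TRUE;
    } else {
        $admin = FALSE;
    }
    return $admin === TRUE;
}

// Case 2 from the post: register_globals=off, input read only from the request
// array, with $admin initialised before the check.
function case2_register_globals_off(array $get): bool
{
    $admin = FALSE;
    if (($get['user'] ?? '') == 'me' && ($get['password'] ?? '') == 'correct') {
        $admin = TRUE;
    }
    return $admin === TRUE;
}

printf("case 1 (register_globals on):  admin=%s\n", var_export(case1_register_globals_on($request), true));
printf("case 1 (hardened):             admin=%s\n", var_export(case1_hardened($request), true));
printf("case 2 (register_globals off): admin=%s\n", var_export(case2_register_globals_off($request), true));
```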