On Wed, 2003-06-04 at 10:43, Rouvas Stathis wrote:
> Armand Turpel wrote:
> >
> > > On Wed, 4 Jun 2003, Jay Blanchard wrote:
> > >
> > > > [snip]
> > > > Having register_globals set to ON is one way of leaving your script
> > > > open to being exploitable.
> > > > [/snip]
> > > >
> > > > Please explain this, how does it make it more exploitable? I think
> > > > that this is only true if the code is sloppy.
> > >
> > > Correct, if you properly initialize your internal variables there is
> > > nothing insecure about leaving register_globals on.
> >
> > But how do you know, if you have a few thousand lines of PHP code, which
> > parts have some sloppy code? Nobody is perfect. In my opinion you should
> > turn register_globals off if it's possible. It's much more secure.
>
> I strongly disagree with that.
> Consider the following code (assuming $foo is an 'external' variable):
I think his point had more to do with the fact that there is some benefit
to having register_globals = off, in that everybody is going to screw up
sometime, and with register_globals = off at least you have a bit more help
when you do.

From my point of view, this whole thing is being looked at the wrong way
'round. The question shouldn't be "what is the advantage of
register_globals = off?", but "what is the advantage of register_globals =
on?" The answer, of course, is that there isn't any. While the advantages
of 'off' have been way overblown, at least there are some. :)

Torben

> 1: if ($foo=='yes') transfer_money_to_me();
>
> 2: if ($_GET['foo']=='yes') transfer_money_to_me();
>
> Why is (2) safer than (1)? Answer: It is *not*.
>
> As Rasmus has correctly pointed out, the usage of "register_globals=off"
> per se cannot be considered a security measure. If you don't initialize
> and/or check *all* user-supported variables, you're dead. It's as simple
> as that. Is it annoying? Maybe. Is it necessary? *yes*
>
> Anyway, IIRC the whole issue of register_globals started when some guy
> presented a paper named "A Study in Scarlet". A whole lot of issues
> were presented in that paper, which in my opinion, have been blown
> quite out of perspective. register_globals is one of them.
>
> Oh boy, this is starting to look like an urban myth: "-Hey do you know
> that register_globals=on is bad? - Really? -Yeah, and you know what? It
> allows the bad boys to do eeeevil things".
>
> -Stathis.
>
> > > -Rasmus
> > >

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
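The following is an added example, not code from anyone in this thread. It puts the three positions above side by side: a check that relies on a flag nobody initialised (the "sloppy code" Jay and Armand worry about), the same check with the flag initialised first (Rasmus's point), and a check that reads only from the request array (Stathis's example 2). Because register_globals was removed in PHP 5.4, the script emulates it with `extract()` on constructed request arrays; the password value `correct-horse` and the `$request` arrays are invented for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed credential used by the stubbed login check.
const DEMO_PASSWORD = 'correct-horse';

/**
 * Pattern A: sloppy. $authorized is only ever assigned on a successful
 * login and is never initialised, so whatever the request injected
 * under that name survives until the final test.
 */
function check_sloppy(array $request, bool $register_globals): bool
{
    if ($register_globals) {
        extract($request); // emulates register_globals=on (request keys become variables)
    }
    if (($request['password'] ?? '') === DEMO_PASSWORD) {
        $authorized = true;
    }
    return isset($authorized) && (bool) $authorized;
}

/**
 * Pattern B: Rasmus's fix. The flag is initialised before use, so a
 * request-supplied $authorized is overwritten regardless of the ini setting.
 */
function check_initialised(array $request, bool $register_globals): bool
{
    if ($register_globals) {
        extract($request);
    }
    $authorized = false; // always reset; request cannot pre-set it
    if (($request['password'] ?? '') === DEMO_PASSWORD) {
        $authorized = true;
    }
    return $authorized;
}

/**
 * Pattern C: Stathis's example 2. Only the request array (in real code,
 * $_GET/$_POST) is consulted; bare variables are never read.
 */
function check_explicit(array $request, bool $register_globals): bool
{
    if ($register_globals) {
        extract($request);
    }
    return ($request['password'] ?? '') === DEMO_PASSWORD;
}

// Constructed requests: a genuine login, a forged "authorized=1" parameter,
// and an empty request.
$cases = [
    'legit login' => ['password' => DEMO_PASSWORD],
    'forged flag' => ['authorized' => '1'],
    'no creds'    => [],
];

foreach ($cases as $label => $request) {
    foreach ([true, false] as $rg) {
        printf(
            "%-12s register_globals=%-3s  sloppy=%d  initialised=%d  explicit=%d\n",
            $label,
            $rg ? 'on' : 'off',
            (int) check_sloppy($request, $rg),
            (int) check_initialised($request, $rg),
            (int) check_explicit($request, $rg)
        );
    }
}
```

Running it shows only one row granting access without the password: the sloppy check with register_globals on and the forged flag. Both hardened patterns behave identically whether the setting is on or off, which is exactly Stathis's argument, while the sloppy row is the case Torben has in mind when he says `off` gives you "a bit more help" once somebody slips. On any PHP 5.3 or older install, `register_globals = Off` in php.ini removes that row's exposure outright.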