On Wednesday 01 August 2001 13:54, Yasuo Ohgaki wrote:
> > I don't think this is much of a problem. I unset() all the global
> > session variables before I use them so this should be no problem.
>
> All inputs (GET/POST/COOKIE) from users must be checked if you worry
> about security. You might have done this already.
>
> > Even if an attacker tries to set some value for a script variable,
> > this var will be unset() and then read from the session, so no harm
> > is done.
> >
> > On the other hand there should be no problem to change GLOBALS to
> > HTTP_XXX_VARS.
>
> The reason why I recommend to set register_globals=off, is it's a lot
> easier to write secure code with register_globals=off.

Yes I know, but if those scripts are going to be used on different servers, 
with different types of PHP coders, you can't be sure what the value of 
register_globals is (actually, some scripts need it to be on). So it is a little 
work, but you can be sure that your script will work everywhere.

Basically it is a good idea not to write scripts that depend on PHP's 
settings, to make sure that they'll work everywhere.

Take for example the value of magic_quotes_gpc. To be sure that your script 
will work correctly, don't assume that it is always on (or off). So
you can write 

if (!get_magic_quotes_gpc()) $var = addslashes($var);

or write a function myaddslashes that does the same thing.

> I also recommend you use error_reporting=E_ALL, since it seems you
> care about security. Scripts that I write catch every
> error/warning/notice as a fatal error and display a page telling "There
> is a critical error. Details are sent to the system administrator." They
> catch most errors, including malformed user inputs, system errors
> like cannot open connections, etc., and display an appropriate error page.
> They never raise any PHP error/warning/notice unless there is
> something really wrong.

Thanks for this tip :-)

> By the way, my code posted at zend.com will not catch all errors. I
> didn't put complete sources there. It would be too long for an example
> :)
>
> > But as I've said this isn't a problem. Can you see some way to
> > exploit the eval() function ?
>
> I cannot tell if your script is exploitable or not.
> Just too little info to tell that.


Is this statement safe ? 

eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"];');

I've tried different kinds of input to execute arbitrary PHP code, but found 
no such exploit. Maybe you can see something that I can't.

> Refer to my other reply, I guess you'll get my point.
>
> Regards,
> --
> Yasuo Ohgaki


Thanks
-- 
Kriheli Meir

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
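The two techniques discussed in this message, as an added example that is not code from the thread or from either poster: first, reading request data without depending on register_globals and normalising magic_quotes_gpc so the script escapes each value exactly once, whichever way php.ini is set; second, why the eval() statement above does not let request data into the evaluated code, and the contrasting pattern that would. The code targets the PHP 4/5 era the thread is about (magic_quotes_gpc and register_globals were removed in PHP 5.4, and get_magic_quotes_gpc() itself in PHP 8), assumes PHP 4.1 or later for the $_GET/$_POST/$_COOKIE arrays, and the helper names request_value() and unmagic() are made up here (myaddslashes is the name the message suggests).

```php
<?php
// Added example for the thread above; not the posters' code.
// Assumes PHP >= 4.1 (for $_GET/$_POST/$_COOKIE) and < 5.4 (magic quotes
// still exist).  request_value() and unmagic() are hypothetical helper names.

// --- Part 1: do not depend on register_globals or magic_quotes_gpc ---------

// Read request data only from the request arrays, never from ordinary
// globals, so the script behaves the same whether register_globals is on
// or off.  Order of precedence here is a choice for this example.
function request_value($name, $default = '') {
    if (isset($_POST[$name]))   return $_POST[$name];
    if (isset($_GET[$name]))    return $_GET[$name];
    if (isset($_COOKIE[$name])) return $_COOKIE[$name];
    return $default;
}

// If magic_quotes_gpc is on, PHP has already run addslashes() over every
// GPC value.  Undo that so the script always holds the raw value and adds
// escaping itself, once, at the point of use (e.g. just before an SQL
// string is built).  Arrays are handled recursively because a form field
// named like "item[]" arrives as one.
function unmagic($value) {
    if (!get_magic_quotes_gpc()) {
        return $value;
    }
    if (is_array($value)) {
        return array_map('unmagic', $value);
    }
    return stripslashes($value);
}

// The myaddslashes() the message mentions: escape a GPC value only if
// magic_quotes_gpc has not already done so.  Use this OR unmagic()+escape
// at the point of use, not both, or the value is escaped twice.
function myaddslashes($value) {
    return get_magic_quotes_gpc() ? $value : addslashes($value);
}

// --- Part 2: the eval() statement -----------------------------------------

// In the statement from the message the argument to eval() is a
// single-quoted string literal, so the PHP code being parsed is fixed at
// write time.  The request values are only *read* by that code when it runs;
// they never become part of it, so no input can change what is executed.
// That makes eval() unnecessary: the plain comparison does the same thing
// and is easier to audit.
$pass1 = unmagic(request_value('pass1'));
$pass2 = unmagic(request_value('pass2'));
$a = ($pass1 == $pass2);

// The pattern that IS dangerous is building the code string from input.
// With pass1 set to the constructed value   "; phpinfo(); $x = "
// the string below would read   $a = ""; phpinfo(); $x = "" == "...";
// and eval() would run phpinfo().  Left as a comment on purpose.
// eval('$a = "' . $pass1 . '" == "' . $pass2 . '";');
?>
```

The rule of thumb the example encodes: normalise every GPC value once on the way in (unmagic), escape once on the way out for whichever sink receives it, and keep eval() arguments to literals that contain no request data at all.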
