----- Original Message -----
From: "Miguel Cruz" <[EMAIL PROTECTED]>
To: "Patrick Hsieh" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, May 09, 2002 11:52 AM
Subject: Re: [PHP] register_globals in php4


> On Fri, 10 May 2002, Patrick Hsieh wrote:
> > php4.1 recommends setting register_globals=off in php.ini to make php
> > more strict.  My question is, if I turn off register_globals, what will
> > happen if any malicious user just tries to modify the variable values in
> > the url? Say,
> >
> > http://www.domain.com/xxx.php?id=3&sex=female
> >
> > Does it work if a user just changes the value in the URL directly and sends
> > the url directly to the web server?
> >
> > How can we avoid a malicious attack by direct http GET/POST with
> > modified parameter values to make possible system error or compromise?
>
> If register_globals is off, then you'll get $_GET['id'] = 3 and
> $_GET['sex'] = female. It's then up to you to make sure those are okay.
> But at least $id and $sex won't get set until you explicitly set them in
> your code.
>
> miguel
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php


Hmm.  No offense Miguel, but I don't believe turning Registered Globals off
will have any effect on security.  Turning Registered Globals off just
provides a more strict environment for coding.  Example..

If the url were http://www.dom.com/index.php?password=xuUaB67sf

<?
    if (isset($_GET['password']))  // Registered globals off.
    {
        $password = $_GET['password'];
        echo $password;
    }
?>
 .. is no more or less secure than..
<?
    if (isset($password))   // Registered globals on.
    {
        echo $password;
    }
?>

> > How can we avoid a malicious attack by direct http GET/POST with
> > modified parameter values to make possible system error or compromise?

Security in this regard has everything to do with ensuring that the input
you're receiving is what you expect.  Some good tips would be to define
maximum string lengths, check for legal variable types, and look for invalid
characters.  If something doesn't look right then you simply don't allow the
request to proceed.  Example..

<?
function validate($str)
{
    $max_len = 15;
    $str_len = strlen($str);
    if ($str_len > $max_len)
        return FALSE;
    elseif (gettype($str) != "string")
        return FALSE;
    // The pattern must be a quoted string, and there must be no ";" after the
    // elseif, otherwise "return FALSE" runs unconditionally and the "else"
    // below no longer parses. (eregi() was removed in PHP 7; preg_match() is
    // the replacement there.)
    elseif (eregi("whatever you think might be invalid", $str))
        return FALSE;
    else
        return TRUE;
}

// With register_globals off, $password has to be read from $_GET explicitly.
$password = isset($_GET['password']) ? $_GET['password'] : '';

if (validate($password))
{
    echo $password;
}
else
{
    echo "INVALID INPUT";
    exit;
}
?>

Generally speaking this will be more than adequate.  But if you want to get
serious then you can record a timestamp and IP/domain for every transaction
on your website then auto-block any user spamming your system.  For example,
if someone is trying out passwords over and over again, after 3 consecutive
tries your system could block the transaction and print out a warning.
After 3 batches of 3 consecutive tries the system could block the user and
email you a notice.  But because this user information can be faked, the most
sophisticated systems.. the ones that corporations install behind their
firewalls and cost $20,000 for the installation alone, actually record and
analyze patterns of behavior using neural net software.

-Kevin
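A worked version of the two ideas in the message above (validate the parameter, then count consecutive failures per client address with the 3-tries / 3-batches thresholds), added here as an example and not code from the original thread. It swaps the deny-list regex for an allow-list; the function names, the in-memory array standing in for a database table, and the sample address are assumptions.

```php
<?php
// Added example, not from the original thread. Allow-list validation of the
// "password" parameter plus the 3-failures / 3-batches escalation described
// in the message. Function names are assumed; the in-memory $store array
// stands in for a database table keyed by client address.

function validate_password_param($str, $max_len = 15)
{
    // Reject non-strings, over-long values, and anything outside an explicit
    // allow-list (an allow-list is easier to reason about than a deny-list).
    return is_string($str)
        && strlen($str) <= $max_len
        && preg_match('/^[A-Za-z0-9_-]+$/', $str) === 1;
}

// Record one outcome for $ip. A success clears the consecutive-failure count.
// Returns 'allow', 'warn' (3rd consecutive failure) or 'block' (3rd batch).
function record_attempt(array &$store, $ip, $ok)
{
    if (!isset($store[$ip])) {
        $store[$ip] = array('fails' => 0, 'batches' => 0, 'last' => 0);
    }
    $store[$ip]['last'] = time();          // timestamp, as the message suggests
    if ($store[$ip]['batches'] >= 3) {
        return 'block';                     // already blocked; stays blocked
    }
    if ($ok) {
        $store[$ip]['fails'] = 0;
        return 'allow';
    }
    if (++$store[$ip]['fails'] < 3) {
        return 'allow';
    }
    $store[$ip]['fails'] = 0;               // batch of 3 complete
    return ++$store[$ip]['batches'] >= 3 ? 'block' : 'warn';
}

// Constructed sample: nine malformed values from one address, then a good one.
$store = array();
$ip = '203.0.113.5';                        // documentation-range address
$outcomes = array();
for ($i = 1; $i <= 9; $i++) {
    $param = "bad'pw" . $i;                 // the quote fails the allow-list
    $outcomes[] = record_attempt($store, $ip, validate_password_param($param));
}
$outcomes[] = record_attempt($store, $ip, validate_password_param('goodpw1'));
echo implode(',', $outcomes), "\n";
```

The last, well-formed request is still refused because the address has already completed its third batch, which is the point of keeping the block state separate from the per-request validation.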


