OK, so I was really bored today and started reading through some PHP
security stuff starting with the php.ini-recommended and found the register
globals off stuff. So you don't have to find it yourself, here's a direct
lift from the file:
; This is the recommended, PHP 4-style version of the php.ini-dist file. It
; sets some non standard settings, that make PHP more efficient, more
secure,
; and encourage cleaner coding.
; The price is that with these settings, PHP may be incompatible with some
; applications, and sometimes, more difficult to develop with. Using this
; file is warmly recommended for production sites. As all of the changes
from
; the standard settings are thoroughly documented, you can go over each one,
; and decide whether you want to use it or not.
;
; For general information about the php.ini file, please consult the
php.ini-dist
; file, included in your PHP distribution.
;
; This file is different from the php.ini-dist file in the fact that it
features
; different values for several directives, in order to improve performance,
while
; possibly breaking compatibility with the standard out-of-the-box behavior
of
; PHP 3. Please make sure you read what's different, and modify your
scripts
; accordingly, if you decide to use this file instead.
;
; - register_globals = Off [Security, Performance]
; Global variables are no longer registered for input data (POST, GET,
cookies,
; environment and other server variables). Instead of using $foo, you
must use
; you can use $_REQUEST[foo] (includes any variable that arrives
through the
; request, namely, POST, GET and cookie variables), or use one of the
specific
; $_GET[foo], $_POST[foo], $_COOKIE[foo] or $_FILES[foo],
depending
; on where the input originates. Also, you can look at the
; import_request_variables() function.
; Note that register_globals is going to be depracated (i.e., turned off
by
; default) in the next version of PHP, because it often leads to
security bugs.
; Read http://php.net/manual/en/security.registerglobals.php for further
; information.
I understand that this applies to data put into a form to be submitted to a
database (or another page, I guess), but does it also apply to
variable/value pairs passed along the URL from a hyperlink (a
href=foo/bar.php?thisVar=thisValClick here./a)? I couldn't quite get it
from the explanation above. Would I need to reference the passed variable
with $_GET[thisVal] on the receiving page (bar.php)? I'm sure I would have
to if $thisVar was passed from a form with the GET method, but wasn't sure
about the hyperlink stuff.
Anybody working with register globals off already that can clear this up?
Thanks,
Rich
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
