Re: [PHP] PHP 5 Strings are References?!

2005-04-05 Thread Richard Lynch
On Wed, March 30, 2005 6:48 am, Jochem Maas said:
 I don't really think that's relevant, however, as PHP is storing $name
 back *IN* to my $_SESSION data, just because I did:
 $name = $_SESSION['name'];
 $name = "Fooey";

 $name is a STRING.

 It's not an object.

 It should *NOT* be a Reference!

 But it is a Reference, so changing $name alters $_SESSION['name']

Perhaps I'm being overly paranoid...

Consider the following, however.

Fact: One should not trust $_GET data, and should scrub it.

Fact: I'm on a shared server.

Fact: By definition, if *my* PHP script can read my session data, so can
*another* user's script on that server.

Thus, I had intended to 'scrub' session data with things like:

<?php
  session_start();
  $name = $_SESSION['name'];
  // Strip everything except letters, space, apostrophe, comma, period and hyphen.
  $name = preg_replace('/[^A-Za-z \',\\.-]/', '', $name);
  if ($name != $_SESSION['name']){
    // assume they are Bad People.
  }
?>

Needless to say, this isn't gonna do crap with this bug in PHP 5.0.3
making strings into references.

For the short term, I'm trusting session data (but not GET/POST, duh).

I suspect I could do:
$name = '' . $_SESSION['name'];
or somesuch to force the string to not be a reference.

But PHP doesn't *HAVE* strings as references.

I filed a bug report, but sniper's response was pretty much the same
auto-response register_globals

OTOH, he said it was fixed in CVS, so I guess it was only in 5.0.3???

Am I over-reacting?

I don't think so.

It's a nasty little bug that will completely bypass security measures to
scrub SESSION data, as described above.

I haven't really probed into this, to see how far / long the reference
nature of the string extends.

Perhaps the preg_replace would create a copy of the string...  Or not.  Or
maybe it would depend on if anything got replaced or not.  Or...

Sorry to reply so late, but I've been a tad busy lately, and just caught
up on PHP-General tonight.  [looks at watch]  Errr, make that this
morning, I guess. :-v

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
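
The scrub-and-compare check from the message above, written out as an added example that is not part of the original post: it makes the aliasing explicit with `&` (an assumption standing in for whatever binds `$name` to the session entry in the thread) and contrasts it with a validator, the hypothetical `validate_name()`, that tests the stored value directly instead of comparing two variables. `$session` is a constructed stand-in for `$_SESSION` so the script runs from the PHP CLI.

```php
<?php
// Added example; validate_name(), $session and the sample value are
// hypothetical and constructed for illustration.

// Whitelist check that inspects the value it is handed and returns a verdict.
// It never compares a "scrubbed copy" against the stored value, so it gives
// the same answer whether or not some other variable aliases that value.
function validate_name($value)
{
    // Same character class as the thread's pattern, anchored to the whole
    // string; /D stops "$" from matching before a trailing newline.
    return is_string($value)
        && preg_match('/^[A-Za-z \',.-]+$/D', $value) === 1;
}

// Constructed stand-in for $_SESSION holding a value that should be rejected.
$session = array('name' => 'Richard <script>Lynch');

// Explicit reference: $name and $session['name'] are now the same storage,
// which is the behaviour the thread reports for session strings.
$name = &$session['name'];

// 1) Validate the stored value first, before anything rewrites it.
$acceptedBeforeScrub = validate_name($session['name']);

// 2) The copy-and-compare scrub from the post. The write through $name also
//    rewrites $session['name'], so the two sides of the comparison are always
//    equal and the "Bad People" branch can never fire.
$name = preg_replace('/[^A-Za-z \',\\.-]/', '', $name);
$tamperingDetected = ($name != $session['name']);

echo 'validate_name() on stored value: ';
var_dump($acceptedBeforeScrub);
echo 'copy-and-compare detected tampering: ';
var_dump($tamperingDetected);
echo 'stored value after the scrub: ';
var_dump($session['name']);
```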



Re: [PHP] PHP 5 Strings are References?!

2005-03-30 Thread Jochem Maas
Chris wrote:
Richard Lynch wrote:

On Tue, March 29, 2005 7:58 pm, Chris said:
 

Richard Lynch wrote:
  
...
Are you sure you don't have register_globals enabled?
  
I tested Richard's reproduce script on php 5.0.3 on a Debian
machine with the following ini settings:
register_globals = Off
register_long_arrays = Off
register_argc_argv = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
(i.e. all relevant ini settings are php5 defaults)
and I get the same freakin' references from/in the SESSION array.

Actually, they *ARE* enabled by my webhost.
I don't really think that's relevant, however, as PHP is storing $name
back *IN* to my $_SESSION data, just because I did:
$name = $_SESSION['name'];
$name = "Fooey";
$name is a STRING.
It's not an object.
It should *NOT* be a Reference!
But it is a Reference, so changing $name alters $_SESSION['name']
 

Sorry, meant to reply to list, not just you.
All I'm saying is that Sessions act extremely oddly with 
register_globals enabled.

With register_globals on I believe the global variable, acts as a 
reference. It's not because it's a string, it's because it's a session 
variable, and it needs to keep track of changes to the variable.
I agree with Chris that register_globals can only cause more pain and 
misery :-/
but in this case the problem exists regardless of register_globals setting.
here is a func I sometimes use when going to war with a register_globals=On 
server :-)
nothing special and I blagged the idea from somewhere/someone (probably in the
user comments somewhere in the php manual :-/)
function unRegisterGlobals()
{
    if (ini_get('register_globals')) {
        $SGs = array($_SERVER, $_ENV, $_FILES, $_COOKIE, $_POST, $_GET);
        if (isset($_SESSION)) { array_unshift($SGs, $_SESSION); }
        // SG == super global
        foreach ($SGs as $sg) {
            // drop every global that register_globals created from this superglobal
            foreach ($sg as $k => $v) { unset($GLOBALS[ $k ]); }
        }
        ini_set('register_globals', false);
    }
}




[PHP] PHP 5 Strings are References?!

2005-03-29 Thread Richard Lynch
Aha!

Okay, here's the previous session question boiled down to its simplest:

<?php
  session_start();
  if (!isset($_SESSION['name'])){
    $_SESSION['name'] = 'Richard Lynch';
  }
  else{
    $name = $_SESSION['name'];
  }
  /* Assume a ton of code goes here */
  $name = 'Fooey';
  echo "Session name is: ", $_SESSION['name'], "<br />\n";
?>

Now, hit this page, re-load it, and what do *YOU* expect $_SESSION['name']
to output?

A) 'Richard Lynch', because you never re-assigned $_SESSION['name']
B) 'Fooey' because $name is a reference, and you changed it, so that
changed your session data.

*I* expected A)
Alas, the reality is B)

G.  I do *NOT* want all my strings to suddenly turn into pointers.
 If I wanted that kind of headache, I'd be coding in C! :-)

I should have known this from the get-go, when I saw  in my session data
with var_dump($_SESSION);  *WHY* are strings suddenly turning into
references?  They're *NOT* objects!

I'm about to go re-read the PHP 5 sections of the manual with a fine-tooth
comb to see if I just missed this as an upgrade issue.

It's pretty much going to break a hell of a lot of scripts, that's for sure.

Somebody please tell me this is a Bug, not a Feature

PHP 5.0.3
FreeBSD 5.3-RELEASE

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] PHP 5 Strings are References?!

2005-03-29 Thread Chris
Richard Lynch wrote:

On Tue, March 29, 2005 7:58 pm, Chris said:
 

Richard Lynch wrote:
   

Aha!
Okay, here's the previous session question boiled down to its simplest:
<?php
session_start();
if (!isset($_SESSION['name'])){
  $_SESSION['name'] = 'Richard Lynch';
}
else{
  $name = $_SESSION['name'];
}
/* Assume a ton of code goes here */
$name = 'Fooey';
echo "Session name is: ", $_SESSION['name'], "<br />\n";
?>
Now, hit this page, re-load it, and what do *YOU* expect
$_SESSION['name']
to output?
A) 'Richard Lynch', because you never re-assigned $_SESSION['name']
B) 'Fooey' because $name is a reference, and you changed it, so that
changed your session data.
*I* expected A)
Alas, the reality is B)
G.  I do *NOT* want all my strings to suddenly turn into
pointers.
If I wanted that kind of headache, I'd be coding in C! :-)
I should have known this from the get-go, when I saw  in my session data
with var_dump($_SESSION);  *WHY* are strings suddenly turning into
references?  They're *NOT* objects!
I'm about to go re-read the PHP 5 sections of the manual with a
fine-tooth
comb to see if I just missed this as an upgrade issue.
It's pretty much going to break a hell of a lot of scripts, that's for
sure.
Somebody please tell me this is a Bug, not a Feature
PHP 5.0.3
FreeBSD 5.3-RELEASE

 

Are you sure you don't have register_globals enabled?
   

Actually, they *ARE* enabled by my webhost.
I don't really think that's relevant, however, as PHP is storing $name
back *IN* to my $_SESSION data, just because I did:
$name = $_SESSION['name'];
$name = "Fooey";
$name is a STRING.
It's not an object.
It should *NOT* be a Reference!
But it is a Reference, so changing $name alters $_SESSION['name']
 

Sorry, meant to reply to list, not just you.
All I'm saying is that Sessions act extremely oddly with 
register_globals enabled.

With register_globals on I believe the global variable, acts as a 
reference. It's not because it's a string, it's because it's a session 
variable, and it needs to keep track of changes to the variable.
