Re: [PHP] Re: Using register_globals

2003-06-12 Thread Jim McNeely
I'm a bit of a neophyte with php, and I've read through lots of prior 
posts and the php.net online docs, but some of this is still not 
registering in my head. TIA for your patience.

I've got a script I include at the head of each of my scripts that 
checks $_POST['username'] and $_POST['password'] against a database, 
and exits to an error page if it doesn't check out. Every link is a 
post where it passes these two values. So if you open any page in the 
whole thing it has to have the actual value of a real username and 
password or it exits to an error page asking for these values.

This seems to have been working fine, but when I installed a newer 
version of php it started making noise about register globals being 
off. Upon further reading, it seems SESSIONS are insecure, COOKIES are 
insecure, POSTS and GETS are insecure. It seems to me that you would 
have to write some exceptionally stupid code for these things to be 
really openly insecure, so I must be missing something.

After a point it seems like if you leave your machine off or disconnect 
it from the network that would be the most secure but you have to pass 
this info somehow. What is the accepted practice for passing user info 
into variables?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Re: Using register_globals

2003-06-12 Thread Philip Olson

Won't this topic just die? :)

register_globals is not insecure, users are insecure.  Yes, you
can write insecure code with it on or off, and secure code with
it on or off.  By users I mean people who write code, and people
who use it (the evil users are the ones that use the website,
and pass along evil REQUEST data).

In short, read these:

  http://www.php.net/variables.external
  http://www.php.net/security.registerglobals

It should be pretty clear that register_globals = off is preferred
but it's up to you, this is why we have PHP directives.  Turning
off your computer is indeed the ideal security measure!

Regards,
Philip







Re: [PHP] Re: Using register_globals

2003-06-08 Thread Philip Olson
[snip]
 <rant>
 
 register_globals=off won't make good code any better --it's just 
 a safety net for the sloppy coders.
[snip]

In some sense, register_globals = off makes both bad and
good code better, because it means less pollution.   So
many unused variables get defined with register_globals
on and this means wasted memory/resources.  Pollution 
makes any environment worse!  Granted this isn't what you
meant, but still... ;)

Regards,
Philip






Re: [PHP] Re: Using register_globals

2003-06-08 Thread Don Read

On 08-Jun-2003 Philip Olson wrote:
 [snip]
 <rant>
 
 register_globals=off won't make good code any better --it's just 
 a safety net for the sloppy coders.
 [snip]
 
 In some sense, register_globals = off makes both bad and
 good code better, because it means less pollution.   So
 many unused variables get defined with register_globals
 on and this means wasted memory/resources.  Pollution 
 makes any environment worse!  Granted this isn't what you
 meant, but still... ;)
 

Also true. 

On namespace pollution  --based on some of the replies I've seen on the
list, there's a sizable number of neophyte (and too many veteran) coders
that are starting scripts with:

<?php
extract($_GET); extract($_POST); extract($_COOKIE);
...

And so far, I don't recall anybody mention that you need to
unset($admin, $internal_var, $nukenewyork, ...) afterwards.

So nothing's really changed. 
Bad code will mysteriously go tits-up (or worse) and good code will 
keep on cranking.

No matter what register_globals= is set to.

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.




Re: [PHP] Re: Using register_globals

2003-06-08 Thread Philip Olson
 On 08-Jun-2003 Philip Olson wrote:
  [snip]
  <rant>
  
  register_globals=off won't make good code any better --it's just 
  a safety net for the sloppy coders.
  [snip]
  
  In some sense, register_globals = off makes both bad and
  good code better, because it means less pollution.   So
  many unused variables get defined with register_globals
  on and this means wasted memory/resources.  Pollution 
  makes any environment worse!  Granted this isn't what you
  meant, but still... ;)
  
 
 Also true. 
 
 On namespace pollution  --based on some of the replies I've seen on the
 list, there's a sizable number of neophyte (and too many veteran) coders
 that are starting scripts with:
 
 <?php
 extract($_GET); extract($_POST); extract($_COOKIE);
 ...
 
 And so far, I don't recall anybody mention that you need to
 unset($admin, $internal_var, $nukenewyork, ...) afterwards.
 
 So nothing's really changed. 
 Bad code will mysteriously go tits-up (or worse) and good code will 
 keep on cranking.
 
 No matter what register_globals= is set to.

Anyone that would suggest using extract() like that would
only do so to quickly make a register_globals dependent
script work (using .htaccess would be preferred there). I
doubt people actually do that for new code, well, at least 
anyone with half a brain.

Regards,
Philip





Re: [PHP] Re: Using register_globals

2003-06-07 Thread Don Read

On 04-Jun-2003 Jason Wong wrote:

 In case 1, a malicious person can bypass your password checks by passing 
 admin=1 in the URL.
 
 As Rasmus has correctly pointed out, the usage of register_globals=off
 per se cannot be considered a security measure. If you don't initialize
 and/or check *all* user-supported variables, you're dead. It's as simple
 as that. Is it annoying? Maybe. Is it necessary? *yes*
 
 I tend to think of it as a safety net.
 
 Of course the problems with case 1 could be prevented by explicitly 
 initialising the variables ...
 
   if ($user == 'me' && $password == 'correct') {
 $admin = TRUE; }
   else {
 $admin = FALSE;
   } 
 

True. If everybody initialized variables or PHP errored out on 
undeclared vars then the question wouldn't have come up.

 ... and extra meticulous coding:
 
   if ($admin === TRUE) { list_all_members_sordid_details(); }
 

Using a global like that could be an example of problem code.
Sensitive stuff should be within a well defined routine:

function isadmin() {
    // Credentials come from $_SERVER; the bare $PHP_AUTH_USER/$PHP_AUTH_PW
    // globals exist only with register_globals on and could then be set
    // from the query string as well (see Wendell's message in this thread).
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pw   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
    static $admlogin = FALSE, $didit = FALSE;

    if ($didit)
        return $admlogin;          // already decided on an earlier call

    $didit = TRUE;
    // ADMINNAME and ADMINPASS are constants defined elsewhere
    if (strcmp($user, ADMINNAME) == 0 && strcmp($pw, ADMINPASS) == 0)
        $admlogin = TRUE;

    return $admlogin;
}

...

if (isadmin()) ...


<rant>

register_globals=off won't make good code any better --it's just 
a safety net for the sloppy coders.

The real lesson is: Don't be (or hire) a sloppy programmer.

I understand why the PHP team made reg_g=off as the default. I don't 
like it, but I understand why.

The main thing I don't like is that it seems to coddle the LCD of 
bad code.

A craftsman rarely learns good practice if s/he is insulated from the
results of bad practice.

</rant>

IMHO, of course.

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.




[PHP] Re: Using register_globals

2003-06-05 Thread Bobby Patel
If it's a preference it's a bad one.  Have register globals set to ON is one
way of leaving your script open to being exploitable.  I would suggest that
if you really need to use that code then either modify it or write something
from scratch and use that code as a guide line.

search php.net for register globals and the warnings associated with it.

Bobby
Todd Cary [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I have noticed that quite a few applications are designed with the
 assumption that register_globals = Yes; in other words, the
 application does not use $HTTP_xxx_VARS.  In contrast, I always retrieve
 my vars.

 Is there a preference?

 Todd




RE: [PHP] Re: Using register_globals

2003-06-05 Thread Jay Blanchard
[snip]
Have register globals set to ON is one way of leaving your script open
to being exploitable.
[/snip]

Please explain this, how does it make it more exploitable? I think that
this is only true if the code is sloppy.

Thanks!
Jay




Re: [PHP] Re: Using register_globals

2003-06-05 Thread Leif K-Brooks
It's true that register_globals being on only makes sloppy code more 
insecure.  Most people aren't going to write perfect code, though.  It's 
incredibly annoying to have to unset every variable that shouldn't be 
from an outside source.  Even if you do so, it's very likely that you 
will forget one variable on one page.  It will, of course, be the 
variable allowing admins to blow up a nuclear bomb over New York. :)

--
The above message is encrypted with double rot13 encoding.  Any unauthorized attempt 
to decrypt it will be prosecuted to the full extent of the law.




RE: [PHP] Re: Using register_globals

2003-06-05 Thread Rasmus Lerdorf
On Wed, 4 Jun 2003, Jay Blanchard wrote:
 [snip]
 Have register globals set to ON is one way of leaving your script open
 to being exploitable.
 [/snip]

 Please explain this, how does it make it more exploitable? I think that
 this is only true if the code is sloppy.

Correct, if you properly initialize your internal variables there is
nothing insecure about leaving register_globals on.

-Rasmus




RE: [PHP] Re: Using register_globals

2003-06-05 Thread Jay Blanchard
[snip]
On Wed, 4 Jun 2003, Jay Blanchard wrote:
 [snip]
 Have register globals set to ON is one way of leaving your script open
 to being exploitable.
 [/snip]

 Please explain this, how does it make it more exploitable? I think
 that this is only true if the code is sloppy.

Correct, if you properly initialize your internal variables there is
nothing insecure about leaving register_globals on.
[/snip]

Then why has there been such a big deal about register_globals security?
Is it because so much code is sloppy?

Thanks!

Jay




Re: [PHP] Re: Using register_globals

2003-06-05 Thread Rasmus Lerdorf
On Wed, 4 Jun 2003, Leif K-Brooks wrote:
 It's true that register_globals being on only makes sloppy code more
 insecure.  Most people aren't going to write perfect code, though.  It's
 incredibly annoying to have to unset every variable that shouldn't be
 from an outside source.  Even if you do so, it's very likely that you
 will forget one variable on one page.  It will, of course, be the
 variable allowing admins to blow up a nuclear bomb over New York. :)

It's incredibly annoying to have to initialize your variables?

This would be an example:

  for($i=0;$i<10;$i++) {
    $str .= $i;
  }

Here, since you haven't initialized $str and you are appending to it,
someone can inject something into $str via GET or POST data.  To fix it,
you have to make the code:

  $str = '';
  for($i=0;$i<10;$i++) {
    $str .= $i;
  }

Is that really what you find incredibly annoying?  Even without
register_globals, you should be initializing your variables this way.
What if other parts of your code happened to use $str and left stuff in it
you didn't expect?

-Rasmus




RE: [PHP] Re: Using register_globals

2003-06-05 Thread Rasmus Lerdorf
On Wed, 4 Jun 2003, Jay Blanchard wrote:
 [snip]
 On Wed, 4 Jun 2003, Jay Blanchard wrote:
  [snip]
  Have register globals set to ON is one way of leaving your script open
  to being exploitable.
  [/snip]

  Please explain this, how does it make it more exploitable? I think
  that this is only true if the code is sloppy.

 Correct, if you properly initialize your internal variables there is
 nothing insecure about leaving register_globals on.
 [/snip]

 Then why has there been such a big deal about register_globals security?
 Is it because so much code is sloppy?

From a robustness perspective, it is not a bad idea to be more explicit
about where your user data is coming from and being able to easily
distinguish user-oriented data from internal data.  What has been blown a
bit out of proportion is the idea that you cannot possibly write secure
code with register_globals on.  That is of course completely false, but
you do have to be a little bit more careful, which is why the default was
changed to err on the side of safety.

-Rasmus




Re: [PHP] Re: Using register_globals

2003-06-05 Thread Armand Turpel
 On Wed, 4 Jun 2003, Jay Blanchard wrote:
  [snip]
  Have register globals set to ON is one way of leaving your script open
  to being exploitable.
  [/snip]
 
  Please explain this, how does it make it more exploitable? I think that
  this is only true if the code is sloppy.

 Correct, if you properly initialize your internal variables there is
 nothing insecure about leaving register_globals on.



But how do you know, if you have a few thousand lines of PHP code, which part
has some sloppy code? Nobody is perfect. In my opinion you should turn
register_globals off if it's possible. It's much more secure.







Re: [PHP] Re: Using register_globals

2003-06-05 Thread Leif K-Brooks
True, it's not incredibly annoying in all cases.  It is in some cases, 
however.  For instance,

if (user_is_authorized()) {
    $explodenuke = 1;
}
...
if (!empty($explodenuke)) {
    // Explode a nuke!
}
The only reason there to initialize $explodenuke would be for security 
(register_globals), and there are other cases like this.  I generally 
initialize variables before using them, but there's always going to be a 
time when someone forgets.  That shouldn't present a security hazard, 
which is why I think register_globals should *always* be off.



RE: [PHP] Re: Using register_globals

2003-06-05 Thread Jay Blanchard
[snip]
The only reason there to initialize $explodenuke would be for security 
(register_globals), and there are other cases like this.  I generally 
initialize variables before using them, but there's always going to be a

time when someone forgets.  That shouldn't present a security hazard, 
which is why I think register_globals should *always* be off.
[/snip]

In the corporate environment with multiple developers we have to
initialize every variable (it's a rule). We even scan code once a day
for variables that have not been declared. It's part of our
documentation. 

Jay




RE: [PHP] Re: Using register_globals [ note on multi-developer env ]

2003-06-05 Thread Johnson, Kirk
 -Original Message-
 From: Jay Blanchard [mailto:[EMAIL PROTECTED]

 In the corporate environment with multiple developers we have to
 initialize every variable (it's a rule). We even scan code once a day
 for variables that have not been declared. It's part of our
 documentation. 

Jay, is your scan something other than setting error reporting to E_ALL? A
tool or script that is freely available?

TIA

Kirk




RE: [PHP] Re: Using register_globals [ note on multi-developer env ]

2003-06-05 Thread Jay Blanchard
[snip]
 In the corporate environment with multiple developers we have to 
 initialize every variable (it's a rule). We even scan code once a day 
 for variables that have not been declared. It's part of our 
 documentation.

Jay, is your scan something other than setting error reporting to
E_ALL? A tool or script that is freely available?
[/snip]

We use E_ALL, but first we wrote a PHP script that scans for all
variables and compares them against the list we have documented. The
new variables are given by location (which .php and line numbers).
The dev team then claims the variable. If there is no other previously
declared variable that fits the bill then we include it in the
declared list, along with its definition (type and use). If someone just
did it out of laziness or made a typo (it happens) they get to recode
using the previously declared variable designated for use in this
instance. The script itself is fairly straightforward and has a
dependency on where you store your variables info (database, text file,
etc.). You can write it pretty easily.

HTH!

Jay

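As an added example, not Jay's script (which he did not post): a tokenizer-based scanner that reports variables read before any assignment in their scope, the static counterpart of the E_ALL check Kirk asked about, which only reports the code paths actually executed. It assumes PHP 5.3 or later; the scanned source and its function names are constructed, borrowing the thread's case 1 and $str loop.

```php
<?php
// Added example, not the list's own code: reports variables READ before any
// assignment in their scope (file or function). An assignment inside a nested
// { } block expires when the block closes, so "if (..) { $admin = TRUE; }
// if ($admin)" is reported; initializing $admin before the if silences it.
// "$x[..] = .." on an unset $x is reported on purpose; isset()/empty()/unset()
// arguments are ignored; one report per variable and scope.

function scan_uninitialized($code)
{
    $builtin  = array('$GLOBALS', '$_SERVER', '$_GET', '$_POST', '$_COOKIE', '$_FILES',
                      '$_ENV', '$_REQUEST', '$_SESSION', '$this');
    $compound = array(T_PLUS_EQUAL, T_MINUS_EQUAL, T_MUL_EQUAL, T_DIV_EQUAL, T_CONCAT_EQUAL,
                      T_MOD_EQUAL, T_AND_EQUAL, T_OR_EQUAL, T_XOR_EQUAL, T_SL_EQUAL, T_SR_EQUAL);
    $declares = array(T_GLOBAL, T_STATIC, T_VAR, T_PUBLIC, T_PROTECTED, T_PRIVATE);
    $sig = array();                                   // tokens minus whitespace and comments
    foreach (token_get_all($code) as $t) {
        if (!is_array($t) || !in_array($t[0], array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT))) $sig[] = $t;
    }
    $scopes   = array(array('name' => '(file)', 'vars' => array(), 'depth' => 0));
    $findings = array();
    $depth    = 0;  $parens = 0;  $declMode = false;  // brace depth, paren depth, in a global/static/property decl
    $pending  = null;  $params = array();             // function being declared and its parameters
    $target   = null;  $skip   = null;                // paren depth from which variables are write targets / ignored
    for ($i = 0, $n = count($sig); $i < $n; $i++) {
        $t      = $sig[$i];
        $id     = is_array($t) ? $t[0] : null;
        $text   = is_array($t) ? $t[1] : $t;
        $top    = count($scopes) - 1;
        $next   = isset($sig[$i + 1]) ? $sig[$i + 1] : null;
        $nextId = is_array($next) ? $next[0] : $next;
        if ($text === '{' || $text === '${') {
            $depth++;  $declMode = false;
            if ($pending !== null) {                  // function body starts: fresh scope
                $scopes[] = array('name' => $pending, 'vars' => $params, 'depth' => $depth);
                $pending = null;  $params = array();
            }
        } elseif ($text === '}') {
            if ($top > 0 && $scopes[$top]['depth'] === $depth) {
                array_pop($scopes);                   // leaving a function body
            } else {
                foreach ($scopes[$top]['vars'] as $name => $d) {
                    if ($d >= $depth) unset($scopes[$top]['vars'][$name]);   // block-local: expires
                }
            }
            $depth--;
        } elseif ($text === '(') { $parens++;
        } elseif ($text === ')') {
            $parens--;
            if ($target !== null && $parens < $target) $target = null;
            if ($skip !== null && $parens < $skip) $skip = null;
        } elseif ($text === ';') {
            $declMode = false;  $pending = null;  $params = array();   // e.g. abstract method, no body
        } elseif ($id === T_FUNCTION) {
            $declMode = false;
            $pending  = (is_array($next) && $next[0] === T_STRING) ? $next[1] . '()' : '(closure)';
        } elseif (in_array($id, $declares, true)) { $declMode = true;
        } elseif ($id === T_LIST || $id === T_CATCH) { $target = $parens + 1;   // list(..) = .., catch (E $e)
        } elseif ($id === T_AS) { $target = $parens;                            // foreach (.. as $k => $v)
        } elseif ($id === T_ISSET || $id === T_EMPTY || $id === T_UNSET) { $skip = $parens + 1;
        } elseif ($id === T_VARIABLE && !in_array($text, $builtin)) {
            $vars =& $scopes[$top]['vars'];
            if ($pending !== null) {
                $params[$text] = $depth + 1;          // parameters are assigned on entry
            } elseif ($skip !== null && $parens >= $skip) {
                // isset()/empty()/unset() are the legitimate way to probe an unset variable
            } elseif ($declMode || ($target !== null && $parens >= $target) || $nextId === '=') {
                $vars[$text] = isset($vars[$text]) ? min($vars[$text], $depth) : $depth;
            } elseif (!isset($vars[$text])) {
                $findings[] = array('line' => $t[2], 'var' => $text, 'scope' => $scopes[$top]['name'],
                    'kind' => in_array($nextId, $compound, true) ? 'compound assignment' : 'read');
                $vars[$text] = $scopes[$top]['depth'];   // report once per scope
            }
            unset($vars);                             // release the reference before $scopes changes
        }
    }
    return $findings;
}

// Constructed input: the thread's case 1 and $str loop, plus a function that appends to an array it never set.
$sample = <<<'SRC'
<?php
if ($user == 'me' && $password == 'correct') {
    $admin = TRUE;
}
if ($admin) { list_all_members_sordid_details(); }
for ($i = 0; $i < 10; $i++) {
    $str .= $i;
}
function tally($items) {
    foreach ($items as $k => $v) {
        $seen[$k] = $v;
    }
    return isset($seen) ? $seen : array();
}
SRC;

foreach (scan_uninitialized($sample) as $f) {
    printf("line %2d  %-10s %-19s in %s\n", $f['line'], $f['var'], $f['kind'], $f['scope']);
}
```

On the constructed sample it lists $user, $password and $admin at file scope, the $str append inside the loop, and $seen inside tally(); the isset()-guarded $seen on the return line is not reported.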



Re: [PHP] Re: Using register_globals

2003-06-05 Thread Rouvas Stathis
Armand Turpel wrote:
 
  On Wed, 4 Jun 2003, Jay Blanchard wrote:
   [snip]
   Have register globals set to ON is one way of leaving your script open
   to being exploitable.
   [/snip]
  
   Please explain this, how does it make it more exploitable? I think that
   this is only true if the code is sloppy.
 
  Correct, if you properly initialize your internal variables there is
  nothing insecure about leaving register_globals on.
 
 But how you know, if you have a few tausends of php code lines, which part
 have some sloppy code. Nobody is perfect. In my opinion you should turn
 register_globals to off  if it's possible. It's much more secure.

I strongly disagree with that.
Consider the following code (assuming $foo is 'external' variable):

1: if ($foo=='yes') transfer_money_to_me();

2: if ($_GET['foo']=='yes') transfer_money_to_me();

Why is (2) safer than (1)? Answer: It is *not*.

As Rasmus has correctly pointed out, the usage of register_globals=off
per se cannot be considered a security measure. If you don't initialize
and/or check *all* user-supported variables, you're dead. It's as simple
as that. Is it annoying? Maybe. Is it necessary? *yes*

Anyway, IIRC the whole issue of register_globals started when some guy
presented a paper named "A Study in Scarlet". A whole lot of issues
were presented in that paper, which in my opinion, have been blown
quite out of perspective. register_globals is one of them.

Oh boy, this is starting to look like an urban myth: "Hey, do you know
that register_globals=on is bad?" "Really?" "Yeah, and you know what? It
allows the bad boys to do evil things."

-Stathis.

 
 



Re: [PHP] Re: Using register_globals

2003-06-05 Thread Bobby Patel
I agree that you can write secure scripts with register_globals set to ON.

I usually think that a lot of rookie PHP programmers (I just started PHP a
year ago, myself) read the list, and the way I figure is that it is good to
make readers of the list aware of the issues of register globals.

Plus, after coding in both states of register globals, I personally like
explicitly referring to the assoc array $HTTP_xxx_VARS to retrieve the
variable. Coders are familiar with magic numbers and we should stay away
from that, but to me register_globals seems like magic variables: I look at
this variable and I think to myself "Where did this variable come from?"
(but that's just me).





Re: [PHP] Re: Using register_globals

2003-06-05 Thread Jason Wong
On Thursday 05 June 2003 01:43, Rouvas Stathis wrote:

 I strongly disagree with that.
 Consider the following code (assuming $foo is 'external' variable):

 1: if ($foo=='yes') transfer_money_to_me();

 2: if ($_GET['foo']=='yes') transfer_money_to_me();

 Why (2) is safer than (1)? Answer: It is *not*.

Consider this slightly more substantial example:

  // Case 1: register_globals = on
  if ($user == 'me' && $password == 'correct') {
$admin = TRUE;
  } 
  if ($admin) { list_all_members_sordid_details(); }

and

  // Case 2: register_globals = off
  if ($_GET['user'] == 'me' && $_GET['password'] == 'correct') {
$admin = TRUE;
  }
  if ($admin) { list_all_members_sordid_details(); }

In case 1, a malicious person can bypass your password checks by passing 
admin=1 in the URL.

 As Rasmus has correctly pointed out, the usage of register_globals=off
 per se cannot be considered a security measure. If you don't initialize
 and/or check *all* user-supported variables, you're dead. It's as simple
 as that. Is it annoying? Maybe. Is it necessary? *yes*

I tend to think of it as a safety net.

Of course the problems with case 1 could be prevented by explicitly 
initialising the variables ...

  if ($user == 'me' && $password == 'correct') {
$admin = TRUE; }
  else {
$admin = FALSE;
  } 

... and extra meticulous coding:

  if ($admin === TRUE) { list_all_members_sordid_details(); }

Nobody's perfect, heck even MS cannot write safe code (!), so 
register_globals=0 gives you a little extra breathing space.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
You can't judge a book by the way it wears its hair.
*/


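The two cases above side by side, as an added example that is not code from the thread: register_globals=on is emulated with extract() (the call Don Read mentions elsewhere in this thread), the credentials, request arrays and the list_all_members_sordid_details() stub are constructed placeholders, and the hardened form takes the request array as a parameter so a real script would pass it $_GET or $_POST.

```php
<?php
// Added example, not code from the thread: Jason's case 1 next to the form
// the replies converge on. register_globals=on is emulated with extract();
// credentials, request arrays and the data stub are constructed placeholders.
error_reporting(E_ALL);   // undefined-variable diagnostics are the runtime tell

define('GOOD_USER', 'me');
define('GOOD_PASS', 'correct');

function list_all_members_sordid_details()
{
    return 'SENSITIVE MEMBER DATA';   // placeholder for the real listing
}

// Case 1 as written for register_globals=on: every request parameter lands
// in a variable of the same name, so $admin is whatever the client sent
// unless this script assigns it first.
function case1_register_globals_on(array $request)
{
    extract($request);                     // what register_globals=on did for you

    if ($user == GOOD_USER && $password == GOOD_PASS) {
        $admin = TRUE;
    }
    if ($admin) {                          // never initialized: may be the request's admin=1
        return list_all_members_sordid_details();
    }
    return 'denied';
}

// The hardened form: read input only from the array you chose to trust
// (a real script passes $_GET or $_POST), initialize internal state before
// testing it, and compare strictly.
function case2_explicit(array $get)
{
    $admin    = FALSE;                                       // initialized before use
    $user     = isset($get['user'])     ? $get['user']     : '';
    $password = isset($get['password']) ? $get['password'] : '';

    if ($user === GOOD_USER && $password === GOOD_PASS) {
        $admin = TRUE;
    }
    if ($admin === TRUE) {                                   // "extra meticulous", as above
        return list_all_members_sordid_details();
    }
    return 'denied';
}

// Constructed requests: a real login, the admin=1 query string from the
// thread with wrong credentials, and a request with no parameters at all.
$requests = array(
    'legit'  => array('user' => 'me', 'password' => 'correct'),
    'forged' => array('user' => 'x',  'password' => 'x', 'admin' => '1'),
    'anon'   => array(),
);

foreach ($requests as $label => $req) {
    printf("%-6s case1: %-22s case2: %s\n", $label,
           case1_register_globals_on($req), case2_explicit($req));
}
```

Run it from the command line: case 1 grants the forged request and case 2 denies it, and for the parameterless request E_ALL makes case 1 emit undefined-variable diagnostics, which is exactly what the E_ALL checks discussed above catch.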



Re: [PHP] Re: Using register_globals

2003-06-05 Thread Wendell Brown
On Thu, 5 Jun 2003 02:10:32 +0800, Jason Wong wrote:

In case 1, a malicious person can bypass your password checks by passing 
admin=1 in the URL.

Actually, I set up a very similar user security system by taking
advantage of the $PHP_AUTH_USER variable.  

I would check to see if the variable was set and if so, the user was an
administrator and could get to additional stuff.  To get apache to
set the variable and pass it to me, I added a login.php and a
matching .htaccess mod to force login.php to require authentication.

It worked like a champ!  Unfortunately, it also worked to add
?PHP_AUTH_USER=1 to the calling script.  A simple change to use
$_SERVER['PHP_AUTH_USER'] GREATLY enhanced the security!  

Can it still be hacked?  Probably.  Is it more secure?  Absolutely!





Re: [PHP] Re: Using register_globals

2003-06-05 Thread Armand Turpel
 But how do you know, if you have a few thousand lines of PHP code, which part
 has some sloppy code? Nobody is perfect. In my opinion you should turn
 register_globals off if it's possible. It's much more secure.

Rouvas Stathis wrote:
I strongly disagree with that.
Consider the following code (assuming $foo is 'external' variable):

1: if ($foo=='yes') transfer_money_to_me();

2: if ($_GET['foo']=='yes') transfer_money_to_me();

Why (2) is safer than (1)? Answer: It is *not*.



As I wrote before, I'm not talking about a 3-liner, but about several developers
working on a huge project. There is no reason not to make use of the $_GET[],
$_POST[] ... arrays and switch register_globals to OFF.






Re: [PHP] Re: Using register_globals

2003-06-05 Thread Philip Olson

You guys should consider reading this:

 http://www.php.net/manual/en/security.registerglobals.php

Most likely it's been updated since anyone here
read it; it covers everything discussed in this
thread.

Regards,
Philip






RE: [PHP] Re: Using register_globals

2003-06-05 Thread Tony Crockford
On this topic, could anyone point me to a good tutorial on how to
convert from sloppy code that assumes register_globals is on to good,
secure code that assumes register_globals is off.

something that covers what to look for and what to change it to would be
a great help.

I've been learning by working with someone else's (we bought it) code
and it won't run with register_globals off and I'd like it to.

it makes use of sessions (an area I'm still struggling with) and passes
a lot of variables from form to form, sometimes with post and sometimes
with get.

any suggestions would be much appreciated.

I looked at the manual and googled a lot, but can't find a plain English
guide to doing it right!

Thanks

Tony





RE: [PHP] Re: Using register_globals

2003-06-05 Thread Edward Peloke
Unfortunately, it might just require someone starting at page 1, finding all
the forms and the variables they pass, then finding the pages they pass the
variables to and changing them to the $HTTP_ method... you may have to do it a
form at a time.






RE: [PHP] Re: Using register_globals

2003-06-05 Thread Philip Olson

This is pretty straight forward.  First, you really should
know where your data comes from, only you know that:

  If it comes from GET, use $_GET
  If it comes from POST,use $_POST
  If it comes from COOKIE,  use $_COOKIE
  If it comes from SERVER,  use $_SERVER
  If it comes from ENV, use $_ENV
  If it comes from SESSION, use $_SESSION
  If it comes from FILES,   use $_FILES

  If you could care less if it comes from
  GET, POST, or COOKIE and want to accept
  all three as one, use $_REQUEST

What's the question?  So for example:

  http://www.example.com/index.php?id=42
  print $_GET['id']; 

  print $_SERVER['PHP_SELF'];

  session_start();
  $_SESSION['somesessionvar'] = 'avalue';
  print $_SESSION['somesessionvar'];

  setcookie('foo', 'bar');
  print $_COOKIE['foo'];

  ...

Of course this doesn't make your script secure, but
you will know where the variable comes from.  Related
manual pages are:

  http://us2.php.net/language.variables.predefined
  http://us2.php.net/language.variables.external
  http://us2.php.net/security.registerglobals

And before you blindly use these arrays inside strings, be
sure to know how to do that:

  http://us2.php.net/language.types.string

And remember, users are evil.

Regards,
Philip




On Wed, 4 Jun 2003, Tony Crockford wrote:

 On this topic, could anyone point me to a good tutorial on how to
 convert from sloppy code that assumes register_globals is on to good,
 secure code that assumes register_globals is off.
 
 something that covers what to look for and what to change it to would be
 a great help.
 
 I've been learning by working with someone else's (we bought it) code
 and it won't run with register_globals off and I'd like it too.
 
 it makes use of sessions (an area I'm still struggling with) and passes
 a lot of variables from form to form, sometimes with post and sometimes
 with get.
 
 any suggestions would be much appreciated.
 
 I looked at the manual and googled a lot, but can't find a plain english
 guide to doing it right!
 
 Thanks
 
 Tony
 
 
 






Re: [PHP] Re: Using register_globals

2003-06-05 Thread Lars Torben Wilson
On Wed, 2003-06-04 at 10:43, Rouvas Stathis wrote:
 Armand Turpel wrote:
  
   On Wed, 4 Jun 2003, Jay Blanchard wrote:
[snip]
Have register globals set to ON is one way of leaving your script open
to being exploitable.
[/snip]
   
Please explain this, how does it make it more exploitable? I think that
this is only true if the code is sloppy.
  
   Correct, if you properly initialize your internal variables there is
   nothing insecure about leaving register_globals on.
  
  But how do you know, if you have a few thousand lines of PHP code, which part
  has some sloppy code? Nobody is perfect. In my opinion you should turn
  register_globals to off if it's possible. It's much more secure.
 
 I strongly disagree with that.
 Consider the following code (assuming $foo is 'external' variable):

I think his point had more to do with the fact that there is some
benefit to having register_globals = off in that everybody is going to
screw up sometime, and with register_globals = off at least you have 
a bit more help when you do. 

From my point of view, this whole thing is being looked at the wrong
way 'round. The question shouldn't be what is the advantage of
register_globals = off?, but what is the advantage of
register_globals = on? The answer, of course, is that there isn't any.
While the advantages of 'off' have been way overblown, at least there
are some. :)


Torben

 1: if ($foo=='yes') transfer_money_to_me();
 
 2: if ($_GET['foo']=='yes') transfer_money_to_me();
 
 Why (2) is safer than (1)? Answer: It is *not*.

 As Rasmus has correctly pointed out, the usage of register_globals=off
 per se cannot be considered a security measure. If you don't initialize
 and/or check *all* user-supplied variables, you're dead. It's as simple
 as that. Is it annoying? Maybe. Is it necessary? *yes*
 
 Anyway, IIRC the whole issue of register_globals started when some guy
 presented a paper named A Study in Scarlet. A whole lot of issues
 were presented in that paper, which in my opinion, have been blown
 quite out of perspective. register_globals is one of them.
 
 Oh boy, this is starting to look like an urban myth : -Hey do you know
 that register_globals=on is bad? - Really? -Yeah, and you know what? It
 allows the bad boys to do evil things.
 
 -Stathis.
 
  
  
   -Rasmus
  





[PHP] Re:RE: [PHP] Re: Using register_globals

2003-06-05 Thread fongming
Ya!

I read the book and learned it from Programming PHP, written by Rasmus, page
285, which says:

It's important to understand that PHP itself is 
neither secure nor insecure. The security of your
web applications is entirely determined by the 
code you write. 

for example:
// initialize your variables first;
$play_mp3=false;
$play_cd=false;
$play_dvd=false;

// the && operators were lost in the archive; restored here
if($my_name && $my_pass && $mp3)
   {
 $play_mp3=true;
   }






On Wed, 4 Jun 2003, Jay Blanchard wrote:
 [snip]
 Have register globals set to ON is one way of leaving your script open
 to being exploitable.
 [/snip]

 Please explain this, how does it make it more exploitable? I think that
 this is only true if the code is sloppy.

Correct, if you properly initialize your internal variables there is
nothing insecure about leaving register_globals on.

-Rasmus




---
Fongming from Taiwan.


--
http://fonn.fongming.idv.tw
[EMAIL PROTECTED]

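One way to carry out the conversion Philip describes (read from the named superglobal instead of an auto-registered global) while following the "initialize your variables first" advice from Rasmus and fongming, as an added example that is not code from any poster in this thread. The user table and the two request arrays are constructed; the real include would pass $_POST to check_login() and lookup_user() would query the database.

```php
<?php
// Added example (not from any poster in this thread). The user table and the
// two request arrays are constructed so the script runs offline.

const KNOWN_USERS = ['alice' => 'correct horse'];   // constructed sample data

// Stand-in for the database check the original script performs.
function lookup_user(string $user, string $pass): bool
{
    return isset(KNOWN_USERS[$user]) && hash_equals(KNOWN_USERS[$user], $pass);
}

// Reads only from the array the caller names ($_POST in the real script).
// Every internal variable is initialized before any input is consulted, so a
// request carrying "authenticated=1" cannot pre-set the flag the way an
// uninitialized global could under register_globals=on.
function check_login(array $post): array
{
    $authenticated = false;     // initialize first
    $errors        = [];

    // Explicit source, explicit presence check, explicit type check.
    $username = isset($post['username']) && is_string($post['username'])
        ? $post['username'] : '';
    $password = isset($post['password']) && is_string($post['password'])
        ? $post['password'] : '';

    if ($username === '' || $password === '') {
        $errors[] = 'username and password are required';
    } elseif (!preg_match('/^[a-z0-9_]{1,32}$/', $username)) {
        $errors[] = 'malformed username';
    } elseif (lookup_user($username, $password)) {
        $authenticated = true;
    } else {
        $errors[] = 'bad credentials';
    }
    return ['ok' => $authenticated, 'errors' => $errors];
}

// Constructed requests standing in for $_POST.
$good   = ['username' => 'alice', 'password' => 'correct horse'];
$forged = ['authenticated' => '1', 'play_mp3' => 'true'];   // no credentials

foreach (['good' => $good, 'forged' => $forged] as $label => $request) {
    $result = check_login($request);
    printf("%s: %s\n", $label, $result['ok'] ? 'allowed' : 'denied');
}
```

The second request shows the point of initializing first: keys that happen to share a name with an internal flag have no effect, because the flag is set only by the code's own logic.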