RE: [PHP] Why is it dangerous to have register_globals on?

2001-04-24 Thread Francois Legare



Francois Legare
[EMAIL PROTECTED]

 -Original Message-
 From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
 Sent: April 23, 2001 9:30 PM
 To: Plutarck
 Cc: [EMAIL PROTECTED]
 Subject: Re: [PHP] Why is it dangerous to have register_globals on?

 Never never never trust user-supplied data implicitly.  Always check
 anything that could possibly come from the user.  For internal variables,
 always initialize them and just generally think things through as you
 write your scripts.  This is no different in PHP than in any other
 scripting language used for web work.

 -Rasmus

Hi Rasmus,
can you, or anyone else, give more examples to help me understand what you
mean by "generally think things through", or give pointer(s) on the web where
this topic is being discussed and plenty of examples are given? Actually,
any advice, tips and tricks on how to code securely and how to make sure
user-supplied data are never implicitly trusted would be more than welcome.

thanks


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] Why is it dangerous to have register_globals on?

2001-04-24 Thread Geir Eivind Mork

On Monday 23 April 2001 11:56, Greig, Euan wrote:
  I have read in several places that it is dangerous to have register_globals
 on, but I have not understood the (short) explanations given. Can anyone
 enlighten me?

Keep it a rule to either unset any variable that you use or set them to a
default value. However awfully nice register_globals is, I've started to be
more aware and use HTTP_POST_VARS and HTTP_GET_VARS in case someone gets a
wild idea to abuse some of my products. They might get some dangerous stuff;
I can't imagine their fantasy, so I just let them have as little chance as
possible :)

-- 
 php developer / CoreTrek AS| TV is chewing gum for the eyes.   --
 Sandnes / Rogaland / Norway| Frank Lloyd Wright 
 web: http://www.moijk.net/ | 





Re: [PHP] Why is it dangerous to have register_globals on?

2001-04-24 Thread Euan Greig

Now I understand! I hadn't twigged to the danger of _internal_ variables
getting overwritten by bogus get/post variables.

Thanks to you all.

Euan

Rasmus Lerdorf [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
  Actually it's not dangerous per se.
 
  However it can be very dangerous if you aren't being careful in your code,
  for instance, consider this.
 
  Let's say I've conditionally set $sql somewhere else in the code based upon
  certain conditions, which works fine. But let's say those conditions aren't
  met so $sql doesn't get set to anything since it's not really used. Now
  consider this code:
 
  if ($sql)
  {
  $result = mysql_query($sql);
  }
 
  Now that would be fine for all normal instances. But now what if someone
  appends this onto the end of your url:
 
  ?query=
 
  ...plus something like DROP databasename. It doesn't take too much
  imagination to see what kind of things could happen if someone just had a
  little bit of knowledge about how your code works.
 
  Thus you have two options. One is of course to turn register_globals off,
  but ALWAYS ALWAYS _ALWAYS_ set a default for every variable you refer to in
  your script at some point before doing anything with it. So if you use $sql
  be 100% sure that $sql has been set explicitly in your code before doing
  anything with it.

 Whether you turn register_globals off or not, you need to always watch
 cases like this.  I have seen many people say that register_globals is
 inherently insecure and then they turn it off and go through and use
 something like $HTTP_POST_VARS['sql'] everywhere they used to use $sql.
 This only makes it slightly more tedious to inject bogus variables into
 since the attacker now needs to make a trivial little form to inject stuff
 into the POST data instead of just sticking it onto the URL.
 Security-wise there is no difference whatsoever.

 Never never never trust user-supplied data implicitly.  Always check
 anything that could possibly come from the user.  For internal variables,
 always initialize them and just generally think things through as you
 write your scripts.  This is no different in PHP than in any other
 scripting language used for web work.

 -Rasmus






[PHP] Why is it dangerous to have register_globals on?

2001-04-23 Thread Greig, Euan

I have read in several places that it is dangerous to have register_globals on, but I 
have not understood the (short) explanations given. Can anyone enlighten me?

Euan Greig
Technical Consultant
BRANN DATA
[EMAIL PROTECTED]
01285 645997









Re: [PHP] Why is it dangerous to have register_globals on?

2001-04-23 Thread Plutarck

Actually it's not dangerous per se.

However it can be very dangerous if you aren't being careful in your code,
for instance, consider this.

Let's say I've conditionally set $sql somewhere else in the code based upon
certain conditions, which works fine. But let's say those conditions aren't
met so $sql doesn't get set to anything since it's not really used. Now
consider this code:

if ($sql)
{
$result = mysql_query($sql);
}

Now that would be fine for all normal instances. But now what if someone
appends this onto the end of your url:

?query=

...plus something like DROP databasename. It doesn't take too much
imagination to see what kind of things could happen if someone just had a
little bit of knowledge about how your code works.

Thus you have two options. One is of course to turn register_globals off,
but ALWAYS ALWAYS _ALWAYS_ set a default for every variable you refer to in
your script at some point before doing anything with it. So if you use $sql
be 100% sure that $sql has been set explicitly in your code before doing
anything with it.


--
Plutarck
Should be working on something...
...but forgot what it was.



Greig, Euan [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 I have read in several places that it is dangerous to have register_globals
 on, but I have not understood the (short) explanations given. Can anyone
 enlighten me?

 Euan Greig
 Technical Consultant
 BRANN DATA
 [EMAIL PROTECTED]
 01285 645997









Re: [PHP] Why is it dangerous to have register_globals on?

2001-04-23 Thread Rasmus Lerdorf

 Actually it's not dangerous per se.

 However it can be very dangerous if you aren't being careful in your code,
 for instance, consider this.

 Let's say I've conditionally set $sql somewhere else in the code based upon
 certain conditions, which works fine. But let's say those conditions aren't
 met so $sql doesn't get set to anything since it's not really used. Now
 consider this code:

 if ($sql)
 {
 $result = mysql_query($sql);
 }

 Now that would be fine for all normal instances. But now what if someone
 appends this onto the end of your url:

 ?query=

 ...plus something like DROP databasename. It doesn't take too much
 imagination to see what kind of things could happen if someone just had a
 little bit of knowledge about how your code works.

 Thus you have two options. One is of course to turn register_globals off,
 but ALWAYS ALWAYS _ALWAYS_ set a default for every variable you refer to in
 your script at some point before doing anything with it. So if you use $sql
 be 100% sure that $sql has been set explicitly in your code before doing
 anything with it.

Whether you turn register_globals off or not, you need to always watch
cases like this.  I have seen many people say that register_globals is
inherently insecure and then they turn it off and go through and use
something like $HTTP_POST_VARS['sql'] everywhere they used to use $sql.
This only makes it slightly more tedious to inject bogus variables into
since the attacker now needs to make a trivial little form to inject stuff
into the POST data instead of just sticking it onto the URL.
Security-wise there is no difference whatsoever.

Never never never trust user-supplied data implicitly.  Always check
anything that could possibly come from the user.  For internal variables,
always initialize them and just generally think things through as you
write your scripts.  This is no different in PHP than in any other
scripting language used for web work.

-Rasmus
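
An added example, not part of any message in this thread: the pattern discussed above next to a version that initializes its internal variable and checks request data before use. extract() stands in for register_globals (removed in PHP 5.4); the function names, the items table and the category parameter are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed request data standing in for a query string or POST body.
$request = ['sql' => 'REQUEST-SUPPLIED STATEMENT', 'category' => 'books'];

// The pattern from the thread. extract() emulates register_globals = on:
// every request key becomes a local variable before the script's own logic runs.
function legacy_handler(array $request, bool $conditionMet): ?string
{
    extract($request);
    if ($conditionMet) {
        $sql = 'SELECT id, title FROM items';
    }
    // $sql was never initialized, so on the other branch it holds whatever
    // the request put there. This string is what mysql_query() would receive.
    return !empty($sql) ? $sql : null;
}

// Same logic with both rules from the thread applied.
function hardened_handler(array $request, bool $conditionMet): ?array
{
    // Internal variables are initialized before any use, so an injected
    // value could not survive here even with register_globals on.
    $sql = null;
    $params = [];

    // Request data is read by name and checked against an allow-list,
    // whether it arrived via GET, POST or an injected global.
    $allowed = ['books', 'music', 'film'];
    $category = $request['category'] ?? null;
    if (!is_string($category) || !in_array($category, $allowed, true)) {
        return null;
    }
    if ($conditionMet) {
        // SQL text is fixed by the script; the checked value travels as a
        // bound parameter, e.g. via PDO::prepare() and PDOStatement::execute().
        $sql = 'SELECT id, title FROM items WHERE category = ?';
        $params = [$category];
    }
    return $sql === null ? null : ['sql' => $sql, 'params' => $params];
}

// Condition not met: compare what each handler would hand to the database.
var_dump(legacy_handler($request, false));
var_dump(hardened_handler($request, false));
// Condition met with a valid category.
var_dump(hardened_handler($request, true));
```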

