Re: [PHP] 4.2.1 Vars

2002-05-26 Thread Philip Olson

> With register_globals OFF in your php.ini file, all of the user input is
> present in the _GET, _POST, _REQUEST, or _COOKIE array. With
> register_globals ON, then the variables are registered as regular variables.
> If you have a URL like page.php?id=1, then with them OFF, you have to use
> $_GET[id] to get the value of one, with them ON, you can just use $id.

Just to be clear, $_GET['id'] will work fine with register_globals 
on or off.  In other words, these PHP predefined variables will 
exist either way.  Just like the older non-super ones, such as 
$HTTP_GET_VARS.

Regards,
Philip Olson


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[PHP] 4.2.1 Vars

2002-05-25 Thread Kurth Bemis (List Monkey)


After moving to php 4.2.1 my scripts that use xxx.php?blah=4 fail to work.

I know that I need to turn register_globals on in my config, however I know 
that there are security problems with this.  So basically I need to know 
how to make 500+ scripts work without editing a bunch of files to make it 
so that all my get and post vars start with $_POST and $_GET.

any ideas?

~kurth

Kurth Bemis - Network/Systems Administrator, USAExpress.net/Ozone Computer

Security is like an arms race; the best attackers will continue to search 
for more complicated exploits, so we will too.
Quoted from http://www.openbsd.org/security.html

[EMAIL PROTECTED] | http://kurth.hardcrypto.com
PGP key available - http://kurth.hardcrypto.com/pgp

Fight Weak Encryption!  Donate your wasted CPU cycles to Distributed.net 
(http://www.distributed.net)







Re: [PHP] 4.2.1 Vars

2002-05-25 Thread Jeff Lewis

For now you can add this to the top of your scripts:

$types_to_register = array('GET', 'POST', 'COOKIE', 'SESSION', 'SERVER');
foreach ($types_to_register as $type) {
    // $HTTP_GET_VARS, $HTTP_POST_VARS, ... (the pre-4.1 names for $_GET etc.)
    $arr = @${'HTTP_' . $type . '_VARS'};
    if (is_array($arr) && count($arr) > 0) {
        // Dump every input into the global scope, exactly as
        // register_globals ON would (with the same security implications).
        extract($arr, EXTR_OVERWRITE);
    }
}

Somebody else posted this a few weeks back and it has worked for me until I
can convert everything over...

Jeff




Re: [PHP] 4.2.1 Vars

2002-05-25 Thread 1LT John W. Holmes

Do you know what the security problems are? Do you realise that having
register_globals on or off isn't the security problem, it's how you write
your code? If you're not going to change any of your code, just turn on
register_globals. Changing your code to _POST or _GET and doing nothing else
isn't making it any more secure than using it the way it is with
register_globals on.

---John Holmes...





Re: [PHP] 4.2.1 Vars

2002-05-25 Thread Kurth Bemis (List Monkey)

At 04:00 PM 5/25/2002 -0400, 1LT John W. Holmes wrote:

Actually - i don't understand what the docs at PHP are talking about.  care 
to enlighten me?

~kurth

> Do you know what the security problems are? Do you realise that having
> register_globals on or off isn't the security problem, it's how you write
> your code? If you're not going to change any of your code, just turn on
> register_globals. Changing your code to _POST or _GET and doing nothing else
> isn't making it any more secure than using it the way it is with
> register_globals on.
>
> ---John Holmes...


Kurth Bemis - Network/Systems Administrator, USAExpress.net/Ozone Computer

Jedi Business, Go back to your drinks - Anakin Skywalker, AOTC

[EMAIL PROTECTED] | http://kurth.hardcrypto.com
PGP key available - http://kurth.hardcrypto.com/pgp







Re: [PHP] 4.2.1 Vars

2002-05-25 Thread 1LT John W. Holmes

Sure. The idea you have to understand is that nothing from the user can be
trusted. When you are expecting a number and they enter a letter, it may
mess things up and you have to be prepared for that.

With register_globals OFF in  your php.ini file, all of the user input is
present in the _GET, _POST, _REQUEST, or _COOKIE array. With
register_globals ON, then the variables are registered as regular variables.
If you have a URL like page.php?id=1, then with them OFF, you have to use
$_GET[id] to get the value of one, with them ON, you can just use $id.
Neither one is better than the other b/c the user can still just alter the
URL and send a different value. The same is true for cookie and post data,
the user can easily alter that and send whatever kind of data they want. You
have to make sure it's what you think it will be.

One example is say you do a database call to check a username and password.
If they are good, you set an $Authorized variable to 'YES'. Further in the
page,  you do if($Authorized == 'YES') { show_good_stuff(); }. Now, with
register_globals ON, the user can easily type in a url like
page.php?Authorized=YES and they are in whether the query passes or not.
With register_globals OFF, the user cannot create a $Authorized variable. If
they try to pass it in the URL, it'll become $_GET[Authorized], not
$Authorized. Now, this doesn't mean that ON or OFF is better than the other,
it's how you program. You can easily leave register_globals ON and just make
sure you set a value for $Authorized in your script (don't assume its
value), like before you ever check the username and password, say
$Authorized = FALSE; That way even if the user tries to alter the URL, you
just set it to false regardless, and your script will be fine.

Hopefully that is clear. If you have any questions let me know. There are
plenty of articles written about this, do a search on google for some or
search the archives. The thing to remember is not to trust any user input
and make sure you know where your variables are coming from.

---John Holmes...

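Added example, not code from anyone in the thread: the PHP script below reproduces the $Authorized bypass John describes above and the two fixes he gives (initialising the variable before use with register_globals semantics still in play, and reading the expected inputs by name with register_globals off), and ends with an allowlisted alternative to the extract()-everything shim Jeff posted for the migration Kurth asked about. The account name, password and request arrays are constructed, and credentials_ok() stands in for the database lookup. Run it and the vulnerable page accepts the request that carries only Authorized=YES, while both fixed versions reject it and accept the real login.

```php
<?php
// Added example, not code from the thread. It reproduces the $Authorized
// bypass John Holmes describes and the two fixes he gives, then shows an
// allowlisted alternative to the extract()-everything shim Jeff posted.
// The account, password and "requests" below are constructed; nothing here
// touches a real HTTP request or database.

const VALID_USER = 'alice';
const VALID_PASS = 'correct horse battery staple';   // constructed credential

// Stand-in for the database lookup the thread mentions.
function credentials_ok(?string $user, ?string $pass): bool
{
    return $user === VALID_USER && hash_equals(VALID_PASS, (string) $pass);
}

// 1. The page as written for register_globals ON. extract() does here what
//    register_globals (or Jeff's shim) does at the top of a script: every
//    request parameter becomes a variable. $Authorized is only assigned on
//    success and never initialised, so a value supplied in the request wins.
function vulnerable_page(array $request): bool
{
    extract($request, EXTR_OVERWRITE);
    if (credentials_ok($user ?? null, $pass ?? null)) {
        $Authorized = 'YES';
    }
    return isset($Authorized) && $Authorized == 'YES';
}

// 2. John's fix, register_globals semantics unchanged: assign $Authorized
//    yourself before anything reads it, so a value that arrived through
//    extract() is overwritten no matter what the request contained.
function fixed_by_initialising(array $request): bool
{
    extract($request, EXTR_OVERWRITE);
    $Authorized = false;
    if (credentials_ok($user ?? null, $pass ?? null)) {
        $Authorized = 'YES';
    }
    return $Authorized === 'YES';
}

// 3. register_globals OFF: pull the two inputs the page expects out of the
//    request array by name. No other parameter can become a variable, so
//    ?Authorized=YES is an array entry the script never looks at.
function fixed_by_explicit_input(array $request): bool
{
    $Authorized = false;
    $user = $request['user'] ?? null;
    $pass = $request['pass'] ?? null;
    if (credentials_ok($user, $pass)) {
        $Authorized = 'YES';
    }
    return $Authorized === 'YES';
}

// 4. A migration shim for the "500+ scripts" case that is safer than
//    extract($HTTP_GET_VARS): each script lists the names it expects with a
//    default, and only those are returned for extract(). Names the script
//    sets internally, such as Authorized, are not in the list and so cannot
//    be pre-seeded by the request.
function import_request_vars(array $expected, array $request): array
{
    $vars = [];
    foreach ($expected as $name => $default) {
        $vars[$name] = array_key_exists($name, $request) ? $request[$name] : $default;
    }
    return $vars;
}

// Constructed requests: one carrying only the forged flag, one real login.
$forged = ['Authorized' => 'YES'];
$login  = ['user' => 'alice', 'pass' => 'correct horse battery staple'];

foreach (['vulnerable_page', 'fixed_by_initialising', 'fixed_by_explicit_input'] as $fn) {
    printf("%-25s forged: %-5s login: %s\n", $fn,
        var_export($fn($forged), true), var_export($fn($login), true));
}
// Only the allowlisted names come back; the forged flag is dropped.
print_r(import_request_vars(['user' => null, 'pass' => null], $forged + $login));
```

The allowlist shim still needs one line per script (extract(import_request_vars(...)) at the top, or the same thing pulled in through PHP's auto_prepend_file directive), so it does not fully meet the "no editing" wish; the trade is that the set of variables a request can create is now written down per script instead of being whatever the client chooses to send.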