RE: [PHP] register_globals & security
--- Fernando Melo <[EMAIL PROTECTED]> wrote:
> I was not making an assumption. I was stating a fact.
> "I get these using $_POST"
>
> I did NOT state that register_globals needs to be on to do what I'm
> doing.

If you're going to make false claims about what you previously said, you
might want to snip out that part when replying. :-)

> --- Fernando Melo <[EMAIL PROTECTED]> wrote:
> > Which of course requires register_globals to be ON.

Chris

=
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals & security
I was not making an assumption. I was stating a fact.
"I get these using $_POST"

I did NOT state that register_globals needs to be on to do what I'm doing.

It seems everyone else understood my query except you.

Thanks to everyone who tried to help!

-----Original Message-----
From: Chris Shiflett [mailto:[EMAIL PROTECTED]]
Sent: 13 November 2003 17:07
To: Fernando Melo; '[EMAIL PROTECTED]'
Subject: Re: [PHP] register_globals & security

--- Fernando Melo <[EMAIL PROTECTED]> wrote:
> I have a PHP application that passes variables (values) from a form.
> I get these using $_POST
>
> However I do also post some variables via a link. Which of course
> requires register_globals to be ON.

This is a common problem I see on this list. When asking a question, try
not to make assumptions or attempt to answer your own question. In this
case, your assumption is wrong. This does not require register_globals to
be on. GET variables are in $_GET, and POST variables are in $_POST.

Hope that helps.

Chris
Re: [PHP] register_globals & security
--- Raditha Dissanayake <[EMAIL PROTECTED]> wrote:
> At the risk of starting another flame war: IMHO switching off register
> globals and relying on $_POST etc can lull you into a false sense of
> security.

I agree, and this is more true with the safe_mode directive, which I have
always thought was poorly named (although I don't have a better
suggestion). Disabling register_globals is a good thing, however, and it
at least forces developers to understand where their data is coming from.
This is a good first step, in my opinion.

Chris
Re: [PHP] register_globals & security
--- Fernando Melo <[EMAIL PROTECTED]> wrote:
> I have a PHP application that passes variables (values) from a form.
> I get these using $_POST
>
> However I do also post some variables via a link. Which of course
> requires register_globals to be ON.

This is a common problem I see on this list. When asking a question, try
not to make assumptions or attempt to answer your own question. In this
case, your assumption is wrong. This does not require register_globals to
be on. GET variables are in $_GET, and POST variables are in $_POST.

Hope that helps.

Chris
Re: [PHP] register_globals & security
Hi,

Jay and Eugene have already made very good suggestions. To add to that you
can always try filtering your variables with strip_tags(),
htmlspecialchars(), addslashes() etc to protect against attacks.

all the best

Fernando Melo wrote:
> Yup I still don't see how it improves anything with regards to security.
>
> -----Original Message-----
> From: Raditha Dissanayake [mailto:[EMAIL PROTECTED]]
> Sent: 13 November 2003 15:24
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] register_globals & security
>
> Hi,
>
> There is also a $_REQUEST variable.
>
> At the risk of starting another flame war: IMHO switching off register
> globals and relying on $_POST etc can lull you into a false sense of
> security.
>
> Fernando Melo wrote:
> > Thanks.
> >
> > I don't see how this makes it more secure though?
> >
> > The values are still picked up the same way from a URL

--
Raditha Dissanayake.
http://www.radinks.com/sftp/          | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with  | Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB | with progress bar.
RE: [PHP] register_globals & security
[snip]
There is also a $_REQUEST variable.

At the risk of starting another flame war: IMHO switching off register
globals and relying on $_POST etc can lull you into a false sense of
security.
[/snip]

***applause***

Bottom-line...as I just said in another thread...initialize your variables
and validate them when you get them from 'outside' sources
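The advice in the post above (initialize your variables, validate anything from outside) and the filtering suggestion in Raditha's message before it, worked through as an added PHP example that is not code from any participant in this thread. The request keys `page` and `name`, the `is_admin` flag, the helper names in the commented-out "before" fragment, and the constructed requests are all assumptions chosen for illustration; nothing here needs a web server.

```php
<?php
// Added example, not from the thread; request keys and values are assumed.

// Before, as written for register_globals=On: nothing initializes $is_admin,
// so a request key of that name becomes the variable (kept as a comment only).
//
//   if (check_login()) { $is_admin = true; }
//   if ($is_admin) { show_admin_menu(); }   // also true for ?is_admin=1
//   echo "Page $page for $name";            // both straight from the URL

// After: initialize, read from the named superglobal, validate, escape on
// output. $get is a parameter so the function runs on a constructed request.
function read_page_request(array $get): array
{
    $is_admin = false;   // initialized here; the request cannot pre-set it
    $page     = 1;
    $name     = 'guest';
    $errors   = [];

    if (array_key_exists('page', $get)) {
        // ctype_digit rejects "-1", "3 OR 1=1" and "3.0"; cast after the check
        if (is_string($get['page']) && ctype_digit($get['page']) && (int)$get['page'] >= 1) {
            $page = (int)$get['page'];
        } else {
            $errors[] = 'page must be a positive integer';
        }
    }
    if (array_key_exists('name', $get)) {
        // Allow only the characters a name needs rather than stripping tags out
        if (is_string($get['name']) && preg_match("/^[A-Za-z][A-Za-z '-]{0,39}$/", $get['name'])) {
            $name = $get['name'];
        } else {
            $errors[] = 'name contains characters that are not allowed';
        }
    }
    return [
        'page'     => $page,
        'name'     => $name,
        'is_admin' => $is_admin,   // never read from $get, so it cannot be influenced
        'errors'   => $errors,
        // Escape at the point of HTML output; the validated value stays usable
        // unescaped elsewhere (e.g. bound to a prepared SQL statement).
        'html'     => sprintf('Page %d for %s', $page, htmlspecialchars($name, ENT_QUOTES, 'UTF-8')),
    ];
}

// Constructed requests: a normal link plus a stray is_admin=1, and a hostile one.
$ok  = read_page_request(['page' => '3', 'name' => 'Fernando', 'is_admin' => '1']);
$bad = read_page_request(['page' => '3 OR 1=1', 'name' => '<script>x</script>']);
assert($ok['is_admin'] === false && $ok['errors'] === [] && $ok['page'] === 3);
assert(count($bad['errors']) === 2 && $bad['page'] === 1 && $bad['name'] === 'guest');
echo $ok['html'], "\n";
```

Rejecting input that fails validation, rather than "cleaning" it with strip_tags() or addslashes(), keeps the value meaningful for every later use; escaping is then applied once, for the specific output context.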
RE: [PHP] register_globals & security
Yup I still don't see how it improves anything with regards to security.

-----Original Message-----
From: Raditha Dissanayake [mailto:[EMAIL PROTECTED]]
Sent: 13 November 2003 15:24
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals & security

Hi,

There is also a $_REQUEST variable.

At the risk of starting another flame war: IMHO switching off register
globals and relying on $_POST etc can lull you into a false sense of
security.

Fernando Melo wrote:
>Thanks.
>
>I don't see how this makes it more secure though?
>
>The values are still picked up the same way from a URL
>
>-----Original Message-----
>From: Jon Haworth [mailto:[EMAIL PROTECTED]]
>Sent: 13 November 2003 13:28
>To: [EMAIL PROTECTED]
>Subject: Re: [PHP] register_globals & security
>
>Hi Fernando,
>
>>I have a PHP application that passes variables (values) from a form.
>>I get these using $_POST
>>
>>However I do also post some variables via a link. Which of course requires
>>register_globals to be ON.
>
>Do you mean variables in a URL, like this:
>www.example.com/index.php?foo=1&bar=2
>
>If so you can access these via the $_GET array and leave register_globals
>turned off.
>
>Cheers
>Jon
Re: [PHP] register_globals & security
Hi,

There is also a $_REQUEST variable.

At the risk of starting another flame war: IMHO switching off register
globals and relying on $_POST etc can lull you into a false sense of
security.

Fernando Melo wrote:
> Thanks.
>
> I don't see how this makes it more secure though?
>
> The values are still picked up the same way from a URL
>
> -----Original Message-----
> From: Jon Haworth [mailto:[EMAIL PROTECTED]]
> Sent: 13 November 2003 13:28
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] register_globals & security
>
> Hi Fernando,
>
> > I have a PHP application that passes variables (values) from a form.
> > I get these using $_POST
> >
> > However I do also post some variables via a link. Which of course requires
> > register_globals to be ON.
>
> Do you mean variables in a URL, like this:
> www.example.com/index.php?foo=1&bar=2
>
> If so you can access these via the $_GET array and leave register_globals
> turned off.
>
> Cheers
> Jon
Re: [PHP] register_globals & security
On Thu, Nov 13, 2003 at 01:55:08PM +0200, Fernando Melo wrote:
: Jon Haworth responded:
: : Fernando Melo wrote:
: : >
: : > I have a PHP application that passes variables (values) from a form.
: : > I get these using $_POST
: : >
: : > However I do also post some variables via a link. Which of course
: : > requires register_globals to be ON.
: :
: : Do you mean variables in a URL, like this:
: : www.example.com/index.php?foo=1&bar=2
: :
: : If so you can access these via the $_GET array and leave
: : register_globals turned off.
:
: Thanks.
:
: I don't see how this makes it more secure though?
:
: The values are still picked up the same way from a URL

If you want to prevent casual packet sniffing, you need to move your code
to an SSL-enabled web server.

If you want to minimize data exchange between PHP pages via POST or GET
methods, consider switching to sessions.

http://www.php.net/manual/en/ref.session.php
RE: [PHP] register_globals & security
Thanks.

I don't see how this makes it more secure though?

The values are still picked up the same way from a URL

-----Original Message-----
From: Jon Haworth [mailto:[EMAIL PROTECTED]]
Sent: 13 November 2003 13:28
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals & security

Hi Fernando,

> I have a PHP application that passes variables (values) from a form.
> I get these using $_POST
>
> However I do also post some variables via a link. Which of course requires
> register_globals to be ON.

Do you mean variables in a URL, like this:
www.example.com/index.php?foo=1&bar=2

If so you can access these via the $_GET array and leave register_globals
turned off.

Cheers
Jon
Re: [PHP] register_globals & security
Hi Fernando,

> I have a PHP application that passes variables (values) from a form.
> I get these using $_POST
>
> However I do also post some variables via a link. Which of course requires
> register_globals to be ON.

Do you mean variables in a URL, like this:
www.example.com/index.php?foo=1&bar=2

If so you can access these via the $_GET array and leave register_globals
turned off.

Cheers
Jon