Global Values and Security (PHPSESSID)

Thanks for the help and commentary on sessions. I had another question
or two on a related topic. I installed a newer version of php and went
in to set it to read global variables, which was originally set to
'off' when I installed it. The notes in the php.ini file said that
it's less secure to allow reading them. What kind of security risks
would be associated with this? For example, in my site, I just want to
be able to read the PHPSESSID variable so I can keep a visitor logged
in to my site (by comparing the PHPSESSID variable to the most recent
code stored in their row in the database). Although I'm not handling
any kind of monetary transactions on my site, I'd still like it to be
reasonably secure (for learning's sake if nothing else), and I was
wondering:

(1) What kinds of alternatives are there if you don't want to be able
to access global variables... in other words, how else can I pass the
information from page to page without embedding it in hidden forms or
link coding?

(2)What specific security risks are associated with using global
variables as I described above?

thanks

Jonathan
Jul 17 '05 #1

The main issue with enabling global variables is in parsing forms. Especially
GET forms. It's possible for the user to inject his own values to variables in
your code. For example, if in your PHP code you have a "private" variable
$username, then the crafty user could easily append "&username=fred" to
the URL. Superglobal variables take precedence over globals, so the
variable in your script would be over-written. By using this method, the user
can inject potentially damaging values into your code directly. Especially if
your variables are string variables used directly in database INSERT or
UPDATE queries.... All sorts of nasty things might happen...

Having register_globals on is - therefore - a bad thing. Far better to do
this:

$a_form_variable = !empty($_REQUEST['a_form_variable']) ?
$_REQUEST['a_form_variable'] : null;

Essentially, this checks to see if the requested form variable (you could
substitute $_POST or $_GET for $_REQUEST) exists, and if it does, equates it
to a script variable of the same name. If it doesn't exist it equates it to a
default value - null - which is easy and definite to check against. Then,
later in your code, you can just compare $a_form_variable to null using ===
or !== to see whether or not it contains a real value.

HTH.

Plankmeister.
Jul 17 '05 #2
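An added example, not code from the thread, that puts Plankmeister's explicit-read pattern and Jonathan's logged-in-visitor question together in PHP 5.5 or later: each client value is read from the superglobal it belongs in with a definite default, and the login state lives in $_SESSION rather than in a PHPSESSID compared against a database column. request_string(), the $users array and its password are constructed for the example.

```php
<?php
// Added example, not code from the thread. Assumes register_globals is
// off (the default since PHP 4.2) and PHP 5.5+; request_string() and the
// $users array are constructed for illustration.

// With register_globals ON, a request such as login.php?user=fred would
// have created a global $user before the first line of this script ran,
// so a later "if ($user) { ... }" with no earlier assignment of $user
// could be satisfied by the client. The safe pattern is Plankmeister's:
// read each client value explicitly from the superglobal it belongs in,
// with a definite default when it is absent. is_string() also rejects
// user[]=x, which PHP would otherwise deliver as an array.
function request_string(array $source, $key, $default = null)
{
    if (isset($source[$key]) && is_string($source[$key])) {
        return $source[$key];
    }
    return $default;
}

// Constructed stand-in for the user table; it stores a password hash, not
// the PHPSESSID, so nothing in the row needs to match the cookie.
$users = array('fred' => password_hash('example-only', PASSWORD_DEFAULT));

session_start();   // resumes the session named by the PHPSESSID cookie, or creates one

if (request_string($_GET, 'action') === 'logout') {
    $_SESSION = array();   // drop server-side state for this id
    session_destroy();
}

$username = request_string($_POST, 'username');
$password = request_string($_POST, 'password');

if ($username !== null && $password !== null
    && isset($users[$username]) && password_verify($password, $users[$username])) {
    // Login state is kept server-side in $_SESSION; the client only ever
    // holds the opaque id. A fresh id on login stops a pre-login id,
    // possibly seen in a URL or a log, from becoming a logged-in one.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// Every other page calls session_start() and reads $_SESSION['user'].
if (isset($_SESSION['user'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'Not logged in';
}
```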
