I understand that register_globals was turned off by default as, unless
you initialised it, it could be altered by a malicious coder.
What I don't understand is how the $_POST['foo'] form is any more
secure. Surely Mr Malicious Coder can still just send his own version
of $_POST['foo']?
Obviously I'm missing something, I just can't figure out what!
+mrcakey
On 24 Oct, 11:57, +mrcakey <mrca...@nospam.nospam> wrote:
> I understand that register_globals was turned off by default as, unless
> you initialised it, it could be altered by a malicious coder.
> What I don't understand is how the $_POST['foo'] form is any more
> secure. Surely Mr Malicious Coder can still just send his own version
> of $_POST['foo']?
> Obviously I'm missing something, I just can't figure out what!
> +mrcakey
On its own, it probably isn't a big problem - it's how it interacts
with the rest of the code, e.g.:
<?php
require_once("array_of_admin_users.inc.php");   // defines $admin_users
// $admin_user is never initialised to false, so when the session user is
// not an admin it keeps whatever value it already had.
if (in_array($_SESSION['user'], $admin_users)) {
    $admin_user = true;
}
if ($admin_user) { ...
What happens when a non-admin user connects using http://example.com/transfer_funds.php?admin_user=1 ?
See also http://pear.reversefold.com/dokuwiki...er_globals_bad
C.
"C. (http://symcbean.blogspot.com/)" <co************@gmail.com> wrote in
message news:11*****************@e9g2000prf.googlegroups.com...
> On 24 Oct, 11:57, +mrcakey <mrca...@nospam.nospam> wrote:
>> I understand that register_globals was turned off by default as, unless you initialised it, it could be altered by a malicious coder.
>> What I don't understand is how the $_POST['foo'] form is any more secure. Surely Mr Malicious Coder can still just send his own version of $_POST['foo']?
>> Obviously I'm missing something, I just can't figure out what!
>> +mrcakey
> On its own, it probably isn't a big problem - it's how it interacts
> with the rest of the code, e.g.:
> <?php
> require_once("array_of_admin_users.inc.php");
> if (in_array($_SESSION['user'], $admin_users)) {
>     $admin_user = true;
> }
> if ($admin_user) { ...
Based on that code, nothing.
Greetings, +mrcakey.
In reply to Your message dated Wednesday, October 24, 2007, 14:57:09,
> I understand that register_globals was turned off by default as, unless
> you initialised it, it could be altered by a malicious coder.
> What I don't understand is how the $_POST['foo'] form is any more
> secure.
It is more secure than $foo. For sure.
> Surely Mr Malicious Coder can still just send his own version
> of $_POST['foo']?
Yep, but You can't accidentally fetch it by using $foo somewhere in Your
script.
You should call $_POST['foo'] explicitly to deal with user input.
> Obviously I'm missing something, I just can't figure out what!
Hope I've explained it enough to give You a point.
--
Sincerely Yours, AnrDaemon <an*******@freemail.ru>
AnrDaemon wrote:
> Greetings, +mrcakey.
> In reply to Your message dated Wednesday, October 24, 2007, 14:57:09,
>> I understand that register_globals was turned off by default as, unless
>> you initialised it, it could be altered by a malicious coder.
>> What I don't understand is how the $_POST['foo'] form is any more
>> secure.
> It is more secure than $foo. For sure.
>> Surely Mr Malicious Coder can still just send his own version
>> of $_POST['foo']?
> Yep, but You can't accidentally fetch it by using $foo somewhere in Your
> script.
> You should call $_POST['foo'] explicitly to deal with user input.
>> Obviously I'm missing something, I just can't figure out what!
> Hope I've explained it enough to give You a point.
Essentially then register_globals exposes ALL your variables to attack
from outside rather than just those you're fetching explicitly from
$_GET, $_POST etc. I understand now. Thanks to all who replied.
+mrcakey
On Oct 31, 9:36 am, +mrcakey <mrca...@nospam.nospam> wrote:
> Essentially then register_globals exposes ALL your variables to attack
> from outside rather than just those you're fetching explicitly from
> $_GET, $_POST etc. I understand now. Thanks to all who replied.
> +mrcakey
Note: If you can't be sure your code is going to be always in a
globals off environment, it is recommended all variables used in the
script are initialized early on in the script (even the empty ones).
Also one gotcha with globals on is if you do $foo = $_POST['foo'];
don't initialize $foo until you've made sure $_POST['foo'] is empty.
On Oct 24, 3:57 am, +mrcakey <mrca...@nospam.nospam> wrote:
> I understand that register_globals was turned off by default
> as, unless you initialised it, it could be altered by a
> malicious coder.
> What I don't understand is how the $_POST['foo'] form is any
> more secure. Surely Mr Malicious Coder can still just send
> his own version of $_POST['foo']?
> Obviously I'm missing something, I just can't figure out what!
What you are missing is a realization that with register_globals = On,
the malicious coder can initialize ANY variable, regardless of whether
the script expects to receive it via CGI.
Let's say, you have something like this:
// Tons of code here...
// The script processes incoming data and, depending on the
// program flow, may or may not initialize the $bar variable.
if (isset($bar)) {
    $result = mysql_query("DELETE FROM the_table WHERE bar='$bar'");
}
// Tons of code here too...
Now let's say that register_globals = On and the malicious coder submitted
$_REQUEST['bar'] = '%'. The server receives it and initializes $bar =
'%'. If $bar is not changed elsewhere, the script issues the
following MySQL query:
DELETE FROM the_table WHERE bar='%'
meaning, delete all records from the_table.
Granted, the above example is not a good coding practice, but with
register_globals = Off it is still safe (the malicious user cannot
initialize $bar and thus alter the program flow), while with
register_globals = On it is a security risk.
Cheers,
NC
> DELETE FROM the_table WHERE bar='%'
> meaning, delete all records from the_table.
No, that's not what it means.
DELETE FROM the_table WHERE bar LIKE '%'
means delete all records from the_table. The first query means delete
all records where bar is of length one and contains a single percent sign.
Lesson here: use = instead of LIKE unless you actually *need*
pattern-matching. Also, turn off register_globals.
On Oct 31, 6:44 pm, gordonb.kw...@burditt.org (Gordon Burditt) wrote:
>> DELETE FROM the_table WHERE bar='%'
>> meaning, delete all records from the_table.
> No, that's not what it means.
> DELETE FROM the_table WHERE bar LIKE '%'
> means delete all records from the_table. The first query
> means delete all records where bar is of length one and
> contains a single percent sign.
You're right, of course. I just wanted a simple illustration, so I
misinterpreted the meaning of the SQL query to make a point. In the
real world, the attacker would use something like:
$_REQUEST['bar'] = "' OR bar LIKE '%"
Cheers,
NC
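Putting the thread's two examples side by side, as an added example rather than any poster's code: C.'s $admin_user check and NC's $bar deletion under an emulation of register_globals, followed by the hardened form (every variable initialised, input read from the expected superglobal, SQL value bound). It assumes a PHP 7+ CLI with the pdo_sqlite extension; the request, session, admin list and table contents are all constructed.

```php
<?php
// Added example, not code from the thread. register_globals no longer exists
// (removed in PHP 5.4), so its effect is emulated: every parameter of a
// constructed request is copied into the global scope before the "application"
// code runs, which is what the old setting did with $_GET/$_POST/$_COOKIE.
$constructed_request = ['admin_user' => '1', 'bar' => '%'];   // constructed input
foreach ($constructed_request as $name => $value) {
    $$name = $value;                 // emulation of register_globals = On
}
$_SESSION = ['user' => 'alice'];     // constructed: an ordinary, non-admin user
$admin_users = ['root', 'bob'];      // stands in for array_of_admin_users.inc.php

// 1. C.'s pattern: $admin_user is assigned only on the true branch, so for a
//    non-admin the request has already decided its value.
if (in_array($_SESSION['user'], $admin_users, true)) {
    $admin_user = true;
}
echo "vulnerable admin check: ", var_export(!empty($admin_user), true), "\n";  // true

// 2. NC's pattern: the branch is reached because the request, not the script, set $bar.
if (isset($bar)) {
    echo "vulnerable flow: DELETE branch reached, bar=", var_export($bar, true), "\n";
}

// Hardened form of both: initialise every variable the script uses, read input
// only from the superglobal it is expected in, and bind values in SQL.
$admin_user = in_array($_SESSION['user'], $admin_users, true);  // always assigned
echo "hardened admin check: ", var_export($admin_user, true), "\n";            // false
$bar = isset($_POST['bar']) ? (string) $_POST['bar'] : null;   // explicit source
echo "hardened bar: ", var_export($bar, true), "\n";           // NULL: nothing POSTed

// Binding keeps the value inside the comparison, so neither '%' nor the quoted
// OR payload can reach the SQL parser; an in-memory SQLite table stands in for the_table.
function delete_by_bar(PDO $db, string $bar): int {
    $stmt = $db->prepare("DELETE FROM the_table WHERE bar = ?");
    $stmt->execute([$bar]);
    return $stmt->rowCount();        // rows actually removed
}
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE the_table (bar TEXT)");
$db->exec("INSERT INTO the_table VALUES ('x'), ('y'), ('z')");
foreach (['%', "' OR bar LIKE '%", 'y'] as $probe) {          // constructed values
    printf("bar=%-20s -> %d row(s) deleted\n", var_export($probe, true), delete_by_bar($db, $probe));
}
// Prints 0 deleted for '%' and for the OR string, 1 for 'y'.
```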