"Jonathan" <th***************@yahoo.com> wrote in message
news:67**************************@posting.google.c om...
Thanks for the help and commentary on sessions. I had another question
or two on a related topic. I installed a newer version of php and went
in to set it to read global variables, which was originally set to
'off' when I installed it. The notes in the php.ini file said that
it's less secure to allow reading them. What kind of security risks
would be associated with this? For example, in my site, I just want to
be able to read the PHPSESSID variable so I can keep a visitor logged
in to my site (by comparing the PHPSESSID variable to the most recent
code stored in their row in the database). Although I'm not handling
any kind of monetary transactions on my site, I'd still like it to be
reasonably secure (for learning's sake if nothing else), and I was
wondering:
(1) What kinds of alternatives are there if you don't want to be able
to access global variables... in other words, how else can I pass the
information from page to page without embedding it in hidden forms or
link coding?
(2)What specific security risks are associated with using global
variables as I described above?
thanks
Jonathan
The main issue with enabling global variables is in parsing forms.
Especially
GET forms. It's possible for the user to inject his own values to variables
in
your code. For example, if in your PHP code you have a "private" variable
$username, then the crafty user could easily append "&username=fred" to
the URL. Superglobal variables take precedence over globals, so the
variable in your script would be over-written. By using this method, the
user
can inject potentially damaging values into your code directly. Especially
if
your variables are string variables used directly in database INSERT or
UPDATE queries.... All sorts of nasty things might happen...
Having register_globals on is - therefore - a bad thing. Far better to do
this:
$a_form_variable = !empty($_REQUEST['a_form_variable']) ?
$_REQUEST['a_form_variable'] : null;
Essentially, this checks to see if the requested form variable (you could
substitute
$_POST or $_GET for $_REQUEST) exists, and if it does, equates it to a
script
variable of the same name. If it doesn't exist it equates it to a default
value - null -
which is easy and definite to check against. Then, later in your code, you
can just
compare $a_form_variable to null using === or !== to see whether or not it
contains
a real value.
HTH.
Plankmeister.
