> -----Original Message-----
> From: Kevin Stone [mailto:[EMAIL PROTECTED]]
> Sent: 09 May 2002 23:09
> 
> Hmm.  No offense ..., but I don't believe turning Registered Globals off
> will have any effect on security.  Turning Registered Globals off just
> provides a more strict environment for coding.  Example..
> 
> If the url were http://www.dom.com/index.php?password=xuUaB67sf
> 
> <?
>     if (isset($_GET['password']))  // Registered globals off.
>     {
>         $password = $_GET['password'];
>         echo $password;
>     }
> ?>
>  .. is no more or less secure than..
> <?
>     if (isset($password))   // Registered globals on.
>     {
>         echo $password;
>     }
> ?>

No, but this:

    if (isset($password)):  // register_globals on
        $super_user = $password==$super_password;
    endif;

    if ($super_user):
        // sensitive admin stuff
    endif;

is more secure than:

    if (isset($_GET['password'])):  // register_globals off
        $super_user = $_GET['password']==$super_password;
    endif;

    if ($super_user):
        // sensitive admin stuff
    endif;

(OK, you or I wouldn't code like that, but a Web hoster may want the reassurance of 
being able to protect naive customers from this kind of mistake.)
    
Also, by using the $_POST, $_GET arrays, you know exactly where the input is coming 
from (even if register_globals is also on!).  If you have register_globals set to on, 
and you just look to see if (say) $password has a value, which you're expecting to 
come from a form field, you can't actually tell whether it's been overridden by some 
smarty-pants typing in the URL with ?password=super_password on the end.  If you check 
specifically for $_POST['password'], you at least have the assurance that it's come 
from a form field as you were expecting.

Granted, register_globals and using the $_* arrays is not the complete solution, but 
it does add a small extra layer of assurance.

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730      Fax:  +44 113 283 3211 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
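A worked illustration of the uninitialised-flag problem in the $super_user snippets above, added here as an example; it is not code from either poster. It assumes a placeholder admin password (SUPER_PASSWORD), uses extract() purely to mimic what register_globals=on did to the symbol table, and the request arrays are constructed test data.

```php
<?php
// Added example, not Mike's or Kevin's code. extract() stands in for
// register_globals=on; the request arrays below are constructed, not real.

const SUPER_PASSWORD = 'placeholder-admin-password'; // assumed, not a real secret

// The pattern from the thread under register_globals=on: every request
// parameter becomes a local variable, so the client can supply $super_user
// directly and skip the password check entirely.
function legacy_is_super_user(array $get): bool
{
    extract($get);                          // mimics register_globals=on
    if (isset($password)) {
        $super_user = ($password == SUPER_PASSWORD);
    }
    // With no password sent, $super_user is whatever the request put there.
    return !empty($super_user);
}

// Hardened form: the flag is initialised before use, the credential is read
// only from the array it is expected in (so a query-string override cannot
// masquerade as a form field), and the comparison is strict and constant-time.
function hardened_is_super_user(array $post): bool
{
    $super_user = false;
    if (isset($post['password']) && is_string($post['password'])) {
        $super_user = hash_equals(SUPER_PASSWORD, $post['password']);
    }
    return $super_user;
}

// Constructed requests
$injected = ['super_user' => '1'];            // ?super_user=1, no password at all
$legit    = ['password' => SUPER_PASSWORD];
$wrong    = ['password' => 'guess'];

var_dump(legacy_is_super_user($injected));    // flag injected via the request
var_dump(legacy_is_super_user($wrong));
var_dump(hardened_is_super_user($injected));  // flag cannot be injected
var_dump(hardened_is_super_user($legit));
```

Run with the PHP CLI: the legacy function returns true for the request that carries no password at all, which is exactly the hole register_globals=off closes, while the hardened function returns true only for the correct password. Initialising $super_user = false before the check is what removes the dependency on register_globals; reading from $_POST (here the $post array) and using hash_equals() are the extra layers Mike mentions, plus a guard against the loose == comparison.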
