Re: Re: Session variables not unsetting

On Monday 06 December 2004 22:50, steve wrote:

> Yeah - as I mentioned in the original post, all my pages start with that.
> I'm a little PO'd about the change to register_globals on. Alas, trying to
> switch it off in an .htaccess file causes a 500 error. That said, I never
> use variables passed by $_POST or $_GET without validating and all
> variables on the page are always initialised so I'm hoping the security
> exposure is minimal.

With register_globals enabled, the problem is not with the $_POST, $_GET etc 
variables (although yes you should always validate data when they come from 
untrusted sources). The problem is that malicious users can pollute your 
namespace and if you do not initialise variables properly before using them 
your application can be compromised.

For example, you have a flag ($admin) which you set to 1 if the person logged 
in has admin privileges. If you don't initialise $admin and only do something 
like ...

  if ($user == 'admin' AND $password == 'password') {
    $admin = 1;
  }
  // later in your code
  if ($admin == 1) { 
    echo "Hello admin";
  } else {
    die ("Go away");
  }

... it is all too easy for a malicious person to access your protected page 
like so:

  http://www.example.com/admin-page.php?admin=1

and they would have admin privileges.

If you had initialised $admin to some known, safe value before using it then 
you have no problems.

So either of these would be fine:

  $admin = 0;
  if ($user == 'admin' AND $password == 'password') {
    $admin = 1;
  }
  // or
  if ($user == 'admin' AND $password == 'password') {
    $admin = 1;
  } else {
    $admin = 0;
  }

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
Youth is a blunder, manhood a struggle, old age a regret.
  -- Benjamin Disraeli, "Coningsby"
*/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
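The two patterns from the post side by side, as an added example that is not part of Jason's message. It simulates register_globals with extract() so the difference between the uninitialised and the initialised $admin flag can be observed on any PHP version; the credentials, the request array and the function names are constructed placeholders.

```php
<?php
// Added example, not from the original post. extract() stands in for
// register_globals=on: every request key becomes a local variable.

// Pattern 1 (the post's vulnerable form): $admin is never initialised, so
// an injected variable decides the outcome when the login test fails.
function uninitialisedCheck(array $request)
{
    extract($request);                        // simulates register_globals
    if (isset($user, $password) && $user == 'admin' && $password == 'password') {
        $admin = 1;
    }
    return isset($admin) && $admin == 1;     // a request carrying admin=1 passes
}

// Pattern 2 (the post's fix): initialise to a known safe value first, read
// the named inputs explicitly, and compare strictly so '1' vs 1 cannot matter.
function initialisedCheck(array $request)
{
    $admin    = 0;                            // known, safe default
    $user     = isset($request['user']) ? (string) $request['user'] : '';
    $password = isset($request['password']) ? (string) $request['password'] : '';
    if ($user === 'admin' && $password === 'password') {   // placeholder creds
        $admin = 1;
    }
    return $admin === 1;                      // only the login test can set it
}

// Runtime guard for hosts where the .htaccess override is not possible:
// detect register_globals at startup and fail closed rather than run.
function registerGlobalsOn()
{
    $value = strtolower(trim((string) ini_get('register_globals')));
    return $value === '1' || $value === 'on';
}

if (registerGlobalsOn()) {
    die('register_globals is on; refusing to run');
}

$forged = array('admin' => '1');              // constructed request, no credentials
var_dump(uninitialisedCheck($forged));        // granted: the flag was polluted
var_dump(initialisedCheck($forged));          // denied: the default held
```

On PHP 5.4 and later register_globals no longer exists and ini_get() returns false, so the guard is a no-op there; the initialise-before-use rule still applies to any code that calls extract() on request data.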

