On 01/08/2014 12:35 AM, Eric Chadbourne wrote:
What do you mean by variables being public to the internet?  Nobody
can directly access them from what I understand.  Sanitize in and out
you should be fine no?

I don't remember the details, and I only just glanced at php, a long time ago.

Googling about a bit I think it might have been something like the problem described here http://www.dagondesign.com/articles/writing-secure-php-scripts-part-1/


Securing your variables

In most versions of PHP, you can access the value of a variable before it is initialized. Consider this simple example:

if ($password == $the_password) {
     $logged_in = 1;
}
if ($logged_in == 1) {
     // secure stuff
}

All a visitor has to do is add *?logged_in=1* to the end of the URL and they will have access. While this may seem obvious, it is an extremely common problem with PHP scripts.

The best way to prevent this is to always make sure variables are declared before they are used. For this example, you can just add the following line at the top of the file:

$logged_in = 0;

Now the variable cannot be reset by a user since it is being declared before use.


In other words, the easiest way to use a variable in PHP is to just start using it, no declaration required, and as far as PHP is concerned, whether you initialize it is up to you. But from a security perspective the two cases are very different.

This might have changed since then, too.

I might have had other gripes, but it is possible I saw this and said, "what a dangerous language," and moved on.

-kb
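The pattern quoted from the Dagon Design article above, shown side by side with the initialized version, as an added example that is not from the mailing-list post or the linked article. The vulnerable half assumes the old register_globals behaviour; since that setting was removed in PHP 5.4, the script reproduces it with extract(), which has the same effect of turning every request parameter into a local variable. The request arrays, the function names and the password are constructed for the demo.

```php
<?php
// Added example (not from the post or the linked article): the uninitialized
// $logged_in variable from the quoted article, vulnerable and fixed forms.
declare(strict_types=1);

/**
 * Vulnerable form. extract() stands in for register_globals: every key in the
 * request becomes a variable in this scope, so a request carrying
 * logged_in=1 creates $logged_in before the password check ever runs.
 */
function vulnerable_check(array $request, string $storedHash): bool
{
    extract($request);                       // simulated register_globals

    if (isset($password) && password_verify($password, $storedHash)) {
        $logged_in = 1;
    }

    // $logged_in was never initialized here, so whatever the request
    // supplied survives to this test.
    return ($logged_in ?? 0) == 1;
}

/**
 * Hardened form, following the article's advice: declare the flag before
 * use, and read the credential explicitly from the request array instead of
 * letting request data become variables.
 */
function hardened_check(array $request, string $storedHash): bool
{
    $logged_in = false;                      // declared before use; a forged
                                             // logged_in parameter is ignored
    $password  = (string) ($request['password'] ?? '');

    if (password_verify($password, $storedHash)) {
        $logged_in = true;
    }

    return $logged_in;
}

// Constructed demo data: a hash of a made-up password and two requests.
$storedHash = password_hash('correct-horse-battery', PASSWORD_DEFAULT);
$forged     = ['logged_in' => '1'];                    // ?logged_in=1, no password
$legit      = ['password'  => 'correct-horse-battery'];

$verdict = static fn(bool $ok): string => $ok ? 'ACCESS' : 'denied';

printf("vulnerable, forged logged_in=1 : %s\n", $verdict(vulnerable_check($forged, $storedHash)));
printf("hardened,   forged logged_in=1 : %s\n", $verdict(hardened_check($forged, $storedHash)));
printf("hardened,   correct password   : %s\n", $verdict(hardened_check($legit, $storedHash)));
```

Run it with `php example.php`. The forged request is accepted by the first function and rejected by the second; the only differences are the explicit `$logged_in = false;` before use and reading the password from the request array rather than from an automatically created variable. The same initialization discipline applies to any flag or role variable that is later tested, not just login state.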

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
