Register globals essentially takes the value of $_SESSION['foo'] and creates
$foo. It does the same thing for GET, POST, COOKIES, etc.
The problem here is that you have no way of telling if $foo was a POST
variable, GET, SESSION, or whatever. So, I can choose to append ?admin=1 to
one of your URLs, and if you do not do any checking or variable
initialising, it might be possible for me to fake myself as a user with
admin clearance, or anything else that would be considered a risk.
The super global arrays like $_SESSION exist, and can be used, regardless of
whether register globals is on or off. If you start relying on
$_SESSION['foo'] rather than $foo, $_POST['bah'] instead of $bah and
$_GET['xyz'] instead of $xyz, you've made a great start.
You should be able to use $_SESSION right now, but be aware that the manual
says if you choose to use $_SESSION, then you should stop using functions
such as session_register().
The next logical step would be to manually turn off register globals for
your site, using a directory-level .htaccess file in your document root. An
example of this file would be:
---
<IfModule mod_php4.c>
php_flag register_globals off
</IfModule>
---
Do a whole bunch of testing on your LAN, make any changes you need to make
to your code, perhaps turn the error reporting to the highest level (E_ALL)
to see what warnings you get, then try the same on your live server.
Justin
on 29/05/03 3:18 AM, Pushpinder Singh Garcha ([EMAIL PROTECTED]) wrote:
> Since register_globals() is ON on my server, I need to be able to
> figure out a way to ensure session security.
> Another question I had was that, with register_globals() ON can I
> still use the $_SESSION to set my variables ? I want to avoid recoding
> the entire application, so I want to see what can be done to enhance
> security with the current setup.
>
> Does the super-global array approach i.e. $_SESSION work, irrespective
> of the fact that REGISTER_GLOBALS is ON / OFF ?
> If I start setting session variables in the $_SESSION array from now
> on, will it improve the security of the session. I am a newbie in PHP
> session handling and am sorry if any of the above questions sound
> extremely lame.
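The two patterns Justin contrasts, as an added example that is not from the original mail: a page that trusts a bare $admin (which register_globals lets a visitor set with ?admin=1) beside one that initialises its own variables and reads only $_SESSION, plus a startup check on the directive. The simulateRegisterGlobals() helper is an assumed stand-in for the real mechanism, which PHP applied before the script ran.

```php
<?php
// Added example, not code from the original thread. Contrasts the
// register_globals-era bug with the $_SESSION-based fix and adds a
// startup check that refuses to run with the directive on.

// Assumed stand-in for register_globals=on: copy request parameters
// into globals the way PHP did for GET, POST, COOKIE and SESSION.
function simulateRegisterGlobals(array $get)
{
    foreach ($get as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable pattern: $admin is never initialised, so whatever the
// request supplied (or nothing at all) decides the outcome.
function isAdminVulnerable()
{
    global $admin;          // with register_globals, ?admin=1 sets this
    return !empty($admin);
}

// Hardened pattern: initialise first, then consult only the session
// array, which a visitor cannot populate from the URL.
function isAdminHardened()
{
    $admin = false;
    if (isset($_SESSION['admin']) && $_SESSION['admin'] === true) {
        $admin = true;
    }
    return $admin;
}

// Startup check: stop if register_globals is on. ini_get() returns ""
// or false on PHP 5.4 and later, where the directive no longer exists.
function assertRegisterGlobalsOff()
{
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        trigger_error('register_globals is on; set php_flag register_globals off',
                      E_USER_ERROR);
    }
}

// Constructed request: a fresh non-admin session and a visitor who
// appended ?admin=1 to the URL.
assertRegisterGlobalsOff();
$_SESSION = array();
simulateRegisterGlobals(array('admin' => '1'));
var_dump(isAdminVulnerable());   // the forged value is trusted
var_dump(isAdminHardened());     // the session, not the URL, decides
```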
--
PHP General Mailing List (http://www.php.net/)