> Actually it's not "dangerous" per se.
>
> However it can be very dangerous if you aren't being careful in your code,
> for instance, consider this.
>
> Let's say I've conditionally set $sql somewhere else in the code based upon
> certain conditions, which works fine. But let's say those conditions aren't
> met so $sql doesn't get set to anything since it's not really used. Now
> consider this code:
>
> if ($sql)   // $sql may never have been assigned anywhere in this script
> {
> $result = mysql_query($sql);   // so whatever ended up in $sql gets executed
> }
>
> Now that would be fine for all normal instances. But now what if someone
> appends this onto the end of your url:
>
> ?query=
>
> ...plus something like "DROP databasename". It doesn't take too much
> imagination to see what kind of things could happen if someone just had a
> little bit of knowledge about how your code works.
>
> Thus you have two options. One is of course to turn register_globals off,
> but ALWAYS ALWAYS _ALWAYS_ set a default for every variable you refer to in
> your script at some point before doing anything with it. So if you use $sql
> be 100% sure that $sql has been set explicitly in your code before doing
> anything with it.

Whether you turn register_globals off or not, you need to always watch
cases like this.  I have seen many people say that register_globals is
inherently insecure and then they turn it off and go through and use
something like $HTTP_POST_VARS['sql'] everywhere they used to use $sql.
This only makes it slightly more tedious to inject bogus variables into
since the attacker now needs to make a trivial little form to inject stuff
into the POST data instead of just sticking it onto the URL.
Security-wise there is no difference whatsoever.

Never never never trust user-supplied data implicitly.  Always check
anything that could possibly come from the user.  For internal variables,
always initialize them and just generally think things through as you
write your scripts.  This is no different in PHP than in any other
scripting language used for web work.

-Rasmus


-- 
PHP General Mailing List (http://www.php.net/)
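The situation both posts describe, as an added example that is not code from the thread: register_globals is approximated with extract() over a constructed request array (an assumption, since the real setting populated variables before the script ran), and the functions return the SQL they would have handed to mysql_query() instead of executing it.

```php
<?php
// Added example, not from the thread. Demonstrates the unset-$sql problem the
// quoted poster describes and the two fixes Rasmus gives: initialize every
// variable before use, and check anything the user can supply. Request arrays
// are constructed; no database is involved.

function vulnerable(array $request): ?string
{
    extract($request);                 // register_globals emulation: request keys become locals,
                                       // whether they arrived via GET or POST
    if (isset($debug)) {               // the only place this script intends to set $sql
        $sql = 'SELECT id, name FROM users';
    }
    if (!empty($sql)) {                // no default: if the script never set $sql,
        return $sql;                   // the request-supplied value is what gets "run"
    }
    return null;
}

function hardened(array $request): ?string
{
    extract($request);                 // same register_globals emulation
    $sql = '';                         // fix 1: explicit default, overwrites anything imported
    $allowed = ['name', 'created'];    // fix 2: user-controlled input checked against a whitelist
    $sort = in_array($sort ?? '', $allowed, true) ? $sort : 'name';
    if (isset($debug)) {
        $sql = "SELECT id, name FROM users ORDER BY $sort";
    }
    return $sql !== '' ? $sql : null;
}

// Constructed requests: one the script expects, one that smuggles its own $sql
// and an unexpected sort column. POST data would behave identically here.
$normal   = ['debug' => '1', 'sort' => 'created'];
$injected = ['sql' => 'text the script never wrote', 'sort' => 'id; -- not allowed'];

var_dump(vulnerable($normal));     // the intended query
var_dump(vulnerable($injected));   // $debug unset, so the imported $sql is returned unchanged
var_dump(hardened($injected));     // default wins: nothing to run
var_dump(hardened(['debug' => '1', 'sort' => 'id; -- x']));  // bad sort falls back to 'name'
```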