[PHP] Good Practice: Variables, Error Reporting and Security

2002-10-04 Thread Adam Royle 

Hi All,

I have been a subscriber of php-db for quite some time, and I have seen 
MANY ppl ask why their variables aren't being passed though, etc, due 
to register_globals, etc, blah blah blah

I have kept my eyes open reading all the material I can, and I 
understand the security implications of certain programming actions.

Like most programmers, I am lazy. I prefer to construct functions to do 
the hard work for me. Before the register_globals issue was widespread, 
I loved programming in PHP (compared to ASP), because of the automatic 
passing of variables from page to page (also, referencing undefined 
variables without a hitch).I had some techniques to deal with security, 
and other things, so register_globals = on wasn't such big deal for me. 
But I acknowledge that if I do contract work for a business, and their 
server is set to

I have set my php.ini to E_ALL and register_globals = off, etc, 
although I don't want to have to do $var = $_GET['var'] for each 
variable i want imported. I have also noted people are using 
$HTTP_GET_VARS['var'] to allow for older php compatibility. But doing 
it this way reminds me too much of ASP.

Now, my question is, has anyone created functions or developed 
techniques to prevent obvious security breaches and also not collapse 
when using E_ALL? I have read somewhere that some people wrote a 
function which would accept an array of variable names (and 
get,post,session flag etc), and globalize all of those variables listed.

Such an example (i imagine) would be something like this:

import_vars( GET, array('id','var2','name') );

Now I don't think that I would have any troubles writing this sort of a 
function, although I was wondering if anyone had already considered 
this approach, or decided on a better solution. Really, I don't want to 
have to do isset(), etc on all my vars when using them. What I could 
deal with is having one line, where I list all the variables i use on 
the page, and it either imports it or creates an empty string if not 
found (therefore initializing it).

What do you all think of this approach?

PS. Sorry if this is talked about WAY too much on these lists, but I 
think this is a more informative thread for people who know about 
register_globals etc, but want scripting to be easier (and faster) with 
PHP, but still maintaining a good code structure (and sensible 
programming logic).

Adam


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Good Practice: Variables, Error Reporting and Security

2002-10-04 Thread Maxim Maletsky 


On Fri, 4 Oct 2002 20:50:32 +1000
Adam Royle [EMAIL PROTECTED] wrote:

 Hi All,
 
 I have been a subscriber of php-db for quite some time, and I have seen 
 MANY ppl ask why their variables aren't being passed though, etc, due 
 to register_globals, etc, blah blah blah
 
 I have kept my eyes open reading all the material I can, and I 
 understand the security implications of certain programming actions.
 
 Like most programmers, I am lazy. I prefer to construct functions to do 
 the hard work for me. Before the register_globals issue was widespread, 
 I loved programming in PHP (compared to ASP), because of the automatic 
 passing of variables from page to page (also, referencing undefined 
 variables without a hitch).I had some techniques to deal with security, 
 and other things, so register_globals = on wasn't such big deal for me. 
 But I acknowledge that if I do contract work for a business, and their 
 server is set to

Not only that it is better security-wise, but also it helps you
differentiate between SERVER, GET, POST, COOKIES and SESSION variables.
Say, you need to always read a session variable called 'id', then, you
install some app that passes 'id' in GET. Isn't it better own the entire
control on the things?

 I have set my php.ini to E_ALL and register_globals = off, etc, 
 although I don't want to have to do $var = $_GET['var'] for each 
 variable i want imported. I have also noted people are using 
 $HTTP_GET_VARS['var'] to allow for older php compatibility. But doing 
 it this way reminds me too much of ASP.

Who cares of ASP? I don't.

 Now, my question is, has anyone created functions or developed 
 techniques to prevent obvious security breaches and also not collapse 
 when using E_ALL? I have read somewhere that some people wrote a 
 function which would accept an array of variable names (and 
 get,post,session flag etc), and globalize all of those variables listed.
 
 Such an example (i imagine) would be something like this:
 
 import_vars( GET, array('id','var2','name') );

I made one. Here:

// Alter variables for the versions prior to 4.1.0
// NOTE: $_REQUEST global variable is NOT supported.
if(strnatcasecmp('4.1.0', PHP_VERSION)=0) {
foreach(Array(
 '_GET'  = 'HTTP_GET_VARS'
,'_POST' = 'HTTP_POST_VARS'
,'_COOKIE'   = 'HTTP_COOKIE_VARS'
,'_SESSION'  = 'HTTP_SESSION_VARS'
,'_SERVER'   = 'HTTP_SERVER_VARS'
,'_ENV'  = 'HTTP_ENV_VARS'
,'_FILES'= 'HTTP_POST_FILES'
) as $transvar['new']=$transvar['old']) {
if(isset($$transvar['old']) and is_array($$transvar['old'])) {
$GLOBALS[$transvar['new']] = $$transvar['old'];
}
}
// Unset transvar, we do not need it anymore.
unset($transvar);
}



 Now I don't think that I would have any troubles writing this sort of a 
 function, although I was wondering if anyone had already considered 
 this approach, or decided on a better solution. Really, I don't want to 
 have to do isset(), etc on all my vars when using them. What I could 
 deal with is having one line, where I list all the variables i use on 
 the page, and it either imports it or creates an empty string if not 
 found (therefore initializing it).
 
 What do you all think of this approach?

Well, if you really care then maybe the approach should be:

if PHP version is less than v4.1.0 then start up a file with the code
that gets the HTTP_*_VARS and changes them into $_GET, $_POST etc... 
this makes you being more compatible

 
 PS. Sorry if this is talked about WAY too much on these lists, but I 
 think this is a more informative thread for people who know about 
 register_globals etc, but want scripting to be easier (and faster) with 
 PHP, but still maintaining a good code structure (and sensible 
 programming logic).

One thing to add:

ever asked yourself why people, after retrieving some data from DB call
their variables similar like: $recID and not just $id or $dbTime and not
just $time? Obviously to differentiate between the origins of data. Now,
if you understood what I meant here, why using $id within the script
instead of $_GET['id'] or $_SESSION['id'] ? Isn't is a cleaner, rather
elegant code? That is a good practice. You shouldn't be lazy writing 6
more characters for a variable... You'd do that anyway for the data
names because would be confused :)

Maxim Maletsky
[EMAIL PROTECTED]

www.PHPBeginner.com  // where PHP Begins


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] Good Practice: Variables, Error Reporting and Security

2002-10-04 Thread Jay Blanchard 

[snip]
I made one. Here:

// Alter variables for the versions prior to 4.1.0
// NOTE: $_REQUEST global variable is NOT supported.
if(strnatcasecmp('4.1.0', PHP_VERSION)=0) {
foreach(Array(
 '_GET'  = 'HTTP_GET_VARS'
,'_POST' = 'HTTP_POST_VARS'
,'_COOKIE'   = 'HTTP_COOKIE_VARS'
,'_SESSION'  = 'HTTP_SESSION_VARS'
,'_SERVER'   = 'HTTP_SERVER_VARS'
,'_ENV'  = 'HTTP_ENV_VARS'
,'_FILES'= 'HTTP_POST_FILES'
) as $transvar['new']=$transvar['old']) {
if(isset($$transvar['old']) and is_array($$transvar['old'])) {
$GLOBALS[$transvar['new']] = $$transvar['old'];
}
}
// Unset transvar, we do not need it anymore.
unset($transvar);
}
One thing to add:

ever asked yourself why people, after retrieving some data from DB call
their variables similar like: $recID and not just $id or $dbTime and not
just $time? Obviously to differentiate between the origins of data. Now,
if you understood what I meant here, why using $id within the script
instead of $_GET['id'] or $_SESSION['id'] ? Isn't is a cleaner, rather
elegant code? That is a good practice. You shouldn't be lazy writing 6
more characters for a variable... You'd do that anyway for the data
names because would be confused :)
[/snip]


This points out a system wide concern, self-taught developers (Not that
there is anything wrong with that! :^]) and coders who have come to the
party from a new path where they learned there thing by reading, surfing,
and hacking until they got it right. They have missed out on things like
significant notation or Hungarian notation, planning, charting, and many
other factors that enter into the equation. The recent register globals
discussion points this out clearly.

Having worked with a couple of developers who came down this path and
watching the outright surprise and shock on their faces when flowcharts,
variable keys, and other pre-code documentation are requested in project
meetings it is no surprise that many find the register globals update
inconvenient. What if PHP had strongly typed variables? (BTW, using the
$_GET, $_POST, etc is a move in that direction, a good thing ...) Maxim, you
are dead on with this!

Here is some good reading for variable naming, a good place to start;

http://www.google.com/search?hl=enie=UTF-8oe=UTF-8q=Hungarian+notation

Jay

Now, if I could only get a book deal to write about this 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php