[PHP] Why is it dangerous to have register_globals on?
I have read in several places that it is dangerous to have register_globals on, but I have not understood the (short) explanations given. Can anyone enlighten me?

Euan Greig
Technical Consultant
BRANN DATA
[EMAIL PROTECTED]
01285 645997

**
Any opinions expressed in this email are those of the individual and not necessarily the Company. This email and any files transmitted with it, including replies and forwarded copies (which may contain alterations) subsequently transmitted from the Company, are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this email in error and that any use is strictly prohibited.
**

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Why is it dangerous to have register_globals on?
Actually it's not "dangerous" per se.

However, it can be very dangerous if you aren't being careful in your code. For instance, consider this.

Let's say I've conditionally set $sql somewhere else in the code based upon certain conditions, which works fine. But let's say those conditions aren't met, so $sql doesn't get set to anything since it's not really used. Now consider this code:

    if ($sql)
    {
        $result = mysql_query($sql);
    }

Now that would be fine for all normal instances. But now what if someone appends this onto the end of your url:

    ?query=

...plus something like "DROP databasename". It doesn't take too much imagination to see what kind of things could happen if someone just had a little bit of knowledge about how your code works.

Thus you have two options. One is of course to turn register_globals off, but ALWAYS ALWAYS _ALWAYS_ set a default for every variable you refer to in your script at some point before doing anything with it. So if you use $sql, be 100% sure that $sql has been set explicitly in your code before doing anything with it.

--
Plutarck
Should be working on something...
...but forgot what it was.

""Greig, Euan"" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I have read in several places that it is dangerous to have register_globals on, but I have not understood the (short) explanations given. Can anyone enlighten me?
>
> Euan Greig
> Technical Consultant
> BRANN DATA
> [EMAIL PROTECTED]
> 01285 645997
Re: [PHP] Why is it dangerous to have register_globals on?
> Actually it's not "dangerous" per se.
>
> However, it can be very dangerous if you aren't being careful in your code,
> for instance, consider this.
>
> [...]
>
> Thus you have two options. One is of course to turn register_globals off,
> but ALWAYS ALWAYS _ALWAYS_ set a default for every variable you refer to in
> your script at some point before doing anything with it. So if you use $sql,
> be 100% sure that $sql has been set explicitly in your code before doing
> anything with it.

Whether you turn register_globals off or not, you need to always watch cases like this. I have seen many people say that register_globals is inherently insecure and then they turn it off and go through and use something like $HTTP_POST_VARS['sql'] everywhere they used to use $sql. This only makes it slightly more tedious to inject bogus variables into, since the attacker now needs to make a trivial little form to inject stuff into the POST data instead of just sticking it onto the URL. Security-wise there is no difference whatsoever.

Never never never trust user-supplied data implicitly. Always check anything that could possibly come from the user. For internal variables, always initialize them and just generally think things through as you write your scripts. This is no different in PHP than in any other scripting language used for web work.

-Rasmus
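The two messages above describe the same defect from two angles: Plutarck's `if ($sql)` check trusts a variable the script never initialised, and Rasmus's point is that moving from `$sql` to `$HTTP_POST_VARS['sql']` changes nothing unless the value is actually validated. The script below is an added example, not code from the thread or from PHP itself. register_globals was removed in PHP 5.4, so it emulates the setting with `extract()`; the function names, the request arrays and the report catalogue are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). extract() emulates register_globals=On:
// every request parameter becomes a variable in the current scope, which is
// what lets a client supply a value for an internal variable the script never set.

// Vulnerable shape from the thread: $sql is assigned on one code path only and
// then trusted. When no report is requested, $sql is whatever the client sent
// as ?sql=..., and the "is it set?" check passes.
function vulnerableBuildQuery(array $request, bool $reportWanted): ?string
{
    extract($request);                      // emulates register_globals=On
    if ($reportWanted) {
        $sql = 'SELECT id, name FROM reports';
    }
    if (!empty($sql)) {                     // the thread's if ($sql), without the undefined-variable warning
        return $sql;                        // the real script would hand this to mysql_query()
    }
    return null;
}

// Hardened shape: every internal variable gets an explicit default, input is
// read from the request array by name (the same idea as $HTTP_GET_VARS /
// $HTTP_POST_VARS, today $_GET / $_POST) and is validated against a whitelist
// before it can influence anything. Whether the value arrived in the URL or in
// the POST body makes no difference here; the validation is what matters.
function hardenedBuildQuery(array $request, bool $reportWanted): ?string
{
    $sql = null;                            // explicit default; cannot be supplied from outside

    // Constructed report catalogue: the client may choose a key, never the SQL text.
    $reports = [
        'users'   => 'SELECT id, name FROM users',
        'reports' => 'SELECT id, name FROM reports',
    ];

    $name = $request['report'] ?? '';       // read explicitly, never turned into a variable
    if ($reportWanted && is_string($name) && array_key_exists($name, $reports)) {
        $sql = $reports[$name];
    }
    return $sql;                            // null means: nothing to run
}

// Constructed requests: a normal one, and one that names an internal variable.
$normal   = ['report' => 'users'];
$tampered = ['sql' => 'DROP databasename'];   // the thread's example value, as a plain string

// Code path where the script itself did not set $sql ($reportWanted = false):
var_dump(vulnerableBuildQuery($tampered, false)); // the client-supplied string, because $sql was never initialised
var_dump(hardenedBuildQuery($tampered, false));   // null: the stray 'sql' parameter is simply ignored

// Normal use and a request whose 'report' value is not in the catalogue:
var_dump(hardenedBuildQuery($normal, true));                          // the whitelisted query for 'users'
var_dump(hardenedBuildQuery(['report' => 'DROP databasename'], true)); // null: not a known report key
```

Run it with `php example.php` (any file name will do). The hardened function never lets request data become a variable, never lets it become SQL text, and starts from a known default, which is the combination Rasmus is asking for: initialise internals, read input explicitly, and check it.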
RE: [PHP] Why is it dangerous to have register_globals on?
> -----Original Message-----
> From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> Sent: April 23, 2001 9:30 PM
> To: Plutarck
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Why is it dangerous to have register_globals on?
>
> Never never never trust user-supplied data implicitly. Always check
> anything that could possibly come from the user. For internal variables,
> always initialize them and just generally think things through as you
> write your scripts. This is no different in PHP than in any other
> scripting language used for web work.
>
> -Rasmus

Hi Rasmus, can you, or anyone else, give more examples to help me understand what you mean by "generally think things through", or give pointer(s) on the web where this topic is being discussed and plenty of examples are given? Actually, any advice, tips and tricks on how to code securely and how to make sure user-supplied data is never implicitly trusted would be more than welcome.

Thanks

Francois Legare
[EMAIL PROTECTED]
Re: [PHP] Why is it dangerous to have register_globals on?
On Monday 23 April 2001 11:56, Greig, Euan wrote:
> I have read in several places that it is dangerous to have register_globals
> on, but I have not understood the (short) explanations given. Can anyone
> enlighten me?

Keep it a rule to either unset any variable that you use or set it to a default value. However awfully nice register_globals is, I've started to be more aware and to use HTTP_POST_VARS and HTTP_GET_VARS in case someone gets a wild idea to abuse some of my products. They might get some dangerous stuff; I can't imagine their fantasy, so I just let them have as little chance as possible :)

--
php developer / CoreTrek AS  | TV is chewing gum for the eyes.
Sandnes / Rogaland / Norway  |   -- Frank Lloyd Wright
web: http://www.moijk.net/   |
Re: [PHP] Why is it dangerous to have register_globals on?
Now I understand! I hadn't twigged to the danger of _internal_ variables getting overwritten by bogus get/post variables. Thanks to you all.

Euan

"Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> [...]
>
> Whether you turn register_globals off or not, you need to always watch
> cases like this. I have seen many people say that register_globals is
> inherently insecure and then they turn it off and go through and use
> something like $HTTP_POST_VARS['sql'] everywhere they used to use $sql.
> This only makes it slightly more tedious to inject bogus variables into,
> since the attacker now needs to make a trivial little form to inject stuff
> into the POST data instead of just sticking it onto the URL.
> Security-wise there is no difference whatsoever.
>
> Never never never trust user-supplied data implicitly. Always check
> anything that could possibly come from the user. For internal variables,
> always initialize them and just generally think things through as you
> write your scripts. This is no different in PHP than in any other
> scripting language used for web work.
>
> -Rasmus