[nycphp-talk] Question

Hans Zaunere zaunere at yahoo.com
Thu Jun 13 21:19:16 EDT 2002


register_globals is certainly the issue here, as later versions come
with it off by default.  And I HIGHLY recommend working your code with
register_globals off.  Although it may be a quick fix to turn it on
now, register_globals is deprecated and will be nonexistent soon, not
to mention the security and performance implications.

HZ


--- Larry Chuon <LarryC at indexstock.com> wrote:
> I use v4.2.1.  A colleague of mine forwarded me this which makes
> sense.
> 
> Using Register Globals
>
> One feature of PHP that can be used to enhance security is configuring
> PHP with register_globals = off. By turning off the ability for any
> user-submitted variable to be injected into PHP code, you can reduce
> the amount of variable poisoning a potential attacker may inflict.
> They will have to take the additional time to forge submissions, and
> your internal variables are effectively isolated from user submitted
> data.
>
> While it does slightly increase the amount of effort required to work
> with PHP, it has been argued that the benefits far outweigh the
> effort.
>
> Example 4-8. Working without register_globals=off
> <?php
> if ($username) { // can be forged by a user in get/post/cookies
> $good_login = 1;
> }
> if ($good_login == 1) { // can be forged by a user in get/post/cookies,
> fpassthru ("/highly/sensitive/data/index.html");
> }
> ?>
> Example 4-9. Working with register_globals = off
> <?php
> if($HTTP_COOKIE_VARS['username']){
> // can only come from a cookie, forged or otherwise
> $good_login = 1;
> fpassthru ("/highly/sensitive/data/index.html");
> }
> ?>
>
> By using this wisely, it's even possible to take preventative measures
> to warn when forging is being attempted. If you know ahead of time
> exactly where a variable should be coming from, you can check to see
> if submitted data is coming from an inappropriate kind of submission.
> While it doesn't guarantee that data has not been forged, it does
> require an attacker to guess the right kind of forging.
>
> Example 4-10. Detecting simple variable poisoning
> <?php
> if ($HTTP_COOKIE_VARS['username'] &&
> !$HTTP_POST_VARS['username'] &&
> !$HTTP_GET_VARS['username'] ) {
> // Perform other checks to validate the user name...
> $good_login = 1;
> fpassthru ("/highly/sensitive/data/index.html");
> } else {
> mail("admin at example.com", "Possible breakin attempt",
> $HTTP_SERVER_VARS['REMOTE_ADDR']);
> echo "Security violation, admin has been alerted.";
> exit;
> }
> ?>
>
> Of course, simply turning on register globals does not mean code is
> secure. For every piece of data that is submitted, it should also be
> checked in other ways.
> 
> -----Original Message-----
> From: ken wu [mailto:ken_11223 at yahoo.com]
> Sent: Monday, June 10, 2002 6:56 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] Question
> 
> 
> are you running php4.1.2 or above? i know it is
> slightly different to deal with the form variables if
> u running such versions of php.  For example. u have
> to echo $HTTP_POST_VARS['first'] which is the form
> variables.  But i know that if u use the php 4.0.6 or
> below. u don't have to do so. just simply use $first
> or $last.  
> 
> 
>  
> --- Larry Chuon <LarryC at indexstock.com> wrote:
> > <paralist>This message contained 1 file(s) and is
> > available at
> >
> http://nyphp.org/list/paralist_archive.html?L_mid=364</paralist>
> > 
> > I'm working on a sample code and have some
> > questions.  My php and html files
> > are below.  I'm running on IIS and MySQL.  This code
> > gives me the following
> > error:
> >  
> >  
> > Notice: Undefined variable: first in
> > d:\\example\\datain.php on line 5
> > 
> > Notice: Undefined variable: last in
> > d:\\example\\datain.php on line 5
> > 
> > Notice: Undefined variable: nickname in
> > d:\\example\\datain.php on line 5
> > 
> > Notice: Undefined variable: email in
> > d:\\example\\datain.php on line 5
> > 
> > Notice: Undefined variable: salary in
> > d:\\example\\datain.php on line 5
> > Thank you! Information entered. 
> >  
> > If I add the following lines prior to the insert
> > statement, it works fine.
> > $first = $HTTP_POST_VARS['first'];
> > 
> > $last = $HTTP_POST_VARS['last'];
> > 
> > $nickname = $HTTP_POST_VARS['nickname'];
> > 
> > $email = $HTTP_POST_VARS['email'];
> > 
> > $salary = $HTTP_POST_VARS['salary'];
> > 
> > Why do I need $HTTP_POST_VARS???? Thanks in advance.
> >  
> > --------------------
> >  
> > datain.php
> > <html>
> > 
> > <?php
> > 
> > $db = mysql_connect("172.21.6.25","root","123456");
> > 
> > mysql_select_db("learndb",$db);
> > 
> > $sql="insert into personnel (firstname, lastname,
> > nick, email, salary)
> > VALUES
> > ('$first','$last','$nickname','$email','$salary')";
> > 
> > $result = mysql_query($sql);
> > 
> > echo "Thank you! Information entered.\n";
> > 
> > ?>
> > 
> > </html>
> > 
> >  
> > datain.html
> > <html>
> > 
> > <body>
> > 
> > <form action="datain.php" method="post">
> > 
> > First name:<input type="text" name="first"><br>
> > 
> > Last name:<input type="text" name="last"><br>
> > 
> > Nick name:<input type="text" name="nickname"><br>
> > 
> > E-mail:<input type="text" name="email"><br>
> > 
> > Salary:<input type="text" name="salary"><br>
> > 
> > <input type="Submit" name="submit" value="Enter
> > information">
> > 
> > </form>
> > 
> > </body>
> > 
> > </html> 
> > 
> > 
> > 
> 
> 
> =====
> Ken Wu
> 
> 718-788-0661
> 168 35 Street Apt 2
> Brooklyn, NY 11232-2320
> 
> http://www.kenfile.com
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! - Official partner of 2002 FIFA World Cup
> http://fifaworldcup.yahoo.com
> 
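
The datain.php handler from the thread, reworked to run with register_globals off, as an added example that is not code from any poster: it reads only the expected form fields from the POST array, checks them, and passes them to the INSERT as bound parameters. It assumes a current PHP with PDO; in-memory SQLite stands in for the MySQL server, `read_personnel()` and `insert_personnel()` are hypothetical names, and the sample submission is constructed.

```php
<?php
// Added example: datain.php reworked for register_globals = off.
// Assumptions: current PHP with PDO; SQLite in memory stands in for MySQL.

const FIELDS = ['first', 'last', 'nickname', 'email', 'salary'];

// Read only the expected fields, and only from the POST array passed in.
function read_personnel(array $post): array
{
    $row = [];
    foreach (FIELDS as $name) {
        $value = $post[$name] ?? '';
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("missing or malformed field: $name");
        }
        $row[$name] = trim($value);
    }
    if (filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    if (!ctype_digit($row['salary'])) {
        throw new InvalidArgumentException('salary must be a whole number');
    }
    return $row;
}

function insert_personnel(PDO $db, array $row): void
{
    // Bound parameters: submitted text is never spliced into the SQL string.
    $stmt = $db->prepare(
        'INSERT INTO personnel (firstname, lastname, nick, email, salary)
         VALUES (:first, :last, :nickname, :email, :salary)'
    );
    $stmt->execute($row);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE personnel (firstname TEXT, lastname TEXT, nick TEXT, email TEXT, salary INTEGER)');

// Constructed sample submission; on a live page this would be $_POST.
$post = ['first' => 'Pat', 'last' => "O'Neil", 'nickname' => 'pat',
         'email' => 'pat@example.com', 'salary' => '50000',
         'good_login' => '1'];  // unexpected field: never becomes a variable

insert_personnel($db, read_personnel($post));
echo $db->query('SELECT COUNT(*) FROM personnel')->fetchColumn(), " row(s) stored\n";
```

On a live page the argument to `read_personnel()` is `$_POST`, the superglobal that replaced `$HTTP_POST_VARS`.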

