[nycphp-talk] Question
Larry Chuon
LarryC at indexstock.com
Tue Jun 11 09:41:24 EDT 2002
I use v4.2.1. A colleague of mine forwarded me this which makes sense.
Using Register Globals
One feature of PHP that can be used to enhance security is configuring PHP
with register_globals = off.
By turning off the ability for any user-submitted variable to be injected
into PHP code, you can reduce
the amount of variable poisoning a potential attacker may inflict. They will
have to take the additional
time to forge submissions, and your internal variables are effectively
isolated from user submitted data.
While it does slightly increase the amount of effort required to work with
PHP, it has been argued that
the benefits far outweigh the effort.
Example 4-8. Working without register_globals=off
<?php
if ($username) { // can be forged by a user in get/post/cookies
$good_login = 1;
}
if ($good_login == 1) { // can be forged by a user in get/post/cookies,
fpassthru ("/highly/sensitive/data/index.html");
}
?>
Example 4-9. Working with register_globals = off
<?php
if($HTTP_COOKIE_VARS['username']){
// can only come from a cookie, forged or otherwise
$good_login = 1;
fpassthru ("/highly/sensitive/data/index.html");
}
?>
By using this wisely, it's even possible to take preventative measures to
warn when forging is being
attempted. If you know ahead of time exactly where a variable should be
coming from, you can check to
see if submitted data is coming from an inappropriate kind of submission.
While it doesn't guarantee that
data has not been forged, it does require an attacker to guess the right
kind of forging.
Example 4-10. Detecting simple variable poisoning
<?php
if ($HTTP_COOKIE_VARS['username'] &&
!$HTTP_POST_VARS['username'] &&
!$HTTP_GET_VARS['username'] ) {
// Perform other checks to validate the user name...
$good_login = 1;
fpassthru ("/highly/sensitive/data/index.html");
} else {
mail("admin at example.com", "Possible breakin attempt",
$HTTP_SERVER_VARS['REMOTE_ADDR']);
echo "Security violation, admin has been alerted.";
exit;
}
?>
Of course, simply turning on register globals does not mean code is secure.
For every piece of data that is
submitted, it should also be checked in other ways.
-----Original Message-----
From: ken wu [mailto:ken_11223 at yahoo.com]
Sent: Monday, June 10, 2002 6:56 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Question
are you running php4.1.2 or above? i know it is
slightly different to deal with the form variables if
u running such versions of php. For example. u have
to echo $HTTP_POST_VARS['first'} which is the form
variables. But i know that if u use the php 4.0.6 or
below. u don't have to do so. just simply use $first
or $last.
--- Larry Chuon <LarryC at indexstock.com> wrote:
> <paralist>This message contained 1 file(s) and is
> available at
>
http://nyphp.org/list/paralist_archive.html?L_mid=364</paralist>
>
> I'm working on a sample code and have some
> questions. My php and html files
> are below. I'm running on IIS and MySQL. This code
> gives me the following
> error:
>
>
> Notice: Undefined variable: first in
> d:\\example\\datain.php on line 5
>
> Notice: Undefined variable: last in
> d:\\example\\datain.php on line 5
>
> Notice: Undefined variable: nickname in
> d:\\example\\datain.php on line 5
>
> Notice: Undefined variable: email in
> d:\\example\\datain.php on line 5
>
> Notice: Undefined variable: salary in
> d:\\example\\datain.php on line 5
> Thank you! Information entered.
>
> If I add the following lines prior to the insert
> statement, it works fine.
> $first = $HTTP_POST_VARS['first'];
>
> $last = $HTTP_POST_VARS['last'];
>
> $nickname = $HTTP_POST_VARS['nickname'];
>
> $email = $HTTP_POST_VARS['email'];
>
> $salary = $HTTP_POST_VARS['salary'];
>
> Why do I need $HTTP_POST_VARS???? Thanks in advance.
>
> --------------------
>
> datain.php
> <html>
>
> <?php
>
> $db = mysql_connect("172.21.6.25","root","123456");
>
> mysql_select_db("learndb",$db);
>
> $sql="insert into personnel (firstname, lastname,
> nick, email, salary)
> VALUES
> ('$first','$last','$nickname','$email','$salary')";
>
> $result = mysql_query($sql);
>
> echo "Thank you! Information entered.\
";
>
> ?>
>
> </html>
>
>
> datain.html
> <html>
>
> <body>
>
> <form action="datain.php" method="post">
>
> First name:<input type="text" name="first"><br>
>
> Last name:<input type="text" name="last"><br>
>
> Nick name:<input type="text" name="nickname"><br>
>
> E-mail:<input type="text" name="email"><br>
>
> Salary:<input type="text" name="salary"><br>
>
> <input type="Submit" name="submit" value="Enter
> information">
>
> </form>
>
> </body>
>
> </html>
>
>
>
=====
Ken Wu
718-788-0661
168 35 Street Apt 2
Broooklyn, NY 11232-2320
http://www.kenfile.com
__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com
More information about the talk
mailing list