Author Topic: Learning PHP - register_globals  (Read 3697 times)

Jochum Meester

  • Sr. Member
    • JochumMeester.com
Learning PHP - register_globals
« on: August 19, 2006, 05:38:09 pm »

Hi all, I've just bought two books about PHP (and MySQL) and now I'm reading things about using forms and the form methods POST and GET. There's also a piece of text about register_globals and that they advise you to have them turned 'off' for better security. What is your stand on this? What if your hosting provider has them set 'on'? Is there any extra security (script-wise) needed if they're set 'on' (which is the case with my provider)? And, on an important side note, will it have an effect on my sNews installation? Is it more vulnerable?

Patric Ahlqvist

  • Nobodys perfect, but Im pretty effing close
  • ULTIMATE member
  • I'm a self-made man and worships my creator.
    • p-ahlqvist.com
Learning PHP - register_globals
« Reply #1 on: August 19, 2006, 05:52:33 pm »

I have it on as well, due to some script, GB or Plogger, dunno which it is. I'm also interested in what can happen here... Why is it more secure to have them off?
"It's only dead fish that goes with the flow... "

Jochum Meester

  • Sr. Member
    • JochumMeester.com
Learning PHP - register_globals
« Reply #2 on: August 19, 2006, 05:57:38 pm »

The book says 'hackers' could insert the name of the fields in the form and that way override any settings you made for the complete script. The example they used (translated from Dutch):

Names of parameters can be seen by anyone, just open the source and you'll see what the names of the input-fields are. Now if you have a form to authenticate a user and you also use this:
```php
if (authenticate_user()) {
  $authenticated = true;
}
```
Then a hacker could submit a form, in which he/she would include the field 'authenticated' which would (somehow lol) make the '$authenticated' set to true and give him whatever permissions an authenticated user has.

Someone back me up please, perhaps with a better explanation, as I've just copied this from the book.

Edit: the bold text; does it mean that if a hacker would copy your form, save it on his own hosting but have the action set to your site again and add a field 'authenticated' that this would work??
Edit2: lol I'm so confusing sometimes haha
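An added example (not from the book or from anyone in this thread) that spells out the book's warning: the vulnerable pattern next to the fixed one. Assumptions: `authenticate_user()` is a constructed stand-in for whatever credential check the book's form does, and `extract()` on the request array is used to simulate what register_globals=On did automatically, so the whole thing runs with the directive off. The forged request, which carries the extra `authenticated` field, passes `vulnerable_check()` but not `hardened_check()`.

```php
<?php
// Added example, not the book's or the thread's own code.
// Simulates register_globals=On with extract() so it runs on any PHP setup.

function authenticate_user(array $input): bool {
    // Constructed stand-in for the book's credential check; a real app would
    // compare against a stored password hash with password_verify().
    return ($input['user'] ?? '') === 'alice'
        && ($input['pass'] ?? '') === 'correct-horse';
}

// The book's pattern: $authenticated is only assigned on success and is never
// initialised, so a request field named 'authenticated' pre-sets it.
function vulnerable_check(array $request): bool {
    extract($request);                 // roughly what register_globals=On did for you
    if (authenticate_user($request)) {
        $authenticated = true;
    }
    // If the request contained authenticated=1, the variable already exists here.
    return isset($authenticated) && (bool) $authenticated;
}

// Hardened: initialise before use and read input only from the explicit array
// ($_POST in a real script), never from "magically" registered variables.
function hardened_check(array $post): bool {
    $authenticated = false;            // a submitted field can no longer pre-set this
    if (authenticate_user($post)) {
        $authenticated = true;
    }
    return $authenticated;
}

// Constructed requests: a real login and a forged one with the extra field added.
$legit  = ['user' => 'alice',   'pass' => 'correct-horse'];
$forged = ['user' => 'mallory', 'pass' => 'wrong', 'authenticated' => '1'];

var_dump(vulnerable_check($legit), vulnerable_check($forged));
var_dump(hardened_check($legit), hardened_check($forged));
```

The same fix works on a host where you cannot turn the directive off: every variable a script relies on is assigned before it is read, and all user input is taken from `$_POST`/`$_GET` explicitly.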

Luka

  • Administrator
  • ULTIMATE member
    • http://www.snewscms.com
Learning PHP - register_globals
« Reply #3 on: August 19, 2006, 06:46:30 pm »

sNews is written so it doesn't use register globals so it works on both configurations. It's always good to make your code work on any server but that's not easy to accomplish.

philmoz

  • High flyer
  • ULTIMATE member
    • fiddle 'n fly
Learning PHP - register_globals
« Reply #4 on: August 28, 2006, 04:05:16 pm »

Quote from: Luka
sNews is written so it doesn't use register globals so it works on both configurations. It's always good to make your code work on any server but that's not easy to accomplish.
Agree wholeheartedly, code should work on any server.

Does 1.5 work on server with short-open-tags disabled? ;)


Just thought I should ask.
Of all the things I have lost, it is my mind that I miss the most.

Luka

  • Administrator
  • ULTIMATE member
    • http://www.snewscms.com
Learning PHP - register_globals
« Reply #5 on: August 28, 2006, 04:21:11 pm »

Quote from: philmoz
Quote from: Luka
sNews is written so it doesn't use register globals so it works on both configurations. It's always good to make your code work on any server but that's not easy to accomplish.
Agree wholeheartedly, code should work on any server.

Does 1.5 work on server with short-open-tags disabled? ;)


Just thought I should ask.
We replaced all