Journal yintercept's Journal: Register Globals Off

I admit, I am one of those programmers who became addicted to the register globals feature of PHP. This feature was defaulted on in PHP 4. I moved to a new host and PHP 5 where it is off, and all my programs are broken.

The register global feature made it so all of the GET and POST elements would appear in a PHP program as variables. Hackers quickly learned that you can sometimes break into a site simply by hitting the site with random variables ... hoping to find a variable that was not properly initialized.

My way around this security threat was to put everything in functions. My hope was that the parameter list for the function would filter out any hacks. If you pressed a submit button on a form with inputs "one", "two" and "three", the data would simply go straight into a function with parameters ($one, $two, $three). Any additional variables thrown by a hacker would be ignored.

Because I feel comfortable that the parameter list does a sufficient job of filtering out additional variables, I might consider running extract($_POST, EXTR_SKIP) to simply simulate Register Globals On. All of the pages I read say that this is a very bad idea.

I also thought about running the following code:

$varList = array('one' => 'int', 'two' => 'str', 'three' => 'int');

foreach ($_REQUEST as $key => $value) {
    // Only names listed in $varList are ever created as variables;
    // the isset() check avoids a notice (and an unintended match) for unknown keys.
    if (!isset($varList[$key])) {
        continue;
    }
    if ($varList[$key] == 'int') {
        ${$key} = (int) $value;
    } elseif ($varList[$key] == 'str') {   // original read $varType, an undefined array
        ${$key} = strValidation($value);    // strValidation(): the author's own string validator
    }
}

It seems that the above code would let me specify what elements I want in the program's symbol table. Of course, I am also thinking about just using the data directly from $_POST and $_GET. It is a hassle.
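An added example (not the journal author's code) contrasting the extract()/register-globals shape with a typed whitelist that never touches the symbol table. It assumes a page that sets $authorized only after a successful password check, the "variable not properly initialized" case described above; the request array and secret are constructed.

```php
<?php
// Vulnerable shape: extract() behaves like register_globals. EXTR_SKIP only
// protects names that are already set when extract() runs, so a request
// field named "authorized" creates $authorized before the check below.
function vulnerableCheck(array $request, $secret)
{
    extract($request, EXTR_SKIP);
    if (isset($password) && $password === $secret) {
        $authorized = true;
    }
    return !empty($authorized);   // may have been supplied by the request
}

// Hardened shape: a whitelist of (name => type) decides which request keys
// are read, validates each one, and returns a plain array. Unknown keys are
// dropped and no variable is created from a request field name.
function readRequest(array $request, array $spec)
{
    $out = array();
    foreach ($spec as $name => $type) {
        if (!array_key_exists($name, $request)) {
            continue;             // a missing field stays missing, never auto-created
        }
        $raw = $request[$name];
        if ($type === 'int') {
            $valid = filter_var($raw, FILTER_VALIDATE_INT);
            $out[$name] = ($valid === false) ? null : (int) $valid;
        } elseif ($type === 'str') {
            $out[$name] = is_string($raw) ? trim($raw) : null;
        }
    }
    return $out;
}

function hardenedCheck(array $request, $secret)
{
    $in = readRequest($request, array('password' => 'str'));
    $authorized = false;          // initialized before any request data is consulted
    if (isset($in['password']) && $in['password'] === $secret) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: no password, but an extra "authorized" field and a stray key.
$forged = array('authorized' => '1', 'one' => '42', 'four' => 'junk');
var_dump(vulnerableCheck($forged, 'correct horse'));
var_dump(hardenedCheck($forged, 'correct horse'));
var_dump(readRequest($forged, array('one' => 'int', 'two' => 'str', 'three' => 'int')));
```

The vulnerable function accepts the forged request, the hardened one rejects it, and readRequest() returns only the whitelisted key "one" as an integer, with "four" discarded and "two"/"three" absent rather than auto-created.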

Having register globals off is a hassle. I am not sure if I am gaining any additional security by going through all the brain damage needed to handle this change.

BTW, in reading different pages on this issue, I've found several people who seem to have the illusion that POST data is somehow more secure than GET data. All a hacker needs to do to play with POST data is save your form to a disk then put whatever they want in the input fields. People can change the data in cookies. Anything that comes from the web is a security threat.
