p2p.wrox.com Forums


beginning_php thread: Simple Question


Message #1 by Richard Holmes <holmesra@w...> on Tue, 25 Feb 2003 11:35:11 -0700
Sorry to bother with what I hope is a simple question:

Globals ( heheh I know everybody is rolling their Eyes)

Do the same security concerns about having Globals "on" apply if you 
are using the same page to do everything, i.e. 
<form action="<?= $PHP_SELF ?>" method="post">

versus using another page to perform the forms processing?

This question has been bugging me.

Thanks

-Rich Holmes

Message #2 by "Nikolai Devereaux" <yomama@u...> on Tue, 25 Feb 2003 11:19:23 -0800
> Sorry to bother with what I hope is a simple question:
>
> Globals ( heheh I know everybody is rolling their Eyes)
>
> Do the same security concerns about having Globals "on" apply if you
> are using the same page to do everything, i.e.
> <form action="<?= $PHP_SELF ?>" method="post">
>
> versus using another page to perform the forms processing?
>
> This question has been bugging me.


Yes, because you can't guarantee that the client will _ONLY_ request your
page using a self-referring form.

The danger of setting register_globals = on is that a user can send
malicious data to a web page by spoofing fake GET or POST data; just having
a form on the page that submits to itself has absolutely nothing to do with
those security risks, and cannot prevent someone from tacking on a
"&configvar=badvalue" type string to the end of the url.


Make sense?


Take care,

Nik

Message #3 by "Pedro Graca" <bzzzt@f...> on Tue, 25 Feb 2003 19:44:39 +0000
On Tue, 25 Feb 2003 11:35:11 -0700, Richard Holmes said:
> Sorry to bother with what I hope is a simple question:
> 
> Globals ( heheh I know everybody is rolling their Eyes)
> 
> Do the same security concerns about having Globals "on" apply if you 
> are using the same page to do everything, i.e. 
> <form action="<?= $PHP_SELF ?>" method="post">
> 
> versus using another page to perform the forms processing?
> 
> This question has been bugging me.
> 
> Thanks
> 
> -Rich Holmes
> 
> 
> 
-- 
                                            ()    ribbon campaign     ()
                                            /\   against HTML mail    /\
Message #4 by "Pedro Graca" <bzzzt@f...> on Tue, 25 Feb 2003 20:07:52 +0000
oops :)

On Tue, 25 Feb 2003 11:35:11 -0700, Richard Holmes said:
> Globals ( heheh I know everybody is rolling their Eyes)
> 
> Do the same security concerns about having Globals "on" apply if you 
> are using the same page to do everything, i.e. 
> <form action="<?= $PHP_SELF ?>" method="post">
> 
> versus using another page to perform the forms processing?

you *CANNOT* trust global variables, no matter where you use them!
the problem with global variables is everywhere they're used.

problem is you don't know what they contain ... if you save global $name
to a session and two pages after the save you read $name, you have
no guarantee that it is the same $name that you saved previously: some
routine in your code may have changed it or the user may have changed it.

if you use a variable without initializing it, you're going to get into
trouble sooner or later

imagine you only allow someone from a certain IP to delete records:
  if ($_SERVER['REMOTE_ADDR'] == '10.2.3.4') {
    // delete records
  }

and a user types into the URL
  http://www.example.com/page?_SERVER[REMOTE_ADDR]=10.2.3.4

I really don't know what happens when register_globals is on ... with it
off you get a $_GET variable -- users can't mess with $_SERVER (just
checked :)

same thing with $_SESSION
-- 
                                            ()    ribbon campaign     ()
                                            /\   against HTML mail    /\
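The following script puts Nik's point from message #2 (a self-submitting form cannot stop someone tacking "&something=value" onto the URL) and Pedro's point from message #4 (an uninitialised global gets whatever the request supplies) side by side with the hardened version. This is an added example, not code from the thread. It assumes PHP 7 or later; register_globals was removed in PHP 5.4, so its effect is simulated with extract() over constructed request arrays instead of a real web request. The function names mayDeleteVulnerable and mayDeleteHardened, the $authorized flag, the "confirm" form field and the session "role" key are all made up for the illustration. It does not attempt the $_SERVER[REMOTE_ADDR] overwrite Pedro wondered about; the hardened function only shows the IP check written as a comparison rather than an assignment.

```php
<?php
// Added example, not code from the thread. PHP 7+. register_globals was
// removed in PHP 5.4, so its effect is simulated here: extract() over a
// constructed request array stands in for the engine registering every
// GET/POST/cookie key as a global before the script's first line runs.

// --- Vulnerable: trusts a global that only a successful login would set. ---
function mayDeleteVulnerable(array $request): bool
{
    extract($request);               // simulation of register_globals = on
    // Real login code would do:  if (password ok) { $authorized = true; }
    // Nothing initialises $authorized first, so a request key wins.
    return isset($authorized) && $authorized;
}

// --- Hardened: initialise every variable, read input only from the array
// you mean, and tie authorisation to server-side state (the session). ---
function mayDeleteHardened(array $post, array $server, array $session): bool
{
    $authorized = false;                                    // explicit default
    $isPost     = ($server['REQUEST_METHOD'] ?? '') === 'POST';
    $trustedIp  = ($server['REMOTE_ADDR'] ?? '') === '10.2.3.4'; // == not =
    $isAdmin    = ($session['role'] ?? '') === 'admin';     // set at login only
    $confirmed  = ($post['confirm'] ?? '') === 'yes';       // from the form only
    if ($isPost && $trustedIp && $isAdmin && $confirmed) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests (not captured traffic). The first is what the
// self-submitting form sends; the second is the same page requested with
// "&authorized=1" tacked on by hand, the case Nik describes. The form
// itself does nothing to prevent the second.
$fromForm = [];
parse_str('name=Rich&confirm=yes', $fromForm);
$crafted = [];
parse_str('name=Rich&confirm=yes&authorized=1', $crafted);

foreach (['form' => $fromForm, 'crafted URL' => $crafted] as $label => $req) {
    printf("vulnerable, %-11s            : %s\n", $label,
        mayDeleteVulnerable($req) ? 'DELETES' : 'refuses');
}

// Hardened: the crafted request is refused without an admin session ...
$server  = ['REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '203.0.113.9'];
$session = [];                                              // nobody logged in
printf("hardened,   crafted URL, no session: %s\n",
    mayDeleteHardened($crafted, $server, $session) ? 'DELETES' : 'refuses');

// ... and the legitimate form POST from the allowed host is accepted.
$server  = ['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '10.2.3.4'];
$session = ['role' => 'admin'];                             // set by login code
printf("hardened,   form POST, admin session: %s\n",
    mayDeleteHardened($fromForm, $server, $session) ? 'DELETES' : 'refuses');
```

Run it with the PHP CLI (php example.php). The vulnerable function deletes on the crafted URL and refuses on the plain form; the hardened one refuses the crafted URL and accepts only the POST from 10.2.3.4 with an admin session, because none of its inputs are reachable through a query string the user can type.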
Message #5 by Richard Holmes <holmesra@w...> on Tue, 25 Feb 2003 21:10:28 -0700
I just wanted to say thanks for clearing up the issues regarding the 
Globals. I understood partially but I really appreciate the 
explanations from everybody.

Once again , Thanks
-Rich

