Re: FN-FORUM: Register globals on or off??

date posted 8th May 2007 21:08

lee fogarty wrote:
>
> I have recieved a site recently that needs completing. The thing is,
> in the .htaccess file, register globals is forced on.
>
> Surely not a good thing?
>
> The only reason I ask is that I never have register globals on.
> However, this site wasn't done by an amature so I am starting to doubt
> whether my thoughts on site security are entirely accurate.
>

register_globals on can cause security problems for those who don't know
what they are doing. It makes scripts easy to hack when those scripts
rely on global variables, say one called $logged_in or $is_admin.

I have seen code which requires register_globals to be on to use some of
the older session functions that php provides. The code in question was
safe because all the variables and logic were in classes, and thereby
immune from the problem.

There were a few global variables, but they were properly defined.

An exploit would work on code like this:-



Calling this script with something like http://domain/script.php?is_admin=1

would show the problem.

Sticking "$is_admin=false;" as the first line would fix the code.


Regards

Richard

--
Artumi Systems, 58 Salmon Street, Sheffield, S11 8DD.
Tel 0114 250 7654, Web http://www.artumi.com
VAT Reg 889 0317 88