register_global off
- Thread starter temi
- Start date
M
melkior_inactive
Guest
Well, if they are on than someone with too much time on his hands could hack your site easily. He could inject variables into your script without any problems.
P
Piotrek
Guest
Hi Guys,
Very interesting topic. I was wondering - does the source of the problem lie in applications security flows or in PHP itself? And which globals are the most voulnarable?
Thanks,
Piotrek
Very interesting topic. I was wondering - does the source of the problem lie in applications security flows or in PHP itself? And which globals are the most voulnarable?
Thanks,
Piotrek
M
melkior_inactive
Guest
The problem isn't in PHP, it's in bad programming.
For instance if register_globals is on then something like this might happen:
The page might be coded like this:
So when the script links to example.com/index.php?password=c3g4H2m
the user would be taken to admin area (note that this is a poor example since noone should code like this but you'll get the point).
So the script above would take the user to the Admin area if he provides the right password.
But, a hacker (or someone curious enough) might write this into his adress bar: example.com/index.php?authorised=1
He too would be taken to the Admin area.
The problem in the script above is that the $authorised variable was left uninitialized.
So to fix this security risk the code should be:
Thus by initializing the variable it doesn't matter what the hacker wrote since the variable is set to 0 on the first line.
But the safest way is to have register_globals off and than the code should look like this:
So, now your script accepts only the variable specified in the $_GET, and you can leave the $authorised uninitialized since noone can tamper with it.
Also note that the script above is very unsecure and it was written only as an example so noone should use it for an actual login.
For instance if register_globals is on then something like this might happen:
The page might be coded like this:
PHP:
if ($password=="c3g4H2m") {
$authorised="1";
}
if ($authorised == 1) header(Location: admin.php?login=true);the user would be taken to admin area (note that this is a poor example since noone should code like this but you'll get the point).
So the script above would take the user to the Admin area if he provides the right password.
But, a hacker (or someone curious enough) might write this into his adress bar: example.com/index.php?authorised=1
He too would be taken to the Admin area.
The problem in the script above is that the $authorised variable was left uninitialized.
So to fix this security risk the code should be:
PHP:
$authorised="0";
if ($password=="c3g4H2m") {
$authorised="1";
}
if ($authorised == 1) header(Location: admin.php?login=true);But the safest way is to have register_globals off and than the code should look like this:
PHP:
if ($_GET['password']=="c3g4H2m") {
$authorised="1";
}
if ($authorised == 1) header(Location: admin.php?login=true);Also note that the script above is very unsecure and it was written only as an example so noone should use it for an actual login.
M
melkior_inactive
Guest
Thanks Temi!
Bottom line is that it's best to have register_globals set to off and use associative arrays $_POST and $_GET in your scripts.
If you really have a need to set them to on or you can't change the setting than, make sure that all variables in your code are properly initialized.
Also note that it's quite possible that in the future versions of PHP register_globals will be set to off and that you wan't be able to change it.
Also a few tips:
if you want register_globals on (which I wouldn't recommend)
than you can put this into your .htaccess file:
And if you want to set them off (recommended)
than put this into your .htaccess file:
Bottom line is that it's best to have register_globals set to off and use associative arrays $_POST and $_GET in your scripts.
If you really have a need to set them to on or you can't change the setting than, make sure that all variables in your code are properly initialized.
Also note that it's quite possible that in the future versions of PHP register_globals will be set to off and that you wan't be able to change it.
Also a few tips:
if you want register_globals on (which I wouldn't recommend)
than you can put this into your .htaccess file:
Code:
php_flag register_globals onAnd if you want to set them off (recommended)
than put this into your .htaccess file:
Code:
php_flag register_globals off
P
Piotrek
Guest
Thanks very much Melky! That did explain a lot. And the drawback of globals was as I suspected bad programming not them itself.
I've read that $_GET table is rather not recommended for the reason the variables and values are also passed to the script in the url so they may be hacked the same way you described, right?
So this code:
Can also be hacked writting this:
For the same reason would this get me to the control panel as well:
Correct?
Or is the variable $authorised not accessible from outside the condition if?
And thanks for the tip about .htaccess commend. Do you by any chance know a nice guide to .htaccess managing?
Kind Regards,
Piotrek
I've read that $_GET table is rather not recommended for the reason the variables and values are also passed to the script in the url so they may be hacked the same way you described, right?
So this code:
PHP:
if ($_GET['password']=="c3g4H2m") {
$authorised="1";
}
if ($authorised == 1) header(Location: admin.php?login=true);
PHP:
script.php?authorised=1For the same reason would this get me to the control panel as well:
PHP:
admin.php?login=trueOr is the variable $authorised not accessible from outside the condition if?
And thanks for the tip about .htaccess commend. Do you by any chance know a nice guide to .htaccess managing?
Kind Regards,
Piotrek
M
melkior_inactive
Guest
No problem Piotrek! 
The code you wrote in the first PHP code block wouldn't be hacked by script.php?authorised=1 since I wrote that example for the registered_globals set to off so no outside influence on variables is allowed.
And yes, you could hack the script with admin.php?login=true, but that wasn't the point. I was just giving an example of some kind of access to the admin part.
Don't know about I guide for .htaccess files. I've never found one comprehensive enough. They usually tend give examples for only one group of settings. But when I get some free time, I'll create one.
The code you wrote in the first PHP code block wouldn't be hacked by script.php?authorised=1 since I wrote that example for the registered_globals set to off so no outside influence on variables is allowed.
And yes, you could hack the script with admin.php?login=true, but that wasn't the point. I was just giving an example of some kind of access to the admin part.
Don't know about I guide for .htaccess files. I've never found one comprehensive enough. They usually tend give examples for only one group of settings. But when I get some free time, I'll create one.
M
melkior_inactive
Guest
They're not recommended for logins, but for other parts of the script they are OK.
Logins are best managed by $_COOKIE and checking the data against the user database (username and the hashed password).
P
Piotrek
Guest
Yes, I know, sorry for pestering ;P
Wow, this would be awesome!
And I appreciate the advice about passwords, I will keep it in mind
Thanks very much!
Piotrek
Well, if they are on than somebody with too much time on his hands could hack your site well. He could inject variables into your book absent any troubles.
Similar threads
