
17.1.1 register_globals


We have already briefly looked at how the register_globals setting in your php.ini makes a big difference to the security of your site. By default, register_globals is disabled, so you need to use the superglobal arrays $_GET, $_POST, etc., to get the contents of the forms you receive. It is strongly recommended that you leave register_globals set to off and use the superglobals; doing otherwise leaves you wide open to attack.

The "security through obscurity" thinking of "if no one knows what variables I use, they will not be able to set them themselves" is not worth the risk: never trust user data, particularly when working with a database. For example, consider this query:

UPDATE $table SET ReadCount = ReadCount + 1 WHERE MessageID = $MID;

That is an example query for a mythical messageboard that tracks how many times a message has been read. Each time a message is loaded, that query is executed to increment its "ReadCount" number. The $table and $MID parts would be substituted by PHP with the name of the messageboard table and the ID of the message currently being viewed.

Now, what would happen if a malicious user passed in $table like this:

mypage.php?table=admin SET Password = 'foo';#

The SQL statement would now look like this:

UPDATE admin SET Password = 'foo';# SET ReadCount = ReadCount + 1 WHERE MessageID = $MID;

As you know, # is an SQL comment, which means that everything after the # is ignored, leaving the query as this:

UPDATE admin SET Password = 'foo';

This malicious visitor has just set the password of all administrators to "foo"! The way in from there is a cinch, and soon they have complete control over the web site. This attack is commonly referred to as SQL injection.

You are probably sick of reading this, but I will try to make it the last time: do not trust user data!
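A hardened version of the messageboard update, added here as an example and not code from the book. It assumes PDO with an in-memory SQLite database, and that "messages" and "archive" are the only legitimate table names; the table name is checked against that fixed allow-list (identifiers cannot be bound as parameters), and the message ID is bound as an integer parameter instead of being interpolated into the SQL.

```php
<?php
// Added example, not from the book. Only these table names may appear
// in the query; the list itself is assumed for the demonstration.
const MESSAGE_TABLES = ['messages', 'archive'];

function incrementReadCount(PDO $db, string $table, $mid): int
{
    // Table names cannot be sent as bound parameters, so the only safe
    // option is to accept nothing but a known-good identifier.
    if (!in_array($table, MESSAGE_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table name");
    }
    // Reject anything that is not a plain unsigned integer before it
    // gets near the database.
    if (!ctype_digit((string) $mid)) {
        throw new InvalidArgumentException("MessageID must be numeric");
    }
    // $table is now one of our own constants; the ID is a bound integer,
    // so the statement text can no longer be changed by user input.
    $stmt = $db->prepare(
        "UPDATE \"$table\" SET ReadCount = ReadCount + 1 WHERE MessageID = :mid"
    );
    $stmt->bindValue(':mid', (int) $mid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample schema and data for an offline demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE messages (MessageID INTEGER PRIMARY KEY, ReadCount INTEGER NOT NULL DEFAULT 0)");
$db->exec("CREATE TABLE admin (Password TEXT NOT NULL)");
$db->exec("INSERT INTO messages (MessageID, ReadCount) VALUES (1, 0)");
$db->exec("INSERT INTO admin (Password) VALUES ('secret')");

// The payload from the text is rejected before any SQL is built.
try {
    incrementReadCount($db, "admin SET Password = 'foo';#", '1');
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
echo "admin password still: ", $db->query("SELECT Password FROM admin")->fetchColumn(), "\n";

// The legitimate request works as before; $_GET['MID'] would be the real source.
$mid = $_GET['MID'] ?? '1';
echo "rows updated: ", incrementReadCount($db, 'messages', $mid), "\n";
```

Because the table name never comes from the request at all in most real applications, the allow-list check is usually a sign that the design should be revisited; the point is that anything reaching the query text must be one of your own values, and everything else must be bound.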






Comments from other readers
jjkola@email.com - 06 Sep 2008

Hello!

I have used a solution on my website which deals with this kind of thing. The code goes through the _GET, _POST and _COOKIE variables and checks if the specified variable name is defined, and if it finds it, unsets it. This way, even if register_globals is on, the site would work as if register_globals were off. The only thing you need to remember is to check if the variable name happens to be one of the superglobals, because you don't want to unset those (it's a very easy way to make your script crash).

Regards,

Jyrki Jaakkola


