Re: register_globals in php4

To: "Christian G. Warden" <cwarden@xerus.org>
Cc: debian-security@lists.debian.org
Subject: Re: register_globals in php4
From: Patrick Hsieh <pahud@pahud.net>
Date: Fri, 10 May 2002 01:11:41 +0800
Message-id: <[🔎] 20020510010704.2CCD.PAHUD@pahud.net>
In-reply-to: <[🔎] 20020509095102.A22028@xerus.org>
References: <[🔎] 20020510000423.B03F.PAHUD@pahud.net> <[🔎] 20020509095102.A22028@xerus.org>

Hello "Christian G. Warden" <cwarden@xerus.org>,

Yes. But when a user type the url something like login.php?id=fakeid
Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get "fakeid", right?
How do I avoid users affecting the system by changing the variable
values in the URL directly? If not, is there any way to protect myself
from malicious url injection attack?





On Thu, 9 May 2002 09:51:02 -0700
"Christian G. Warden" <cwarden@xerus.org> wrote:

> one of the php lists is probably a better forum for this question, but
> in short, register_globals=off means that if you want to use the "id"
> variable passed in the query string by the browser, you would access it as
> $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.  more info
> at http://www.php.net/manual/en/language.variables.predefined.php
> 
> xn
> 
> On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
> > Hello list,
> > 
> > php4.1 recommends to set register_globals=off in php.ini to make php
> > more strict.  My question is, if I turn off register_globals, what will
> > happen if any malicious user just try to modify the variable values in
> > the url? Say,
> > 
> > http://www.domain.com/xxx.php?id=3&sex=female
> > 
> > Does it work if user just change the value in the URL directly and send
> > the url directly to web server?
> > 
> > How can we avoid the malicious attack by directly http GET/POST with
> > modified parameter values to make possible system error or compromise?
> > 
> > 
> > -- 
> > Patrick Hsieh <pahud@pahud.net>
> > GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-- 
Patrick Hsieh <pahud@pahud.net>
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: register_globals in php4
  - From: Simon Huggins <huggie@earth.li>
- Re: register_globals in php4
  - From: "Christian G. Warden" <cwarden@xerus.org>

References:
- register_globals in php4
  - From: Patrick Hsieh <pahud@pahud.net>
- Re: register_globals in php4
  - From: "Christian G. Warden" <cwarden@xerus.org>

Prev by Date: Re: register_globals in php4
Next by Date: Re: register_globals in php4
Previous by thread: Re: register_globals in php4
Next by thread: Re: register_globals in php4
Index(es):
- Date
- Thread