
Re: register_globals in php4



you must write your application safely.  it sounds like you're trying to
prevent a user from changing their userid.  after they log in, you could
create a session variable with their userid and only use that session
variable.  i still use register_globals=on with my code, but i have the
following code that gets included on every page:
if (!session_is_registered('userid')) {
	// drop any $userid the request injected via register_globals=on
	unset($userid);
}
and in my login function, after username and password are verified, i
put the userid in $userid and session_register('userid');
this allows me to always trust that $userid matches the userid of the
authenticated user.
here's an article on secure programming in php:
http://www.zend.com/zend/art/art-oertli.php

xn
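The same pattern written for later PHP, as an added example that is not part of the original mail: $_SESSION stands in for session_register()/session_is_registered(), and the $USERS array, ensure_session(), login() and current_userid() are assumed names.

```php
<?php
// Added example, not code from the original mail. It carries the same
// "trust only the session copy of userid" pattern over to $_SESSION,
// which replaced session_register()/session_is_registered() (both gone
// since PHP 5.4, as is register_globals itself). $USERS is a constructed
// stand-in for the real user table.
declare(strict_types=1);

// Constructed sample credential store: username => [userid, password hash].
$USERS = [
    'alice' => ['userid' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/** Login: verify the credentials first, only then record the userid server-side. */
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return false;           // unknown user or wrong password: session untouched
    }
    ensure_session();
    session_regenerate_id(true); // fresh session id once the privilege level changes
    $_SESSION['userid'] = $users[$username]['userid'];
    return true;
}

/** Guard for every page: the only source of $userid is the session. */
function current_userid(): ?int
{
    ensure_session();
    return isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : null;
}

// With register_globals=on, page.php?userid=1 would already have created a
// global $userid from the query string. Overwriting it unconditionally from
// the session (rather than only unsetting it when absent) closes that hole,
// and the same line is correct with register_globals=off.
$userid = current_userid();
if ($userid === null) {
    http_response_code(403);
    exit('not logged in');
}
```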

On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
> Hello "Christian G. Warden" <cwarden@xerus.org>,
> 
> Yes. But when a user type the url something like login.php?id=fakeid
> Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get "fakeid", right?
> How do I avoid users affecting the system by changing the variable
> values in the URL directly? If not, is there any way to protect myself
> from malicious url injection attack?
> 
> On Thu, 9 May 2002 09:51:02 -0700
> "Christian G. Warden" <cwarden@xerus.org> wrote:
> 
> > one of the php lists is probably a better forum for this question, but
> > in short, register_globals=off means that if you want to use the "id"
> > variable passed in the query string by the browser, you would access it as
> > $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.  more info
> > at http://www.php.net/manual/en/language.variables.predefined.php
> > 
> > xn
> > 
> > On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
> > > Hello list,
> > > 
> > > php4.1 recommends to set register_globals=off in php.ini to make php
> > > more strict.  My question is, if I turn off register_globals, what will
> > > happen if any malicious user just try to modify the variable values in
> > > the url? Say,
> > > 
> > > http://www.domain.com/xxx.php?id=3&sex=female
> > > 
> > > Does it work if user just change the value in the URL directly and send
> > > the url directly to web server?
> > > 
> > > How can we avoid the malicious attack by directly http GET/POST with
> > > modified parameter values to make possible system error or compromise?
> > > 
> > > 
> > > -- 
> > > Patrick Hsieh <pahud@pahud.net>
> > > GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
> > > 
> > > 
> > > -- 
> > > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > 
> > 
> 
> -- 
> Patrick Hsieh <pahud@pahud.net>
> GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg

