We have already briefly looked at how setting the register_globals variable in your php.ini makes a big difference to the security of your site. By default, register_globals is disabled - you need to use the superglobal arrays $_GET, $_POST, etc., to get the contents of forms you receive. It is strongly recommended that you leave register_globals set to off and use the superglobals - doing otherwise leaves you wide open to attack.
The "security through obscurity" thinking of "if no one knows what variables I use, they will not be able to set them themselves" is not worth risking - never trust user data, particularly when working with a database. For example, consider this query:
UPDATE $table SET ReadCount = ReadCount + 1 WHERE MessageID = $MID;
That is an example query for a mythical messageboard that tracks how many times a message has been read. Each time a message is loaded, that query is executed to increment its "ReadCount" number. The $table and $MID parts would be substituted by PHP to be the name of the messageboard table and the current message ID being viewed.
Now, what would happen if a malicious user passed in $table like this:
mypage.php?table=admin SET Password = 'foo';#
The SQL statement would now look like this:
UPDATE admin SET Password = 'foo';# SET ReadCount = ReadCount + 1 WHERE MessageID = $MID;
As you know, # is an SQL comment, which means that everything after the # is ignored, leaving the query as this:
UPDATE admin SET Password = 'foo';
This malicious visitor just set the password of all administrators to "foo"! The way in from there is a cinch, and soon they have complete control over the web site - this hack is commonly referred to as SQL injection.
You are probably sick of reading this, but I will try to make it the last time: do not trust user data!
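The read-count query from the text, in its vulnerable form beside a hardened one, as an added example that is not from the original page; it assumes PDO with an in-memory SQLite database, and the board table and column names are hypothetical.

```php
<?php
// Added example, not code from the original page: the vulnerable query from
// the text beside a hardened form. Uses an in-memory SQLite database via PDO
// so it runs stand-alone; table and column names are hypothetical.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages_general (MessageID INTEGER PRIMARY KEY, ReadCount INTEGER NOT NULL DEFAULT 0)');
$pdo->exec('INSERT INTO messages_general (MessageID, ReadCount) VALUES (7, 0)');

// Vulnerable: the table name and message ID are pasted straight into the SQL
// text, so a crafted $table value rewrites the statement exactly as described above.
function incrementReadCountUnsafe(PDO $pdo, string $table, string $MID): void
{
    $pdo->exec("UPDATE $table SET ReadCount = ReadCount + 1 WHERE MessageID = $MID");
}

// Hardened: identifiers cannot be bound as parameters, so the table name must
// match a fixed allowlist; the message ID is bound as an integer parameter and
// therefore never becomes part of the SQL text.
function incrementReadCountSafe(PDO $pdo, string $table, string $MID): void
{
    $allowedTables = ['messages_general', 'messages_support']; // hypothetical boards
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException('Unknown message table');
    }
    if (!ctype_digit($MID)) {
        throw new InvalidArgumentException('Message ID must be a positive integer');
    }
    $stmt = $pdo->prepare("UPDATE $table SET ReadCount = ReadCount + 1 WHERE MessageID = :mid");
    $stmt->bindValue(':mid', (int) $MID, PDO::PARAM_INT);
    $stmt->execute();
}

// Read request input explicitly from the superglobals instead of relying on
// register_globals. The fallbacks are constructed sample values for running from the CLI.
$table = $_GET['table'] ?? 'messages_general';
$MID   = $_GET['MID']   ?? '7';

try {
    incrementReadCountSafe($pdo, $table, $MID);
    $count = $pdo->query('SELECT ReadCount FROM messages_general WHERE MessageID = 7')->fetchColumn();
    echo "ReadCount is now $count\n";
} catch (InvalidArgumentException $e) {
    echo "Rejected request: ", $e->getMessage(), "\n";
}
```

Passing the table value shown earlier on this page to the hardened function raises the "Unknown message table" exception before any SQL is built, which is the behaviour to look for when testing your own input handling.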