We have already briefly looked at how setting the register_globals variable in your php.ini makes a big difference to the security of your site. By default, register_globals is disabled - you need to use the superglobal arrays $_GET, $_POST, etc, to get the contents of forms you receive. It is strongly recommended you leave register_globals set to off and use the superglobals - doing otherwise leaves you wide open to attack.

The "security through obscurity" thinking of "if no one knows what variables I use, they will not be able to set them themselves" is not worth risking - never trust user data, particularly when working with a database. For example, consider this query:

UPDATE $table SET ReadCount = ReadCount + 1 WHERE MessageID = $MID;

That is an example query for a mythical messageboard that tracks how many times a message has been read. Each time a message is loaded, that query is executed to increment its "ReadCount" number. The $table and $MID parts would be substituted by PHP to be the name of the messageboard table and the current message ID being viewed.

Now, what would happen if a malicious user passed in $table like this:

mypage.php?table=admin SET Password = 'foo';#

The SQL statement would now look like this:

UPDATE admin SET Password = 'foo';# SET ReadCount = ReadCount + 1 WHERE MessageID = $MID;

As you know, # starts a comment in MySQL's SQL dialect, which means that everything after the # is ignored, leaving the query as this:

UPDATE admin SET Password = 'foo';

This malicious visitor just set the password of all administrators to "foo"! The way in from there is a cinch, and soon they have complete control over the web site - this hack is commonly referred to as SQL injection.

You are probably sick of reading this, but I will try to make it the last time: do not trust user data!
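Here is the mythical messageboard's ReadCount update written both ways, as an added example that is not code from the tutorial itself. It uses PDO on an in-memory SQLite database so it runs stand-alone; the table names, column layout, the MESSAGE_TABLES allow-list and the two helper functions are all assumptions made for the illustration. In a real page the two values would come from the superglobals the first paragraph recommends, $_GET['table'] and $_GET['MID'], rather than from literals. The point the code makes is that a value (the message ID) can be bound as a parameter, but an identifier (the table name) cannot, so it has to be checked against a fixed list instead of being trusted.

```php
<?php
// Added example, not from the original tutorial. Schema, table names and the
// allow-list below are constructed for the demonstration.

// --- Unsafe: request data spliced straight into the statement, as the text warns against ---
function unsafeQuery(string $table, string $mid): string
{
    // Nothing stops "admin SET Password = 'foo';#" from arriving in $table,
    // or "1 OR 1=1" in $mid; the string is handed to the database as-is.
    return "UPDATE $table SET ReadCount = ReadCount + 1 WHERE MessageID = $mid;";
}

// --- Safer: allow-list the identifier, bind the value ---
// Constructed allow-list of the only tables this script may update.
const MESSAGE_TABLES = ['messages' => true, 'announcements' => true];

function incrementReadCount(PDO $db, string $table, string $mid): int
{
    // A table name is an identifier, so it cannot be a bound parameter;
    // the only safe option is to refuse anything not on the fixed list.
    if (!isset(MESSAGE_TABLES[$table])) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    // The message ID is a value: validate its shape and bind it, never interpolate it.
    if (!ctype_digit($mid)) {
        throw new InvalidArgumentException("message ID must be a positive integer");
    }
    $stmt = $db->prepare("UPDATE $table SET ReadCount = ReadCount + 1 WHERE MessageID = :mid");
    $stmt->bindValue(':mid', (int) $mid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows updated (0 if the ID does not exist)
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE messages (MessageID INTEGER PRIMARY KEY, ReadCount INTEGER NOT NULL DEFAULT 0)");
$db->exec("INSERT INTO messages (MessageID, ReadCount) VALUES (1, 0), (2, 5)");

// Legitimate request, e.g. mypage.php?table=messages&MID=1
echo "built string: ", unsafeQuery('messages', '1'), "\n";
$rows = incrementReadCount($db, 'messages', '1');
$count = $db->query("SELECT ReadCount FROM messages WHERE MessageID = 1")->fetchColumn();
echo "rows updated: $rows, ReadCount for message 1 is now $count\n";

// The request from the text: mypage.php?table=admin SET Password = 'foo';#
$evil = "admin SET Password = 'foo';#";
// Only the string is built here, to show what the unsafe version would have sent.
echo "built string: ", unsafeQuery($evil, '1'), "\n";
try {
    incrementReadCount($db, $evil, '1');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The allow-list is deliberately a fixed array in the code rather than something read from the request or the database: the whole problem in the text is that the table name came from the visitor, and the fix is that it no longer can. The ctype_digit check is a second, independent guard; even without it the bound parameter would be treated as data, but rejecting malformed IDs early gives you a clear error to log instead of a silent no-op.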
