WebApp Sec mailing list archives

Re: PHP and "Register_Globals"


From: Adrian <adrian () planetcoding net>
Date: Sat, 29 Mar 2003 19:32:40 +0100

You should put the following code in your scripts:
___________________
// Take the value from the request if it is present, otherwise use a default
if(isset($_REQUEST['varname'])) $varname=$_REQUEST['varname'];
else $varname='default_value';
___________________

But do this only for variables which may be user input!

Then your program is "register_globals off"-compatible and safe.

------------------------
hello,

newer php-versions have set "register_globals" to "off" by default. i 
programmed a huge php-project during the last year and didn't start 
using the global POST and GET-arrays, so if a form contains <input 
type=text name=age>, i use $age in my scripts.

I soon realized the security issues, and wrote my own 
validation-functions, ... to handle all the XSS and SQL-injection problems.

my question is now: my app is 'safe', but what do I do if my future 
webhost has register_globals set to 'off'?

would it be possible to write a script that registers the whole 
POST-array as single variables? simply as it used to be in 'older' 
PHP-versions?

any ideas welcome :)


regards,

Ulrich

------------------------
-- 
Adrian
mailto:adrian () planetcoding net
mailto:thiefmaster () woltlab de
www: http://www.planetcoding.net
www: http://webskyline.planetcoding.net
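
The per-variable pattern from the reply above, generalised to a list of expected inputs, as an added example that is not part of the original message. The helper name `import_named_inputs()` and the sample request are hypothetical. Only names the script declares are copied, so an unexpected request parameter cannot overwrite an internal variable the way a blanket registration of the whole POST array would.

```php
<?php
// Added example, not code from the original post.
// import_named_inputs() and the sample request are hypothetical.

/**
 * Copy only the named inputs out of $source. A missing or malformed
 * input gets the declared default; the default's type selects the cast.
 */
function import_named_inputs(array $defaults, array $source): array
{
    $out = [];
    foreach ($defaults as $name => $default) {
        if (!isset($source[$name]) || is_array($source[$name])) {
            // Absent, or an array where a scalar was expected (age[]=1)
            $out[$name] = $default;
            continue;
        }
        $value = (string) $source[$name];
        if (is_int($default)) {
            // Integer inputs: accept digit strings only
            $out[$name] = ctype_digit($value) ? (int) $value : $default;
        } else {
            $out[$name] = $value;
        }
    }
    return $out;
}

// Constructed request: 'is_admin' is not an input this script expects.
$request = ['age' => '42', 'name' => 'Ulrich', 'is_admin' => '1'];

$is_admin = false; // internal state, never taken from the request

$in = import_named_inputs(
    ['age' => 0, 'name' => 'anonymous', 'page' => 1],
    $request
);
$age  = $in['age'];   // taken from the request, cast to int
$name = $in['name'];  // taken from the request, still an untrusted string
$page = $in['page'];  // not in the request, so the default applies

var_dump($age, $name, $page, $is_admin);
```

The imported strings are still user input, so the validation for XSS and SQL injection mentioned in the question applies to them unchanged.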


