WebApp Sec mailing list archives
Re: PHP and "Register_Globals"
From: "Chris Travers" <chris () travelamericas com>
Date: Sat, 29 Mar 2003 14:18:02 -0800
My favorite solution is to write a registration module at the beginning of a file (and use include_once) to extract the cookie/session/Get/Post values in whatever order you want to declare. This can be used to override settings which could also cause unexpected behavior in your application. See http://www.php.net/manual/en/function.extract.php for more details on the extract command. You can write such a module to your own specifications. This can also be used to prevent non-standard ordering of registering globals from causing unexpected behavior in your application.

Best Wishes,
Chris Travers

----- Original Message -----
From: "Ulrich P." <spam () wir-sind org>
To: <webappsec () securityfocus com>
Sent: Saturday, March 29, 2003 9:57 AM
Subject: PHP and "Register_Globals"
hello,

newer php-versions have set "register_globals" to "off" by default. I programmed a huge php-project during the last year and didn't start using the global POST and GET-arrays, so if a form contains <input type=text name=age> I use $age in my scripts. I soon realized the security issues, and wrote my own validation-functions, ... to handle all the XSS and SQL-injection problems.

my question is now: my app is 'safe', but what do I do if my future webhost has register_globals to 'off'? would it be possible to write a script that registers the whole POST-array as single variables? simply as it used to be in 'older' PHP-versions?

any ideas welcome :)

regards, Ulrich
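
One way to write the registration module described in the reply above, as an added example that is not part of the original thread: it applies the request sources in a declared order, registers only names the script has listed, and uses extract() with EXTR_SKIP so request data cannot overwrite an existing variable. The function name register_request_vars(), the $allowed list and the sample arrays are assumptions made for this illustration.

```php
<?php
// Added example, not code from the thread. register_request_vars() and
// $allowed are hypothetical names chosen for this illustration.

/**
 * Collect the request variables a script is willing to register.
 *
 * @param array $sources Source arrays in the order they are applied;
 *                       a later source overrides an earlier one.
 * @param array $allowed Expected names, each mapped to a validator callable.
 * @return array         name => validated string value
 */
function register_request_vars(array $sources, array $allowed)
{
    $vars = array();
    foreach ($sources as $source) {
        // Keep only declared names; anything else in the request is dropped,
        // so a request cannot create a variable such as $is_admin.
        $wanted = array_intersect_key($source, $allowed);
        foreach ($wanted as $name => $value) {
            // Refuse arrays (e.g. age[]=1) and values the validator rejects.
            if (is_string($value) && call_user_func($allowed[$name], $value)) {
                $vars[$name] = $value;
            }
        }
    }
    return $vars;
}

// Constructed sample input standing in for $_COOKIE, $_GET and $_POST.
$cookie = array('lang' => 'de', 'is_admin' => '1');
$get    = array('age' => '17', 'lang' => 'en');
$post   = array('age' => '42', 'GLOBALS' => 'x');

$allowed = array(
    'age'  => function ($v) { return preg_match('/^\d{1,3}$/', $v) === 1; },
    'lang' => function ($v) { return in_array($v, array('en', 'de'), true); },
);

$is_admin = false; // application state that request data must never touch

// Declared order: cookie, then GET, then POST (POST wins on a conflict).
$vars = register_request_vars(array($cookie, $get, $post), $allowed);

// EXTR_SKIP leaves any variable that already exists in this scope untouched.
extract($vars, EXTR_SKIP);

var_dump($age, $lang, $is_admin);
```

Saved as its own file and pulled in with include_once at the top of each script, this replaces the constructed arrays with $_COOKIE, $_GET and $_POST in whatever order the application declares.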