register_globals Off is not the end of the world

We keep getting remarks from our hosting users that ‘they cannot work with register_globals Off’.

register_globals is a way to pass GET & POST variables to a PHP script as normal PHP variables, for instance:

test.php:
<?php
echo $test;
?>

test.php?test=hello

would result in

hello

when register_globals is On.

A lot of (older) apps are built on this system, as ‘security’ was not a problem back then 🙂

Thing is, this is not a security problem per se, but it invites security issues; if you are not very careful you will introduce them. How? For instance (I actually found this in an open source app… I changed it here to show the same principle in a few lines):

test1.php:
<?php
if (!$user) echo "please enter your username";
else include('test2.php');
?>

test2.php:
<?php
if ($user)
    mysql_query("select * from users where user = '$user'");
?>

A malicious user could now call test2.php directly with something like:

test2.php?user='; select * from users;'

or something like that to get all users.

So the preferred way is to make it a bit more difficult for developers, so that they have to actually think about what they are doing and which variables they are passing; the better way is:

test.php:
<?php
echo $_GET['test'];
?>

and

test1.php:
<?php
$user = $_GET['user'];
if (!$user) echo "please enter your username";
else include('test2.php');
?>

test2.php:
<?php
if ($user)
    mysql_query("select * from users where user = '$user'");
?>

Now executing test2.php directly as

test2.php?user='; select * from users;'

would result in nothing, as $user will be empty in test2.php: it is only set by test1.php, which is the only file that includes test2.php.

Anyway; programmers using ‘the old way’ suck. But to keep the users off your back, you can easily help them by a) educating them about the dangers and b) telling them to rewrite the code. But most cannot or will not. And for them, you can give them this code and pray all will be fine:

<?php
// register every GET/POST/COOKIE parameter as a global variable
foreach ($_REQUEST as $k => $v) $$k = $v;
?>

or:

<?php
foreach ($_REQUEST as $k => $v) $$k = $v;
// $_REQUEST already contains cookies on a default install; this makes it explicit
foreach ($_COOKIE as $k => $v) $$k = $v;
?>

Put this at the top of all files (better: one generic header or include file, but a lot of programs don’t even have that…).

It gives you the same effect as register_globals On 🙂
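If you do hand out such a shim, a narrower version limits the damage: only register the names the legacy code actually reads, and never overwrite a variable the script already set (the naive loop lets any request parameter clobber server-side state). This is an added example, not code from the original post; the $allowed list and the include order are assumptions.

```php
<?php
// Hypothetical hardened replacement for `foreach($_REQUEST as $k=>$v) $$k=$v;`.
// Assumes it is included at global scope before the app's own variables are used.

// Names the legacy code genuinely reads from the request (assumed list;
// in practice grep the app for the variables it expects).
$allowed = ['test', 'user', 'page'];

// Collect only allowlisted request keys; everything else is ignored instead
// of being registered as a global (no $logged_in=1 from the query string).
$pending = [];
foreach ($allowed as $name) {
    // Same GET/POST/COOKIE precedence as the original shim, via $_REQUEST.
    if (array_key_exists($name, $_REQUEST)) {
        $pending[$name] = $_REQUEST[$name];
    }
}

// EXTR_SKIP refuses to overwrite a variable that already exists in this
// scope, so a request cannot replace state assigned earlier in the include chain.
extract($pending, EXTR_SKIP);
```

The allowlist only limits which names get registered; the values are still untrusted strings, so the query in test2.php still needs escaping or a parameterized query.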
