Learning PHP, MySQL, and JavaScript by Robin Nixon

Author:Robin Nixon [Robin Nixon]
Language: eng
Format: epub, pdf
Tags: COMPUTERS / Web / Web Programming
ISBN: 9780596804763
Publisher: O'Reilly Media
Published: 2009-07-02T16:00:00+00:00

register_globals: An Old Solution Hangs On

Before security became such a big issue, the default behavior of PHP was to assign the $_POST and $_GET arrays directly to PHP variables. For example, there would be no need to use the instruction $name=$_POST['name']; because $name would already be given that value automatically by PHP at the program start!

Initially (prior to version 4.2.0 of PHP), this seemed a very useful idea that saved a lot of extra code-writing, but this practice has now been discontinued and the feature is disabled by default. Should you find register_globals enabled on a production web server for which you are developing, you should urgently ask your server administrator to disable it.

So why disable register_globals? It enables anyone to enter a GET input on the tail of a URL, like this: http://myserver.com?override=1, and if your code were ever to use the variable $override and you forgot to initialize it (for example, through $override=0;), the program could be compromised by such an exploit.

In fact, because many installations on the Web remain with this gaping hole, I advise you to always initialize every variable you use, just in case your code will ever run on such a system. Initialization is also good programming practice, because you can comment each initialization to remind yourself and other programmers what a variable is for.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.