Variables problem

**micha** · Jul 17 '05, 12:44 PM

Re: Variables problem

could be a register_global s problem

if register_global s is off now, ?st=100 will not be registered
automatically as $st=100 anymore.

instead it will be accessible through the $_POST array as $_POST['st'].

if that is the problem, rather change your scripts than switch on
register_global s, because register_global s off is a good thing to have
(security wise).

micha

**Micha³ Wo¼niak** · Jul 17 '05, 12:44 PM

Re: Variables problem

One quick glance of an experienced eye allowed to understand the blurred
and almost unreadable micha's handwriting:
[color=blue]
> could be a register_global s problem
>
> if register_global s is off now, ?st=100 will not be registered
> automatically as $st=100 anymore.
>
> instead it will be accessible through the $_POST array as $_POST['st'].[/color]

Nope, it'll be the $_GET array and $_GET['st']. :)
[color=blue]
> if that is the problem, rather change your scripts than switch on
> register_global s, because register_global s off is a good thing to have
> (security wise).[/color]

Agreed. Imagine you are using a global variable called "admin" set to
false unles a proper admin authorization occurs... Now, when you have
register_global s set to "on", you'll get this global var in the $admin
var AND ?anything=whate ver will give you a global var $anything with
value "whatever".
Now imagine somebody doing this:

?admin=true

You will get the $admin var with "true" as value - but without any
authentication. ..
When register globals is off, you'll get your global var as
$GLOBALS['admin'] and the var from the address as $_GET['admin'] - no
security risk here. :)

Cheers
Mike

**micha** · Jul 17 '05, 12:44 PM

Re: Variables problem

yes, the $_GET array. sorry.

micha

**Daniel Tryba** · Jul 17 '05, 12:44 PM

Re: Variables problem

Micha? Wo?niak <mikiwoz_remove _this@yahoo_rem ove_this.co.uk> wrote:[color=blue]
> Agreed. Imagine you are using a global variable called "admin" set to
> false unles a proper admin authorization occurs...[/color]

Something like:

$admin=authetic ate();
[color=blue]
> Now, when you have register_global s set to "on", you'll get this
> global var in the $admin var AND ?anything=whate ver will give you a
> global var $anything with value "whatever". Now imagine somebody
> doing this:
>
> ?admin=true
>
> You will get the $admin var with "true" as value - but without any
> authentication. ..[/color]

Nope, doens't change anything in the sample code above.

register_global s doens't protect from using uninitialized variables
at all.

You'd be right if the programmer was stupid enough to authenticate like:

if(authticate() )
{
$admin=true;
}

But that would be caught by the proper error level reporting setting
during development.

Variables problem

Variables problem

Comment

Comment

Comment

Comment