4.2.0 and register_globals

Anon

I have been doing a lot of reading about security since the release of 4.2.0 and I still don't quite understand why having register_globals="off" is any more secure. If your code accesses and user input thru $POST, $GET, etc. then it is still possible for someone to pass variables that can compromise security regadless of your register_globals state.

If you write:

if ($auth) {...come on in...}
else {...go away...}

someone can goto the URL:
www.whatever.com/index.php?auth=1

This would still be insecure if even with register_globals="off" and you were forced to write:

if ($_GET['auth']) {...come on in...}
else {...go away...}

Even if you used $POST['auth'] instead, anyone could build their own HTML form and plug your URL in the "action" tag to submit $POST data.

I realize that this is an oversimplified example but you get the idea. Am I missing something obvious here? Why is the new version of PHP any more secure?

Anon

Consider this:

Values that are supposed to be passed from user:
username and password

Now, consider this code (with register_globals on):

if ($username == "me" && $password == "this") {
$authorized = true;
}

if ($authorized) {
print "secret info!! Confidential";
}

Now, if the user has knowledge about the script, he/she can pass authorized as the parameter, as in:
script.php?authorized=1

and even without username and password, the script would print out secret information!!

But now consider this code (with register globals off):

if ($POST['username'] == "me" && $POST['password'] == "this") {
$authorized = true;
}

if ($authorized) {
print "secret info!! Confidential";
}

Now, even if the user said
script.php?authorized=1,
register_globals is not on, therefore $authorized will be undefined and secret info won't be printed!

Hope this helps,

Diego

Anon

I see your point Diego,
Many sites I have looked at say that to emulate register_globals=on you can use the extract() function on $GET, $POST or the import_request_variables() function but it seems to me that this just reintroduces the same security problem.