Security Question

donnierivera

What are the most common pit falls with PHP’s security? I have read about turning of Global Variables off, but don’t remember why. Is there a way to turn them off in the code or just in the php.ini file? Any comments would be greatly appreciated… Thank you…

k_jazz

By turning off the ability for any user-submitted variable to be injected into PHP code, you can reduce the amount of variable poisoning a potential attacker may inflict.

They will have to take the additional time to forge submissions, and your internal variables are effectively isolated from user submitted data.

The same stuff you may do with

track_vars=off

If enabled, then Environment, GET, POST, Cookie, and Server variables can be found in the global associative arrays $ENV, $GET, $POST, $COOKIE, and $_SERVER.

In PHP 4.0.3 track_vars is always turned on.

<b>All this things to prevent when kids are trying to hack your website</b>

merkinmuffley

the reason that the PHP folks turned register_globals off is that most PHP coders don't initialize their variables by habit, and that turns into a security risk if somebody sends those variables in a request. the usual example is a login script that authenticates a submitted username/password:

// with register_globals on, $username and $password get 
// created from the request
if ($username && $password)
{
    $authOK = myUserAuthFunction($username, $password);
}

if ($authOK)
{
    // Show user some sensitive content
}

oops-- if somebody called this script with scriptname?authOK=1 they could get past the user authentication, since I didn't initialize $authOK to false. on the other hand, if register_globals were off, then users couldn't create the $authOK variable with that technique.

k_jazz

It looks like
1. check if login and password were submited by POST method
2. what page do they come from..

this thing prevents from teenage hackers who do not know
about telnet

recompiler

gee whiz, you're protecting yourself from teenage hackers who don't know about telnet. I guess you can teach everyone a thing or two.
It seems I have been on the wrong path all along when I used https for logis, used and enforcde strong password policies, used strong sesion IDs and only allow a limited number of login attempts, and had a time interval between log in atempts.

Anyone thats ever done any real testing on their code knows that injecting http referers is easealy accomplished, same goes for variable data injection coughatstakeproxycough.

Vlad G.

merkinmuffley

gotta agree there... the whole "you ought to code with register_globals off" thing seems like a weak cop-out to me... it's just as easy to write secure code with register_globals on, as long as you follow normal coding practices like (duh) initializing variables.

just because PHP lets you get lazy, doesn't mean you should.

donnierivera

Thanks for the imput... 🙂