I just came across this in a security journal and wasn't sure what to make of it:

Set the "variables_order" variable of the PHP configuration. The default setting, "EGPCS" means that the environment, the GET parameters, the POST parameters, the cookies, and the server information are all turned into global variables when a script executes. Allowing GET requests, POST requests, and cookies from the browser to do so is dangerous. Instead, consider setting "variables_order" to "ES".

I couldn't track down the author of this article, so I'm asking everyone here. Can anyone explain why this recommendation was made? Is it important and what does it mean? Thanks!

    [man]register_globals[/man] being off (which has been the default for some time now) takes care of this problem.

    A long time ago in PHP, say I have a variable in my script called $isAdmin. The person could easily change the value of this by calling myscript.php?isAdmin=1. With no register_globals, the GET variable is made global (it is called $isAdmin) inside my program. The problem with that is, if I don't initialize the variable in some cases, they may be able to make themselves admin by doing that.

    With register_globals on, myscript.php?isAdmin=1 would not make $isAdmin, but it would make $_GET['isAdmin']. Similarly with POST, you have $_POST['isAdmin']. This helps secure applications because if I do use a variable called $isAdmin in my script, and they try putting that in the URL, I now have two variables, $isAdmin and $_GET['isAdmin'], which are two different things, so
    if ($isAdmin == 1) { // show admin interface
    would not work if they passed it in the URL via GET, because $_GET['isAdmin'] is a separate variable from $isAdmin.
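As an added example (not code from the thread), the pattern the reply warns about sits next to a hardened form that initializes the flag itself and takes request input only through the superglobals, followed by a small check of the two php.ini directives this thread discusses; lookupIsAdmin() is an assumed stand-in for real auth code.

```php
<?php
// Added example, not code from the thread. Vulnerable pattern beside the hardened
// one, plus a check of the register_globals and variables_order directives.

// Vulnerable: with register_globals = On (default Off since PHP 4.2, removed in 5.4)
// the URL myscript.php?isAdmin=1 creates the global $isAdmin before this code runs.
function adminViewVulnerable(): string
{
    global $isAdmin;                      // never initialized anywhere in the script
    if ($isAdmin == 1) {
        return 'admin interface';
    }
    return 'public interface';
}

// Hardened: the flag starts at a safe default and is set only from a server-side
// lookup (lookupIsAdmin() is an assumed stand-in for your own auth code). Request
// data is read explicitly, so $_GET['view'] and $isAdmin can never be confused.
function adminViewHardened(string $user): string
{
    $isAdmin = false;
    if (lookupIsAdmin($user)) {
        $isAdmin = true;
    }
    $view = $_GET['view'] ?? 'public';
    return ($isAdmin && $view === 'admin') ? 'admin interface' : 'public interface';
}

function lookupIsAdmin(string $user): bool
{
    return $user === 'alice';             // constructed stand-in for a real lookup
}

// Config check. ini_get() returns false for a directive the running PHP lacks.
function riskyInputConfig(): array
{
    $findings = [];
    $rg = ini_get('register_globals');
    if ($rg !== false && filter_var($rg, FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'register_globals is On: request parameters become globals';
    }
    $order = (string) ini_get('variables_order');
    if ($order !== '' && strpbrk($order, 'GPC') === false) {
        $findings[] = "variables_order=\"$order\" leaves \$_GET, \$_POST and \$_COOKIE empty";
    }
    return $findings;
}

print_r(riskyInputConfig());
```

Note that variables_order also decides which superglobals get populated at all, so the "ES" setting quoted in the question leaves $_GET, $_POST and $_COOKIE empty; the directive behind the hazard in the reply is register_globals.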

      Cool. So I would want to have register_globals set to 'off' for both the local and master values, right? I've also been reading that I should create short variable names for form variables that are being passed. Like for a form element called 'isAdmin', I would do the following:

      $isAdmin = $_POST['isAdmin'];

      Is this something that everyone does?

        Yeah, programming with register_globals off is good practice because it will make your code portable and more secure. Also, remember if you are dealing with outside values, such as POST or GET and even cookie stuff, be sure to sanitize it with functions like [man]addslashes[/man] and, if it goes in the database, [man]mysql_real_escape_string[/man].

        Using short variables is common, as long as you remember where they came from.

          Thanks. As for the mysql_real_escape_string() function, I'm already planning on using the following functions to check and sanitize my user inputted variables: isset(), is_string(), trim(), strip_tags(), htmlspecialchars(), and ereg().

          Are those enough, or should I still use mysql_real_escape_string()? Also, do I need to specifically strip out characters like: ;, &, |, <, and >, or will strip_tags() do that for me?

            The thing that mysql_real_escape_string() does is escape any characters that could cause errors on inserts (such as ' " \ \0 etc.), which not only helps prevent SQL injections, but also keeps you from having errors when you go to add data.

            The characters you mention above shouldn't have any problem going into a database. strip_tags() won't remove those, but htmlspecialchars() will convert the & < > to their HTML counterparts.

              I always like to clean very aggressively all user input, just to be on the safe side. A lot of the time data from a user is alphanumeric and so I tend to strip out everything except a-z and 0-9 using a very simple function I wrote that uses a regular expression.

              It might be a bit OTT considering that I'll use strip_tags() and mysql_real_escape_string() as well, but hey, it's better to be safe than sorry! 🙂

                Yeah. I think all my fields except one are alphanumeric. That last one is supposed to be a description field (for a real estate listing). I guess the only non-alphanumeric characters that I would allow would be: "(", ")", and "."

                I can't really think of any other characters that would be needed for this description field. So I guess a combination of the functions that I mentioned before and the mysql_real_escape_string() function should be enough to sanitize the user input. Thanks!

                  Here's a quick follow-up question. Do mysql_real_escape_string() and addslashes() accomplish the same thing? Should I only be using one or the other?

                    They are similar. addslashes() escapes ', ", \ and null; mysql_real_escape_string() takes into consideration the charset of your db, and also escapes the same things as addslashes() plus \n, \r and \x1a.

                      Hmmm, so I guess using both addslashes() and mysql_real_escape_string() would be redundant then? Actually, more than redundant, it would be wrong to use both because it would add an extra set of slashes, right?

                      I guess I'll just stick with mysql_real_escape_string() as it seems to escape a larger number of potentially problematic characters.

                        Yeah, if you are going to store the data in a MySQL database, mysql_real_escape_string() is the way to go.
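The approach this thread settles on, applied to the listing form it describes, as an added example that is not code from the thread: whitelist each field (alphanumeric, plus "(", ")", "." and spaces for the description) and then escape exactly once; the field rules, the mysqli connection $db, and the use of mysqli_real_escape_string as the mysqli counterpart of mysql_real_escape_string (removed in PHP 7) are assumptions.

```php
<?php
// Added example, not code from the thread: whitelist the listing fields, then
// escape each value once before it goes into the INSERT. $db is an assumed open
// mysqli connection; the field rules are constructed for this example.

const FIELD_RULES = [
    'name'        => '/^[A-Za-z0-9 ]{1,60}$/',
    'location'    => '/^[A-Za-z0-9 ]{1,80}$/',
    'price'       => '/^[0-9]{1,9}$/',
    'description' => '/^[A-Za-z0-9 ().]{1,500}$/',
];

// Returns the cleaned fields and the names of fields that failed the whitelist.
function validateListing(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (FIELD_RULES as $field => $rule) {
        // isset(), is_string() and trim() as in the thread; anything else fails the regex.
        $value = (isset($post[$field]) && is_string($post[$field])) ? trim($post[$field]) : '';
        if (preg_match($rule, $value) === 1) {
            $clean[$field] = $value;
        } else {
            $errors[] = $field;
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Escape each validated value once. Do not run addslashes() first: both functions
// escape ' " \ and NUL, so stacking them stores doubled backslashes.
function buildInsert(mysqli $db, array $clean): string
{
    $cols = [];
    $vals = [];
    foreach ($clean as $field => $value) {   // $field comes from FIELD_RULES, not the user
        $cols[] = "`$field`";
        $vals[] = "'" . mysqli_real_escape_string($db, $value) . "'";
    }
    return 'INSERT INTO listings (' . implode(', ', $cols)
        . ') VALUES (' . implode(', ', $vals) . ')';
}

// Constructed input: the apostrophe in the description is rejected by the whitelist
// before escaping is reached, so it never gets near the query.
$result = validateListing(['name' => 'Jane Doe', 'location' => 'Springfield',
    'price' => '250000', 'description' => "3 bed house (needs work). Owner's agent on site"]);
print_r($result['errors']);
```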

                          Cool. Yeah, I'm basically making a real estate listing site geared toward a specific market. I have a form for gathering info for a listing (person's name, location of listing, asking price, description, etc.) which I need to sanitize and then add to a MySQL db. Then on the flip side, I have another form used to search the real estate listings and then display the results.

                          Yeah, I had never even heard of the mysql_real_escape_string() function. I always keep reading about addslashes() and stripslashes(). Thanks for the tip.
