jherzog Posted January 16, 2006

I am suffering a PHP problem that I don't quite understand and was hoping someone could clarify it for me.

Many of the pages in a site receive a variable via the URL (GET method) (i.e. www.url.com?variablename=variablevalue). But these pages do not contain specific code to retrieve these variables (i.e. $pagevar = $_GET['variablename']). Regardless of not having this specific retrieval code, all the pages worked just fine and now do not. Something must have changed at my hosting company. I think this has to do with the issue called globals or superglobals but I don't understand exactly. Any idea what changed, and if there is a helpful solution? This site is large and it would be extensive to identify and edit every page that retrieves a variable but is missing that code. More generally, I would just like to know more about this issue. Thank you for your help.

Jed

DeathRay2K Posted January 17, 2006

I believe that would be register globals. It's disabled in newer versions of PHP by default, as it allowed easy access to sensitive material (i.e. passwords) on badly scripted websites. You can reenable it if you wish in php.ini, but I'd advise against it.

jherzog Posted January 17, 2006

"I believe that would be register globals. It's disabled in newer versions of PHP by default, as it allowed easy access to sensitive material (i.e. passwords) on badly scripted websites. You can reenable it if you wish in php.ini, but I'd advise against it."

Yeah, that is what I have been reading. Thank you.

Now I have the task of adding the code to all the pages that receive variables. A problem is that this site is extensive and I did not write the code. Therefore I am not sure which pages are receiving variables nor what those variables' names are. It is going to take a lot of combing to confidently find all those instances. Is there a catch-all PHP command that retrieves any sent variables? Since I am having a hard time wording my question, let me say it a different way.

Is there a PHP command I could put at the beginning of most of my pages that would retrieve all GET or POST variables that have been sent to it? Hence avoiding the need to write out $varname = $_GET['varname']; for every variable.

Thanks for any help

jherzog Posted January 17, 2006

Does anyone know of a good article that explains the security risks of using register globals in layman's terms? I need to understand more and be able to explain it to those people who don't have coding knowledge. Thanks again for your help.

Jed

zanfranceschi Posted January 19, 2006

About this:

"Is there a PHP command I could put at the beginning of most of my pages that would retrieve all GET or POST variables that have been sent to it? Hence avoiding the need to write out $varname = $_GET['varname']; for every variable."

I use this:

    $variables = array('variable01', 'variable02', 'variable03', 'variable03'); // just put all variables (without the "$" sign in front) you want inside this array...
    foreach ($variables as $variable)
        ${$variable} = isset($_GET[$variable]) ? $_GET[$variable] : null; // unquoted key: '$variable' in single quotes is the literal string, not the name

To make things even easier, write this into a separate file and 'include()' it in the beginning of your pages...

Hope it helps.

DeathRay2K Posted January 21, 2006

Well, if you're going to do that you may as well enable Register Globals. The security risk is quite simple.

Take this piece of code as an example:

    <?php
    $password = "snicklefritz";
    // $foo is never assigned here; with register_globals on it is filled from the request (?foo=...)
    if ($foo == $password)
        include("sensitivedata.inc");
    else
    {
    ?>
    <html>
    <head>
        <title>Log In</title>
    </head>
    <body>
        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="Get">
            <input type="text" name="foo" />
            <input type="submit" />
        </form>
    </body>
    </html>
    <?php
    }
    ?>

Obviously this is highly simplified, but this could have been avoided by using $_GET, or even using Post instead altogether.

This exploit could also be used to view, modify, and/or delete files like .htaccess, and other such files.
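
Added example, not part of any post in this thread: it puts the risk DeathRay2K describes (a script variable the request can set) next to an allowlist import in the spirit of zanfranceschi's array, extended with a validation pattern per parameter. The function names, the `page` and `authorized` parameters and the pattern are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Function and parameter names
// are hypothetical; use the parameters each page really expects.

// Copy only the expected parameters out of $source, validating each one.
// Keys that are not listed are ignored, so a request cannot create variables.
function import_request_vars(array $rules, array $source)
{
    $clean = array();
    foreach ($rules as $name => $pattern) {
        $value = isset($source[$name]) ? $source[$name] : null;
        // Arrays (?page[]=1) and values that fail the pattern count as absent.
        $ok = is_string($value) && preg_match($pattern, $value) === 1;
        $clean[$name] = $ok ? $value : null;
    }
    return $clean;
}

// Unsafe pattern: extract() emulates register_globals, so every request
// key becomes a local variable, including ones the script never assigns.
function unsafe_page(array $request)
{
    extract($request);
    if (!empty($authorized)) {
        return 'sensitive data shown';
    }
    return 'login form shown';
}

// Safer pattern: initialise state in the script, import by allowlist.
function safe_page(array $request)
{
    $authorized = false; // real code would set this from a session check
    $in = import_request_vars(array('page' => '/^\d{1,6}$/D'), $request);
    if ($authorized) {
        return 'sensitive data shown';
    }
    return 'login form shown, page=' . var_export($in['page'], true);
}

// Constructed request: one expected parameter plus one extra key.
$request = array('page' => '12', 'authorized' => '1');
echo unsafe_page($request), "\n";
echo safe_page($request), "\n";
```

The extra `authorized` key changes the outcome only in `unsafe_page`; in `safe_page` it is never read because it is not in the allowlist.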