Jump to content

Register Globals


astralaaron
 Share

Recommended Posts

Hi I have to make additions to a custom admin that was made awhile ago. The program uses register_globals.There are some registration forms that are passing variables like this:----------------- registration.php ---------------<input name="address" type="text" value="abc" />----------------- formhandler.php ---------------echo $address; ___________________________________________in other words not using POST or GET. They also are not escaping quotes when entering into the database. Would re-writing them as $_POST make any sense? Or should I just skip that and make the data safe going into the database?I am not sure what vulnerability register_globals is besides those variable names being a problem. hope someone can clear up the confusion

Edited by astralaaron
Link to comment
Share on other sites

The script relies on register globals and magic quotes. Use this function to normalize that, regardless of the setting of magic quotes this function will get a value from either $_GET or $_POST ($_POST takes priority), and strip slashes if necessary. So the end result is that you get your value and it is not escaped, you need to do the escaping yourself, on any system regardless of the magic quotes setting.

function form_var($var, $default = ''){  $retval = $default;  if (isset($_POST[$var]))	$retval = $_POST[$var];  elseif (isset($_GET[$var]))	$retval = $_GET[$var];  if (is_array($retval))  {	foreach ($retval as $k => $v)	{	  $retval[$k] = trim($v);	  if (get_magic_quotes_gpc())		$retval[$k] = stripslashes($v);	}  }  else  {	$retval = trim($retval);	if (get_magic_quotes_gpc())	  $retval = stripslashes($retval);  }  return $retval;}

$address = form_var('address');The problem isn't that register_globals might introduce a vulnerability, which it could, but the main problem is that the code will not work on certain servers because it relies on certain settings.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...