PHP Security - Register Globals

26-Feb-08

The register globals directive has been disabled by default since PHP versions 4.2.0, let say if you are using PHP version 5.2.5, then most probably in your php.ini the variable for register_globals is set to OFF. By the way, this feature will be deprecated and removed for the future release of PHP version 6. Relying on this feature is highly discouraged.

Actually this feature does not posts any security vulnerability to PHP at all, but if PHP programmer misused it, it will create security risk to the web application.

When it is on, register_globals will inject all sorts of variables into your scripts, programmer uses variables not knowing where they came from, example request variables from HTML form. Since PHP does not required programmer to initialize variables, it make it easier to write insecure code. Let used a simple code, to make my point clearer:

<?php
 
function authenticate_user($username, $password) {
 
	// make a connection to the database to verify if
	// the username and password is in users table
	$sql="SELECT * FROM users WHERE username='$username' and password='$password'";
	$result=mysql_query($sql);
	...
	...
 
	return $authorized_user; // return TRUE if the user exists
 
}
 
if (authenticate_user("kelvin", "xxxxx")) {
	$authorized = TRUE;
}
 
if ($authorized) {
 	include "/very/important/data.php";
}
 
?>

With register_globals enabled, the page data.php can be access whitout authentication, all I need to do is request the page with ?authorized=1 in the query string. So you can see that the security vulnerability is the fault of the developer not PHP itself. So how to solved the problem with register_globals on? Simple, we just have to initialize variable $authorized=FALSE at the top of the code in our example above.

So to write a secure PHP code initialize every variables, or disable the register_globals. The second method is lot easier!

Filed in php, security | Permalink | Comments (0) »

PHP by example - How to write string to the file stream

25-Feb-08

Last week, I have a customer asked me on how to save a long XML string into a text file and put it into temporary directory, so that it can be attached into mail as an attachment. My answer is to use PHP function fwrite. fwrite writes the contents of string to the file stream pointed to by handle. Following is the example :

<?php
 
$filename = "file.txt"; // file
$content = "<xml><name>kelvin</name></xml>" // content
 
if (!$file = fopen($filename, "w")) { // open the file for write
 	echo "Cannot open file ($filename).";
 	exit;
}
 
if (fwrite($file, $content) === "FALSE") { // write content to the file
 	echo "Cannot write to file ($filename).";
 	exit;
}
 
echo "Successfully wrote ($content) to the file ($filename)";
 
fclose($file); // close the file handle
 
?>

Job done!

Filed in php | Permalink | Comments (0) »

Fedora Linux - Disable the system “beep” sound

24-Feb-08

I’m using Dell Inspiron 640m with Fedora installed. Every night, when I boot up my notebook, a loud beep will wake up my neighbors at the login screen and every time I make a mistake with the command I type in. I also found out that, Ubuntu users do face the same problem as well.

If you find the beep to be annoying, and let’s face it, it is very annoying!, you can disable it with a simple command and be system beep free.

How do I disable the system beep?
Execute the following commands in your terminal window :

su -l
rmmod pcspkr

How do I enable the system beep again?
Execute the following commands in your terminal window :

su -l
modprobe pcspkr

How do I permanently disable the system beep?
Execute the following commands in your terminal window :

su -l
echo "rmmod pcspkr" >> /etc/modprobe.conf

What is the best way to disable the system beep?
Execute the following commands in your terminal window :

su -l
echo "blacklist pcspkr" >> /etc/modprobe.d/blacklist

Filed in fedora, linux | Permalink | Comments (1) »

« Older posts
Home