PHP Security - Register Globals

The register_globals directive has been disabled by default since PHP version 4.2.0. If you are using, say, PHP version 5.2.5, then register_globals is most probably set to OFF in your php.ini. This feature will be deprecated and removed in the future release of PHP version 6, and relying on it is highly discouraged.

This feature does not in itself pose any security vulnerability to PHP, but if a PHP programmer misuses it, it creates a security risk for the web application.

When it is on, register_globals injects all sorts of variables into your scripts, so the programmer ends up using variables without knowing where they came from, for example request variables from an HTML form. Since PHP does not require the programmer to initialize variables, this makes it easier to write insecure code. Let's use a simple piece of code to make the point clearer:

<?php
 
function authenticate_user($username, $password) {
 
	// make a connection to the database to verify if
	// the username and password is in users table
	$sql="SELECT * FROM users WHERE username='$username' and password='$password'";
	$result=mysql_query($sql);
	...
	...
 
	return $authorized_user; // return TRUE if the user exists
 
}
 
if (authenticate_user("kelvin", "xxxxx")) {
	$authorized = TRUE;
}
 
if ($authorized) {
 	include "/very/important/data.php";
}
 
?>

With register_globals enabled, the page data.php can be accessed without authentication: all I need to do is request the page with ?authorized=1 in the query string. So you can see that the security vulnerability is the fault of the developer, not PHP itself. So how do we solve the problem with register_globals on? Simple: we just have to initialize the variable $authorized=FALSE at the top of the code in our example above.

So to write secure PHP code, initialize every variable, or disable register_globals. The second method is a lot easier!
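
The two fixes above, side by side, as an added example that is not the original author's code. Current PHP no longer has register_globals, so the script emulates it with extract() on a constructed query string; the stub authenticate_user() and the names page_uninitialized() and page_initialized() are assumptions for illustration.

```php
<?php
// Stub for the page's authenticate_user() (assumption): it always fails, so
// any "authorized" result below can only come from an injected variable.
function authenticate_user($username, $password) {
    return false;
}

// Unsafe pattern from the text: $authorized is never initialized.
// extract() emulates register_globals by turning each request parameter
// into a local variable before the script logic runs.
function page_uninitialized(array $request) {
    extract($request);
    if (authenticate_user("kelvin", "wrong-password")) {
        $authorized = TRUE;
    }
    return !empty($authorized); // an injected value survives to this check
}

// Fixed pattern: the script assigns $authorized itself before using it,
// overwriting whatever the request injected.
function page_initialized(array $request) {
    extract($request);
    $authorized = FALSE;
    if (authenticate_user("kelvin", "wrong-password")) {
        $authorized = TRUE;
    }
    return $authorized;
}

// Constructed request: the ?authorized=1 query string from the text.
parse_str("authorized=1", $request);

echo "uninitialized: ", var_export(page_uninitialized($request), true), "\n";
echo "initialized:   ", var_export(page_initialized($request), true), "\n";

// Deployment guard: stop if the directive is switched on. ini_get() returns
// false on PHP versions where register_globals no longer exists.
if (ini_get('register_globals')) {
    throw new RuntimeException('register_globals is On; set it to Off in php.ini');
}
```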
