
php register globals

Written By 1 on Monday, August 29, 2011 | 7:33 PM

Perhaps the most controversial change in PHP came when the default value of the register_globals directive went from ON to OFF in PHP 4.2.0. Reliance on this directive was quite common; many people didn't even know it existed and assumed that was just how PHP works. This page explains how one can write insecure code with this directive, but keep in mind that the directive itself isn't insecure; the misuse of it is.

When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this. Let's demonstrate with an example misuse of register_globals.

To understand register_globals, consider a simple example.

When register_globals is ON, you can access a request value directly by its name, e.g. for index.php?name=sandeep:
<?php echo $name; // displays "sandeep" ?>

When register_globals is OFF, you can't access the value by its name, e.g. for index.php?name=data:
when you
<?php echo $name; // $name is not defined ?>

In PHP 5.3, register_globals is off by default.
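The misuse described above, shown beside a hardened form, as an added example that is not part of the original post. register_globals was removed in PHP 5.4, so extract() stands in for it here; authenticated_user(), both page functions and the sample requests are hypothetical names constructed for illustration.

```php
<?php
// Added illustration; runs from the CLI on current PHP.
// extract() simulates what register_globals = On did to request variables.

// Hypothetical stand-in for a real login/session check.
function authenticated_user(array $session): bool
{
    return !empty($session['user_id']);
}

// "Before": request data becomes variables and $authorized is never initialized.
function page_with_register_globals(array $request, array $session): string
{
    extract($request); // simulated register_globals = On
    if (authenticated_user($session)) {
        $authorized = true;
    }
    // For an anonymous visitor, $authorized exists only if the request supplied it.
    return !empty($authorized) ? 'sensitive data' : 'access denied';
}

// "After": initialize internal variables and read request data explicitly.
function page_hardened(array $request, array $session): string
{
    $authorized = false; // internal state never comes from the request
    if (authenticated_user($session)) {
        $authorized = true;
    }
    // Explicit access, as with $_GET['name'] when register_globals is Off.
    $name = (isset($request['name']) && is_string($request['name'])) ? $request['name'] : '';
    $greeting = 'Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return $greeting . ': ' . ($authorized ? 'sensitive data' : 'access denied');
}

// Constructed sample inputs: an anonymous session and two query strings.
$anonymous = [];
$normal    = ['name' => 'sandeep'];                       // ?name=sandeep
$forged    = ['name' => 'sandeep', 'authorized' => '1'];  // ?name=sandeep&authorized=1

echo 'simulated On, normal request: ', page_with_register_globals($normal, $anonymous), PHP_EOL;
echo 'simulated On, forged request: ', page_with_register_globals($forged, $anonymous), PHP_EOL;
echo 'hardened, forged request:     ', page_hardened($forged, $anonymous), PHP_EOL;
```

Initializing $authorized closes the hole even where register_globals is still On, which is why the directive alone is not the problem.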

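You can turn off register_globals in php.ini. With the line commented out by a leading ; as below, PHP ignores it and falls back to the built-in default, which is Off since PHP 4.2.0.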
;register_globals = Off


Further reading: php.net/manual/en/security.globals.php
