[Wolves] PHP global variables

James Turner james at turnersoft.co.uk
Tue Sep 6 19:14:06 BST 2005


On Tuesday 06 Sep 2005 15:34, Stuart Langridge wrote:
> > How important is the 'security issue' with global variables in php?
> > I've just realised that over half my scripts still rely on globals=on
> > (having 'broke' them with a php re-install before I remembered
> > to turn globals back on).
> >
> > Is it really worth the effort of re-writing scripts to sort this out?
>
> Depends. If you're using any variables anywhere without having first
> initialised them to a known value, and relying on PHP having
> initialised them to zero or the empty string, then anyone can break
> your code by explicitly specifying that variable in the URL even
> though you weren't expecting them to. This is conceivably a very big
> problem, but it depends on your code.
> 
> Aq.

Agreed... it depends.

What is the "cost" (time, etc) associated with editing the affected scripts? 
What sort of data do the scripts handle and what would be the potential cost 
of a security breach?

Where you are retrieving data from the HTTP query string or posted form data, 
you would have to use something like this to "retrieve" each variable with 
register globals turned off:


if(!empty($_GET["stupid_variable"]))
        $stupid_variable = $_GET["stupid_variable"];
else
        $stupid_variable = "";		// value to use if empty/missing


Depending on the type of application and risk level involved you would follow 
this with further checks on the data type and value to confirm that it is 
acceptable.

Regards,

James
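
Added example (not part of the original message or thread): the uninitialised-variable problem described above, next to explicit initialisation and retrieval followed by type and range checks. register_globals is emulated here with extract(); the function names, the is_admin and page parameters and the sample query strings are constructed for illustration.

```php
<?php
// Constructed sample query strings; all names here are hypothetical.
$samples = ['page=3', 'page=3&is_admin=1', 'page=abc', 'page[]=1', ''];

// Legacy pattern: extract() emulates register_globals=on (removed in PHP 5.4)
// by importing request parameters into scope. $is_admin is only assigned on
// one path, so on the other path its value comes from the request.
function legacy_is_admin(array $query, bool $login_ok): bool
{
    extract($query);              // what register_globals did implicitly
    if ($login_ok) {
        $is_admin = true;
    }
    return !empty($is_admin);     // never initialised when $login_ok is false
}

// Hardened pattern: every variable starts from a known value and request
// data is never imported into scope.
function hardened_is_admin(array $query, bool $login_ok): bool
{
    $is_admin = false;            // known starting value
    if ($login_ok) {
        $is_admin = true;
    }
    return $is_admin;
}

// Explicit retrieval with a default, then checks on data type and value.
function get_page(array $query, int $default = 1, int $max = 500): int
{
    $raw = $query['page'] ?? null;
    if (!is_string($raw) || !ctype_digit($raw)) {  // rejects arrays, "abc", "-1", ""
        return $default;
    }
    $page = (int) $raw;
    return ($page >= 1 && $page <= $max) ? $page : $default;
}

foreach ($samples as $qs) {
    parse_str($qs, $query);       // stands in for $_GET
    printf("%-20s legacy=%s hardened=%s page=%d\n",
        $qs === '' ? '(empty)' : $qs,
        var_export(legacy_is_admin($query, false), true),
        var_export(hardened_is_admin($query, false), true),
        get_page($query));
}
```

Only the second sample makes the legacy function return true without a login; the hardened function returns false for every sample, and get_page() falls back to the default for the non-numeric and array inputs.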


