Board index   FAQ   Search  
Register  Login
Board index php forum :: php coding PHP coding => General

Can't access your variables?? Look here!!!

Ask about general coding issues or problems here.

Moderators: macek, egami, gesf

Did this sticky help?

Yes
5
45%
I knew that already
6
55%
No
0
No votes
 
Total votes : 11

Can't access your variables?? Look here!!!

Postby Jay » Thu Oct 03, 2002 12:12 pm

PHP 4.2.0 (and later) have disabled the register global settings by default, for enhanced security. What does this mean for you?

Instead of accessing your server variables (ie GET,POST,COOKIE,SESSION,SERVER etc) variables directly, or by using the $HTTP_POST_VARS etc arrays, you will have to call them directly from their Super Global Arrays

PHP 4.1.0 introduced SGAs, which is a more secure way of accessing your variables to prevent hacking. Instead of access a 'GET' variable using $getVar or $HTTP_GET_VARS['getVar'] you must now use $_GET['getVar']. There are other such similar SGAs.

Of course if you don't like this approach, you could always go back to the old way. A fuller explanation is provided on the PHP Website
Jay
 

Postby DoppyNL » Thu Oct 03, 2002 1:24 pm

I just voted "I knew that allready", but this sticky post will most definitely help! because a LOT of people have trouble accesing their variables.
So leave it here for a while :) :mrgreen:

Greetz Daan
DoppyNL
 

Postby DutchBen » Thu Oct 24, 2002 12:10 pm

A quick fix to the register global problem, for each super global add the following lines of code

eg.

Code: Select all
 foreach($_GET as $key => $value){

       $$key = $value;

 }


This will make all variables 'visible' again.. of course it also eliminates the extra security which is the reason for this chance in PHP.
DutchBen
New php-forum User
New php-forum User
 
Posts: 36
Joined: Thu Oct 24, 2002 10:28 am
Location: Amsterdam

Postby Jay » Thu Oct 24, 2002 1:14 pm

DutchBen wrote:A quick fix to the register global problem, for each super global add the following lines of code

eg.

Code: Select all
 foreach($_GET as $key => $value){

       $$key = $value;

 }


This will make all variables 'visible' again.. of course it also eliminates the extra security which is the reason for this chance in PHP.

You would also have to do it in a very specific order to maintain the GPC relationship with the variables! I personally don't think it's a good idea, so I won't say what that order is ;)
Jay
 

Postby DutchBen » Fri Oct 25, 2002 10:13 am

I agree, its not pretty and destroys the whole purpose of the superglobals, but it can be a live saver.

Its supposed to be a fix to give you time to properly rewrite your code.

:roll:

This order you speak of... do you mean the EGPCS order? :wink:
DutchBen
New php-forum User
New php-forum User
 
Posts: 36
Joined: Thu Oct 24, 2002 10:28 am
Location: Amsterdam

Postby Jay » Fri Oct 25, 2002 12:55 pm

DutchBen wrote:This order you speak of... do you mean the EGPCS order? :wink:

Yes, but most lay people refer to it as GPC, I believe that's what it shows up in the php.ini file as
Jay
 

Re: Can't access your variables?? Look here!!!

Postby tsapen » Sun Oct 27, 2002 5:06 am

Jay wrote:PHP 4.2.0 (and later) have disabled the register global settings by default, for enhanced security. What does this mean for you?


Could you explain what exact security enhancments this approach gives, please? I don't actually see any improvements. To my mind, script may be secured only with nice coding but not with putting some vars into array. Am I wrong?
tsapen
New php-forum User
New php-forum User
 
Posts: 6
Joined: Sun Oct 13, 2002 1:26 pm

Postby DoppyNL » Sun Oct 27, 2002 5:49 am

An explenation on why to use the Global Arrays and why it is more secure can be found on this page on the php website

Greetz Daan
DoppyNL
 

Re: Can't access your variables?? Look here!!!

Postby Jay » Sun Oct 27, 2002 3:05 pm

tsapen wrote:
Jay wrote:PHP 4.2.0 (and later) have disabled the register global settings by default, for enhanced security. What does this mean for you?


Could you explain what exact security enhancments this approach gives, please? I don't actually see any improvements. To my mind, script may be secured only with nice coding but not with putting some vars into array. Am I wrong?

Well, just to give you an example, let's say you had a secure area of your website. You log people in via a cookie, and then you set a session variable that indicates they are logged in. So what's stopping someone from appending these variables in the url and setting the values like that? The answer is: NOTHING!

However, if you use the SGA, your script will be more secure. By using $_COOKIE['val'] instead of $val you instruct your script to take ONLY the value that's present in the cookie SGA, so anyone who tries page.php?val=var will not be able to get anywhere.

It's not just an array, it's arrays that a produced by PHP to separate all the variables out so you can ascertain exactly which one you want to use!
Jay
 

Re: Can't access your variables?? Look here!!!

Postby tsapen » Mon Oct 28, 2002 1:58 am

Jay wrote:Well, just to give you an example, let's say you had a secure area of your website. You log people in via a cookie, and then you set a session variable that indicates they are logged in. So what's stopping someone from appending these variables in the url and setting the values like that? The answer is: NOTHING!


I think variable initializing stops.
Also I don't think storing such vars in cookies is reasonable. You may store SID there but not "variable that indicates they are logged in".
tsapen
New php-forum User
New php-forum User
 
Posts: 6
Joined: Sun Oct 13, 2002 1:26 pm

Postby Jay » Mon Oct 28, 2002 3:30 am

You're missing the point. The idea is that the variables are clearly separated depending on where they came from. Let me give you another example

If my IP is 62.252.32.44 and I went to this url
http://www.yoursite.com/index.php?REMOT ... .252.47.68
What would the value of $REMOTE_ADDR be in your script? Will it be my true IP, or the fake one on the URL? It'll be the fake one (IIRC), which means anyone can get away with spoofing the variables.

If you use $_SERVER['REMOTE_ADDR'] (which PHP will set up automatically) then you'll know this is the true IP of the user and hasn't been manipulated or altered by them!

That's the idea. And BTW, I never said to store that they're logged in via a cookie. I said log them in via a cookie, and then set the session to store they're logged in (which is the same manner in which this, and many other sites work). This is the best method for enhanced security!
Jay
 

Postby tsapen » Mon Oct 28, 2002 4:02 am

Thank you. I've got the idea.
But this is very strange that php does not redefine such vars with real values :?
tsapen
New php-forum User
New php-forum User
 
Posts: 6
Joined: Sun Oct 13, 2002 1:26 pm

Postby Jay » Mon Oct 28, 2002 7:22 am

tsapen wrote:Thank you. I've got the idea.
But this is very strange that php does not redefine such vars with real values :?

What do you mean?
Jay
 

Postby tsapen » Mon Oct 28, 2002 8:02 am

Jay wrote:
tsapen wrote:Thank you. I've got the idea.
But this is very strange that php does not redefine such vars with real values :?

What do you mean?


I mean that it would be better if PHP overwrite env vars like REMOTE_ADDR with their actual values.

That would be real security impovement :lol:
tsapen
New php-forum User
New php-forum User
 
Posts: 6
Joined: Sun Oct 13, 2002 1:26 pm

Postby DoppyNL » Mon Oct 28, 2002 8:09 am

tsapen wrote:I mean that it would be better if PHP overwrite env vars like REMOTE_ADDR with their actual values.

That would be real security impovement :lol:

No need to overwrite them, the are seperated at the moment, wich in my opinion is even better.
That is, IF you're using the global array's.

The reason that GET, POST, COOKIE, etc variables are still declared as "normal" variables is for backwards compatibility for older scripts.

Also, you can set the order the normal variables are declared in your php.ini file, so that helps a little, but I still find it MUCH safer to use the global arrays.

Greetz Daan
DoppyNL
 


Return to PHP coding => General

Who is online

Users browsing this forum: No registered users and 11 guests

Sponsored by Sitebuilder Web hosting and Traduzioni Italiano Rumeno and antispam for cPanel.