php ini register_globals

You may want to turn this off if you don't want to clutter your scripts' global scope with user data. This makes most sense when coupled with track_vars, in which case you can access all of the GPC variables through the $HTTP_*_VARS[] arrays. (track_vars has been permanently on since PHP 4.0.3, and the long $HTTP_*_VARS arrays were later replaced by the $_GET, $_POST and $_COOKIE superglobals and removed in PHP 5.4.)

You should do your best to write your scripts so that they do not require register_globals to be on. Using form variables as globals can easily lead to security problems if the code is not very well thought through.

register_globals = Off

With register_globals enabled, all external variables were automatically registered in the global scope: any incoming variable of type COOKIE, ENVIRONMENT, GET, POST or SERVER was made available as an ordinary global. Because they were available globally, they were also globally modifiable. Although this might seem convenient, it introduced a security deficiency: a variable intended to be managed solely through a cookie could also be supplied via the URL, and nothing in the script's code distinguished the two sources.

For example, suppose that a session identifier uniquely identifying the user is communicated across pages via a cookie. Nobody but that user should see the data that is ultimately mapped to the user identified by that session identifier. A user could open the cookie, copy the session identifier, and paste it onto the end of the URL, like this:

http://www.example.com/secretdata.php?sessionid=4x5bh5H793adK

The user could then e-mail this link to some other user. If there are no other security restrictions in place (e.g., IP identification), this second user will be able to see the otherwise confidential data.

Disabling the register_globals directive prevents such behavior. These external variables remain accessible, but each must be referred to through the superglobal array that matches its type. For example, the sessionid variable in the previous example would instead be referred to solely as the following:

$_COOKIE['sessionid']

Any attempt to supply this parameter by any other means (e.g., GET or POST) populates a different superglobal ($_GET['sessionid'] or $_POST['sessionid']) and leaves $_COOKIE['sessionid'] untouched, so a value pasted into the URL never reaches a cookie lookup.
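The two lookups contrasted above, as an added example that is not code from the original page. It reproduces the register_globals import with array_merge() over constructed input (an emailed link carrying sessionid in the query string, and no cookie for the site), then shows the same script written against the global $sessionid and against $_COOKIE['sessionid']. The function names and the token-shape check are hypothetical.

```php
<?php
// Added example, not from the original page. Constructed input: the second
// user has no cookie for this site and opens the e-mailed link, so the
// session identifier arrives only in the query string.
$_COOKIE = [];
$_GET    = ['sessionid' => '4x5bh5H793adK'];

// With register_globals = On, PHP imported every EGPCS variable into the
// global scope in the order given by variables_order ("EGPCS" by default),
// later sources overwriting earlier ones. array_merge() in that order
// reproduces the merge; with the cookie absent, the GET value stands.
function registerGlobalsMerge(): array
{
    return array_merge($_ENV, $_GET, $_POST, $_COOKIE, $_SERVER);
}

// secretdata.php as it might have been written with register_globals = On.
// $sessionid is treated as "the cookie", but nothing records where it came
// from, so a value pasted onto the URL is accepted just the same.
function secretDataVulnerable(array $globals): string
{
    $sessionid = $globals['sessionid'] ?? null;   // GET, POST or COOKIE: unknown
    return $sessionid !== null
        ? "authenticated as session $sessionid"
        : "no session";
}

// The same script with register_globals = Off: the source is named
// explicitly, so $_GET['sessionid'] is simply never consulted.
function secretDataHardened(): string
{
    $sessionid = $_COOKIE['sessionid'] ?? null;
    // Hypothetical shape check on the token; the real rule depends on how
    // the application generates session identifiers.
    if ($sessionid === null || !preg_match('/^[A-Za-z0-9]{13}$/', $sessionid)) {
        return "no session";
    }
    return "authenticated as session $sessionid";
}

$globals = registerGlobalsMerge();
echo "register_globals=On : " . secretDataVulnerable($globals) . "\n";
echo "register_globals=Off: " . secretDataHardened() . "\n";

// The URL-supplied value still exists, but in a different superglobal from
// the one the hardened script reads.
var_dump(isset($_GET['sessionid']), isset($_COOKIE['sessionid']));
```

Run it with `php secretdata_example.php`: the merged-globals version authenticates the forwarded session, while the explicit $_COOKIE version does not, even though $_GET['sessionid'] is set in both cases.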

Although disabling register_globals is unequivocally a good idea, it isn't the only factor you should keep in mind when you secure an application. Note also that the directive was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, so on a current PHP it no longer exists; emulating it, for example with extract($_REQUEST), reintroduces exactly the problem described here.
