WebApp Sec mailing list archives
Re: PHP and "Register_Globals"
From: Adrian <adrian () planetcoding net>
Date: Sat, 29 Mar 2003 19:32:40 +0100
You should put the following code in your scripts:
___________________
// Read the value from the request explicitly; fall back to a default.
if(isset($_REQUEST['varname'])) $varname=$_REQUEST['varname'];
else $varname='default_value';
___________________
But do this only for variables which may be a user input!
Then your program is "register_globals off"-compatible and safe.

------------------------
hello,
newer php-versions have set "register_globals" to "off" by default. i programmed a huge php-project during the last year and didn't start using the global POST and GET-arrays, so if a form contains <input type=text name=age> I use $age in my scripts.
I soon realized the security issues, and wrote my own validation-functions, ... to handle all the XSS and SQL-injection problems.
my question is now: my app is 'safe', but what do I do if my future webhost has register_globals to 'off'?
would it be possible to write a script that registers the whole POST-array as single variables? simply as it used to be in 'older' PHP-versions?
any ideas welcome :)
regards,
Ulrich
------------------------
--
Adrian
mailto:adrian () planetcoding net
mailto:thiefmaster () woltlab de
www: http://www.planetcoding.net
www: http://webskyline.planetcoding.net
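
Added example, not part of Adrian's message or of the thread: the per-variable pattern from the reply, generalized to an allowlist so that only named inputs are read from the request, each with a default and a validator. The function name import_request_vars, the $spec layout, the validation rules and the sample input are assumptions made for illustration; it needs PHP 7.4 or later.

```php
<?php
// Added example; import_request_vars() and $spec are hypothetical names.

/**
 * Read only the keys listed in $spec from $request.
 * Each entry is [default, validator]. Keys that are missing, are not
 * plain strings, or fail validation fall back to the default.
 * Returns an array and creates no globals, so a request key that is
 * not in $spec can never become a variable in the script.
 */
function import_request_vars(array $request, array $spec): array
{
    $out = [];
    foreach ($spec as $name => [$default, $validator]) {
        $value = $request[$name] ?? null;
        // is_string() rejects array input such as age[]=1.
        if (is_string($value) && $validator($value)) {
            $out[$name] = $value;
        } else {
            $out[$name] = $default;
        }
    }
    return $out;
}

// Allowlist of expected inputs (validation rules are assumptions).
$spec = [
    'age'  => ['0', fn(string $v): bool => ctype_digit($v) && (int)$v <= 150],
    'name' => ['',  fn(string $v): bool => strlen($v) <= 64],
];

// Constructed sample standing in for $_REQUEST; 'is_admin' is not in $spec.
$sample = ['age' => '42', 'name' => 'Ulrich', 'is_admin' => '1'];

$is_admin = false; // internal state, set by the script only
$vars = import_request_vars($sample, $spec);

// Explicit destructuring gives the single variables the old code used,
// without importing anything the script did not ask for.
['age' => $age, 'name' => $name] = $vars;

printf("age=%s name=%s is_admin=%s imported_keys=%s\n",
    $age, $name, var_export($is_admin, true), implode(',', array_keys($vars)));
```

Validated values still need output escaping and parameterized queries at the point of use; the allowlist only controls which request keys reach the script.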