Using Register Globals

One feature of PHP that can be used to enhance security is configuring PHP with register_globals = off. By turning off the ability for any user-submitted variable to be injected into PHP code, you can restrict the amount of variable poisoning a potential attacker may inflict.

While it does slightly increase the amount of effort required to work with PHP, it has been argued that the benefits far outweigh the effort.

Example 4-8. Working without register_globals=off


<?php
if ($username) {  // can be forged by a user in get/post/cookies
    $good_login = 1; 
}

if ($good_login == 1) { // can be forged by a user in get/post/cookies,
    fpassthru ("/highly/sensitive/data/index.html");
}
?>
     

Example 4-9. Working with register_globals = off


<?php
if($HTTP_COOKIE_VARS["username"]){  // can only come from a cookie
    $good_login = 1; // cannot be forged by a user
    fpassthru ("/highly/sensitive/data/index.html");
}
?>
     
By using this wisely, it's even possible to take preventative measures to warn when forging is being attempted. If you know ahead of time exactly where a variable should be coming from, you can check to see if submitted data is inappropriate.

Example 4-10. Detecting variable poisoning


<?php
if ($HTTP_COOKIE_VARS["username"] &&
    !$HTTP_POST_VARS["username"] &&
    !$HTTP_GET_VARS["username"] ) { 
    $good_login = 1;
    fpassthru ("/highly/sensitive/data/index.html");
} else {
   mail("admin@example.com", "Possible breakin attempt", "$REMOTE_IP_ADDR");
   echo "Security violation, admin has been alerted.";
   exit;
}
?>