I know this has nothing to do with WSN Links and I'm sorry to post this here, but you guys are so good with this stuff and always so helpful...
I have written a super tiny script, just one file, which creates a copy&paste HTML code based on a few variables you put in a form. It works great for me, but it doesn't do anything on my friend's server, where register_globals are turned off, and I remember that can have an effect on forms. Are there any basic guidelines one has to follow to make this work? I looked it up at php.net, but I don't really understand most of it.
Well the proper way is to use $_REQUEST['variablename'] (which has everything reg global sets) or $_GET (just values typed in url) or $_POST (just form post values) or $_COOKIE (just cookie values). Register_globals is considered a security problem because it makes it possible for anyone to set arbitrary values for any variables which you haven't pre-defined. On the other hand I'm lazy, and didn't want to rewrite stuff 4 years ago, so I do this to artificially set the globals (and get consistency with magic quotes settings, and make it more secure for hosts with globals on):
    $magicquotes = get_magic_quotes_gpc(); // prepare to sanitize for those without magic quotes

    // stripcode() is the poster's own filtering function; it is not shown in this post
    while (list($key, $value) = each($_GET)) {
        $newvalue = stripcode($value);
        if (!$magicquotes && !is_array($_GET[$key])) $newvalue = addslashes($newvalue);
        $$key = $newvalue;       // create a global variable named after the request key
        $_GET[$key] = $newvalue; // keep the superglobal in sync with the filtered value
    }
    while (list($key, $value) = each($_POST)) {
        $newvalue = stripcode($value);
        if (!$magicquotes && !is_array($_POST[$key])) $newvalue = addslashes($newvalue);
        $$key = $newvalue;
        $_POST[$key] = $newvalue;
    }
Same can be done for cookies, though I don't globalize cookies personally.
If you're using this method to globalize input, be careful to not allow HTML/Javascript or PHP code which could end up getting displayed and thus exploited as an attack vector. That's what my stripcode function takes care of.
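An added example, not code from this thread: a one-file handler of the kind the question describes, which reads each form value explicitly from a request array instead of relying on register_globals, validates it by type, and escapes it when the HTML is built. It is written for current PHP, where each() and get_magic_quotes_gpc() no longer exist. The field names title, url and width, the helper names and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example. Field names (title, url, width) and helpers are hypothetical.

/** Read one string field from a request array; nothing becomes a global. */
function field(array $src, string $name, string $default = ''): string
{
    // Array input such as title[]=x is ignored and the default is used.
    return isset($src[$name]) && is_string($src[$name]) ? trim($src[$name]) : $default;
}

/** Build the copy-and-paste HTML from validated, escaped form values. */
function build_snippet(array $post): string
{
    $title = field($post, 'title', 'My link');
    $url   = field($post, 'url');
    $width = field($post, 'width', '100');

    // Validate by type: only http(s) URLs and a bounded integer width.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('url must be an http(s) URL');
    }
    $width = filter_var($width, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 2000]]);
    if ($width === false) {
        throw new InvalidArgumentException('width must be between 1 and 2000');
    }

    // Escape at output time, for the HTML context the value lands in.
    return sprintf('<a href="%s" style="width:%dpx">%s</a>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        $width,
        htmlspecialchars($title, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    ['title' => 'Tom & "Jerry" <b>', 'url' => 'https://example.com/?a=1&b=2', 'width' => '300'],
    ['title' => 'x', 'url' => 'javascript:void(0)', 'width' => '300'],
    ['title' => ['x'], 'url' => 'https://example.com/', 'width' => '9999'],
];
foreach ($samples as $post) {
    try {
        // Escaped a second time because the snippet is displayed as text to copy.
        echo htmlspecialchars(build_snippet($post), ENT_QUOTES, 'UTF-8'), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

In the real script the call would be build_snippet($_POST); because every variable is assigned inside the function, a request parameter cannot pre-set one of them whether register_globals is on or off.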
Comments on Question about register_globals