register_global = on?

Status
Not open for further replies.

jefargrafx

What is the real security issue around turning register_globals on? The php.ini states that we should leave it set off for security.

The app I'm developing is on the other side of a corporate firewall and I was wondering what the real deal was.

Thanks
Let me know

jef
 
The real security issues have to do with the introduction of arbitrary values into un-initialized parameters.

If you refer to $id in your code and it is not set anywhere to a specific value, anyone can just append ?id=whateverIwant to the URL and the variable has that value.

It doesn't seem like a huge security hole, however, the PHP manual gives several examples that demonstrate the possible seriousness:

It is also clearer to be able to see where a parameter comes from: $id versus $_POST['id'].

The firewall would not have any impact. You want to process form data. The only place where there would be diminished concerns would be an INTRANET - as long as you trust the users.
However, it is best not to trust any user or user input.
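
The uninitialized-variable problem described in the reply above, as an added example that is not part of the original posts: because register_globals was removed in PHP 5.4, its effect is emulated here with `extract()`. The function names, the `login_ok()` stub and the sample request are assumptions made up for the illustration.

```php
<?php
// Added example. register_globals was removed in PHP 5.4, so its effect is
// emulated with extract(); login_ok() is a hypothetical stub.

function login_ok(): bool
{
    return false; // stub: this visitor has NOT logged in
}

// Behaviour with register_globals = on (emulated).
function handle_with_globals(array $query): string
{
    extract($query); // every request key becomes a variable, as the setting did

    if (login_ok()) {
        $authorized = true;
    }
    // $authorized is never initialised, so the request can supply it.
    if (!empty($authorized)) {
        return "record {$id} shown without a login";
    }
    return 'access denied';
}

// register_globals = off: state is initialised, input is read by name.
function handle_explicit(array $get): string
{
    $authorized = login_ok(); // always set by the code, never by the request

    // The source of the value is visible, and it must be a positive integer.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'bad id';
    }
    return $authorized ? "record {$id} shown" : 'access denied';
}

// Constructed sample request: ?id=42&authorized=1
$query = ['id' => '42', 'authorized' => '1'];

echo handle_with_globals($query), PHP_EOL;
echo handle_explicit($query), PHP_EOL;
```

With the same request, the first handler treats the visitor as authorized while the second denies access, which is why the setting matters on an intranet as much as on the public Internet.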
 
I do like your last line and thanks for the input.

That'll just make my case for keeping them set off even though we are on an INTRANET.

jef
 