<HTML ><HEAD ><TITLE >Using Register Globals</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="PHP Manual" HREF="index.html"><LINK REL="UP" TITLE="Security" HREF="security.html"><LINK REL="PREVIOUS" TITLE="Error Reporting" HREF="security.errors.html"><LINK REL="NEXT" TITLE="User Submitted Data" HREF="security.variables.html"><META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=ISO-8859-1"></HEAD >
<BODY CLASS="sect1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" >
<DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >PHP Manual</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="security.errors.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 5. Security</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="security.variables.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV >
<DIV CLASS="sect1" ><H1 CLASS="sect1" ><A NAME="security.registerglobals" ></A >Using Register Globals</H1 >
<P >One feature of PHP that can be used to enhance security is configuring PHP with <A HREF="configuration.directives.html#ini.register-globals" >register_globals</A > = off. By turning off the ability for any user-submitted variable to be injected into PHP code, you reduce the amount of variable poisoning a potential attacker can inflict. They will have to take the additional time to forge submissions, and your internal variables are effectively isolated from user-submitted data.</P >
<P >While it does slightly increase the amount of effort required to work with PHP, it has been argued that the benefits far outweigh the effort.
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" CLASS="EXAMPLE" ><TR ><TD ><DIV CLASS="example" ><A NAME="AEN3066" ></A ><P ><B >Example 5-14. Working with register_globals=on</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" CELLPADDING="5" ><TR ><TD ><PRE CLASS="php" ><?php
if ($username) { // can be forged by a user in get/post/cookies
    $good_login = 1;
}

if ($good_login == 1) { // can be forged by a user in get/post/cookies,
    fpassthru ("/highly/sensitive/data/index.html");
}
?></PRE ></TD ></TR ></TABLE ></DIV ></TD ></TR ></TABLE >
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" CLASS="EXAMPLE" ><TR ><TD ><DIV CLASS="example" ><A NAME="AEN3069" ></A ><P ><B >Example 5-15. Working with register_globals = off</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" CELLPADDING="5" ><TR ><TD ><PRE CLASS="php" ><?php
// empty() avoids an undefined-index notice when no cookie was sent
if (!empty($_COOKIE['username'])) { // can only come from a cookie, forged or otherwise
    $good_login = 1;
    fpassthru ("/highly/sensitive/data/index.html");
}
?></PRE ></TD ></TR ></TABLE ></DIV ></TD ></TR ></TABLE >
Used carefully, this also makes it possible to take preventative measures and warn when forging is being attempted. If you know ahead of time exactly where a variable should be coming from, you can check whether the submitted data arrived through an inappropriate kind of submission. While this does not guarantee that the data has not been forged, it does require an attacker to guess the right kind of forging.
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" CLASS="EXAMPLE" ><TR ><TD ><DIV CLASS="example" ><A NAME="AEN3072" ></A ><P ><B >Example 5-16. Detecting simple variable poisoning</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" CELLPADDING="5" ><TR ><TD ><PRE CLASS="php" ><?php
// The user name is expected only as a cookie; the same name arriving
// via POST or GET is treated as a poisoning attempt.
if (!empty($_COOKIE['username']) &&
    empty($_POST['username']) &&
    empty($_GET['username'])) {
    // Perform other checks to validate the user name...
    $good_login = 1;
    fpassthru ("/highly/sensitive/data/index.html");
} else {
    mail("admin@example.com", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']);
    echo "Security violation, admin has been alerted.";
    exit;
}
?></PRE ></TD ></TR ></TABLE ></DIV ></TD ></TR ></TABLE >
Of course, simply turning off register_globals does not make code secure. Every piece of submitted data must still be validated in other ways.</P ></DIV ></BODY ></HTML >
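The source check of Example 5-16, generalised into a reusable function as an added example (this is not code from the PHP manual): it reports which request channels carry a given parameter name and accepts the value only when it arrives through the single channel the script expects, logging anything else instead of trusting it. The function names, the explicit `$sources` arrays standing in for `$_GET`, `$_POST` and `$_COOKIE`, and the sample requests are assumptions constructed for the illustration.

```php
<?php
// Added example: accept a parameter only from the channel the script expects,
// generalising the hand-written cookie/GET/POST check of Example 5-16.
// The request arrays are passed in explicitly so the logic runs offline;
// in a real script they would be $_GET, $_POST and $_COOKIE.

// Return the channels in which $name is present as a non-empty string.
// Array-valued parameters (username[]=x) are deliberately not counted.
function channels_carrying(string $name, array $sources): array
{
    $found = [];
    foreach ($sources as $channel => $data) {
        if (isset($data[$name]) && is_string($data[$name]) && $data[$name] !== '') {
            $found[] = $channel;
        }
    }
    return $found;
}

// Return the value of $name if it arrives via $expected and nowhere else;
// otherwise log the mismatch and return null so the caller falls through
// to its failure path (as Example 5-16 does with mail() and exit).
function expect_from_channel(string $name, string $expected, array $sources): ?string
{
    $found = channels_carrying($name, $sources);
    if ($found !== [$expected]) {
        error_log(sprintf('possible variable poisoning: %s seen in [%s], expected only %s',
                          $name, implode(',', $found), $expected));
        return null;
    }
    return $sources[$expected][$name];
}

// Constructed sample requests (not real traffic), keyed like the superglobals.
$requests = [
    'legit'  => ['GET' => [], 'POST' => [], 'COOKIE' => ['username' => 'alice']],
    'forged' => ['GET' => ['username' => 'admin'], 'POST' => [], 'COOKIE' => []],
    'mixed'  => ['GET' => ['username' => 'admin'], 'POST' => [], 'COOKIE' => ['username' => 'alice']],
];

foreach ($requests as $label => $sources) {
    $user = expect_from_channel('username', 'COOKIE', $sources);
    printf("%-6s -> %s\n", $label, $user === null ? 'rejected' : "accepted as $user");
}
```

Only the `legit` request is accepted; `forged` and `mixed` are rejected and logged, which is the behaviour Example 5-16 obtains with its explicit `else` branch.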