9.7. Securing PHP’s Form Processing
Problem
You want to securely process form input variables and not allow someone to maliciously alter variables in your code.
Solution
Disable the register_globals configuration directive and access variables only from the $_REQUEST array. To be even more secure, use $_GET, $_POST, and $_COOKIE to make sure you know exactly where your variables are coming from.
To do this, make sure this line appears in your php.ini file:
register_globals = Off
As of PHP 4.2, this is the default configuration.
Discussion
When register_globals is set on, external variables, including those from forms and cookies, are imported directly into the global namespace. This is a great convenience, but it can also open up some security holes if you’re not very diligent about checking your variables and where they’re defined. Why? Because there may be a variable you use internally that isn’t supposed to be accessible from the outside but has its value rewritten without your knowledge.
Here is a simple example. You have a page in which a user enters a username and password. If she is validated, you return her user identification number and use that numerical identifier to look up and print out her personal information:
// assume magic_quotes_gpc is set to Off
$username = $dbh->quote($_GET['username']);
$password = $dbh->quote($_GET['password']);

$sth = $dbh->query("SELECT id FROM users WHERE username = $username AND password = $password");

if (1 == $sth->numRows()) {
    ...
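The overwrite described in the Discussion, next to the explicit-source form from the Solution, as an added example that is not code from the book. The request data, check_login() and both lookup functions are hypothetical, and extract() stands in for register_globals, which was removed in PHP 5.4, so the script runs on current PHP.

```php
<?php
// Constructed request: the form has only username and password fields,
// but the client also supplied a parameter named "id".
$_GET = ['username' => 'alice', 'password' => 'not-her-password', 'id' => '7'];

// Hypothetical stand-in for the users table lookup; returns the id or null.
function check_login(string $username, string $password): ?int
{
    static $users = null;
    $users ??= ['alice' => ['id' => 42, 'hash' => password_hash('s3cret-example', PASSWORD_DEFAULT)]];
    $row = $users[$username] ?? null;
    return ($row !== null && password_verify($password, $row['hash'])) ? $row['id'] : null;
}

// Pattern that is unsafe when request data lands in the script's own scope.
// extract() reproduces what register_globals = On did before the script ran.
function lookup_with_imported_vars(array $request): ?int
{
    extract($request);                    // creates $username, $password and $id
    $found = check_login($username, $password);
    if ($found !== null) {
        $id = $found;                     // $id is assigned only on success
    }
    return isset($id) ? (int) $id : null; // after a failed login, $id is request data
}

// Same logic with explicit sources and an initialised internal variable.
function lookup_explicit(array $get): ?int
{
    $id = null;                           // never inherits a value from the request
    $username = is_string($get['username'] ?? null) ? $get['username'] : '';
    $password = is_string($get['password'] ?? null) ? $get['password'] : '';
    $found = check_login($username, $password);
    if ($found !== null) {
        $id = $found;
    }
    return $id;
}

printf("imported variables: id = %s\n", var_export(lookup_with_imported_vars($_GET), true));
printf("explicit \$_GET:     id = %s\n", var_export(lookup_explicit($_GET), true));
```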