Jump to content

Confused about mimicing register_globals On and destroying all globals


scanreg

Recommended Posts

In the following code,

 

// Register Globals
if (ini_get('register_globals')) {
   ini_set('session.use_cookies', 'On');
   ini_set('session.use_trans_sid', 'Off');
      
   session_set_cookie_params(0, '/');
   session_start();
   
   $globals = array($_REQUEST, $_SESSION, $_SERVER, $_FILES);

   foreach ($globals as $global) {
      foreach(array_keys($global) as $key) {
         unset($$key);
      }
   }
}

 

the above destroys all globals if register_globals is on, as I understand it.

 

However, if it does destroy all globals, can a web form continue to work?

 

How do you allow form fields and other stuff to be used in a script even if you kill all the globals up front?

 

Many thanks :)

Link to comment
Share on other sites

If register_globals are on, the posted code unsets any program (global) variables that match any of the $_REQUEST, $_SESSION, $_SERVER, $_FILES key names.

 

While that does have the affect of preventing a hacker from setting your program variables, it would also prevent your code from working correctly if there are any external variables with the same name as your program variables at the point in your code where you run the posted logic.

 

You access form variables using the correct $_GET or $_POST variable name ($_REQUEST should not be used because it is about as insecure as having register_globals on.)

 

 

Link to comment
Share on other sites

$_SESSION is not part of the register_globals, only Environment, GET, POST, Cookie, Server.  If there is a $_GET['somevar'] then register globals would extract this into the global scope and you would have $somevar.  The code you posted would unset $somevar but $_GET['somevar'] is still available.

 

This would be easier:

 

// $_REQUEST = GET, POST, COOKIE / $_FILES is a POST operation
$globals = array_keys(array_merge($_REQUEST, $_FILES, $_SERVER, $_ENV));

foreach ($globals as $key) {
   unset($$key);
}

Link to comment
Share on other sites

$_SESSION iS part of register_globals, that's why so many scripts were taken over. Hackers set the session variables saying they were logged in as the administrator to scripts, simply by putting same name get parameters on the end of URLs.

 

Register_globals were turned off by default over 8 years ago and since the code you are writting should not be using register_globals methods and/or you should not still be using any old code that is dependent on register_globals, there's no point in the code you have shown in this thread. It does not belong in any current script.

Link to comment
Share on other sites

Yeah, my bad.  It's early and has been years since I had to worry about it.

 

// after session_start()
$globals = array_keys(array_merge($_SESSION, $_REQUEST, $_FILES, $_SERVER, $_ENV));

 

So, if there is a $_SESSION['somevar'] then register globals would extract this into the global scope and you would have $somevar.  The code you posted would unset $somevar but $_SESSION['somevar'] is still available.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.