
PHP Newbie Questions


flhtc


Hello,

I'm very new to PHP. I've been wanting to learn it for a while now and have finally got the chance. I've been programming for 20+ years, mostly Unix / Linux scripting (awk,sed,etc...), some basic C (mostly file manipulation), and yes even DOS's GWBASIC. All my programming experience has been in single user applications, hence the questions regarding multiple user programming.

I have looked around on this and other sites and can't find much pertaining to my particular questions. Whether that's due to not searching for the proper terms or they really aren't there, I don't know.

I've inherited an "Engineering Change Notification" (ECN) program written in PHP and HTML. It's got a little of everything. It includes over 100 PHP scripts and 15 include files. These scripts were written back in 2000 / 2001 by college students. Since these were written for what looks like PHP 4.x, global variables were turned on. I've been playing with them for a couple of weeks trying to get a feel for PHP programming and how to get them up to snuff with PHP 5. If I'm going to revise them, I'd like to do it right. I've been using the php.net manual to find out what I can, looking at the examples and gleaning as much as possible. I think I have a basic understanding, well enough to be dangerous anyway. Already I've seen a few really cool what to do's and a few things I don't think are right.

The program is set up in two sections. Non-secured and secured. The method for differentiating between the two is whether or not a session is started and if the user is logged in. The search, search results, and sub functions thereof are non-secured. Inbox, add, change, delete, etc... are secured.

I have a few questions, some referring to basic PHP methodology, some security related, and I guess some would pertain to both.

1) Once a user opens a browser to the PHP program, before a session is started. What differentiates their variables from another person's opening the same script at the same time? Could the _POST variable array overlap (for lack of terminology knowledge) with other users opening the same script? Once a session is started, is the _SESSION variable array per session? Moreover, what if anything is best to differentiate variables for multiple users? I'm sure this would answer question #2.

2) Given the fact that the two sections of the program do overlap. That is to say, you can enter a non-secured section at any time. The method for passing variables can differ. Before a session is started I'm guessing you would use _POST to pass the variables globally between scripts. Once a session is started you could use _SESSION to do the same. The question is: Should I use _POST for all variables passed globally? Or start a session right away, use _SESSION to pass variables, and depend on the logged in variable to determine access to the secured sections of the program.

3) The global statement. (The examples are kind of sketchy) This is to say that the variable is global only to the script it's running in, and can be passed to and from functions within that script, and need only to be declared inside any function that uses it?

4) Passing variables between scripts especially include files where variables used throughout the program are set. Before a session is started, would _POST or _GET be the way to go here?

5) If the same variables are used in multiple scripts... Is it necessary to include the same .inc files again and again at the top of each script? Or do I use an include_once statement in each script? I think the reason for the redundant includes is that a lot of the scripts can be called from a number of other scripts.

If you choose not to answer these questions, which I totally understand, could you at least point me to some tutorials or examples that will give me the information I need? I'll be more than happy to do the leg work, if I can find it.

Thank You,

FLHTC


I think this will answer most of your questions -

When a browser requests a page, the page is read by the server and sent out to the browser. If that page happens to use php code/data that php code is parsed and executed. When the end of the page is reached, all the resources used by that page are released. So, if a php program variable exists, it is destroyed when the code execution stops. The web server then goes on to serve up other requests. It does not know or care that it just served any page to any visitor.

Each request by a browser for the same or any other page is completely separate for any one visitor and these are completely separate from any other request for any other visitor's browser. The only thing that ties requests for the same or any other page to a visitor is information that the browser provides (cookies, session id cookie, session id on the end of the url...).

$_POST and $_GET are actually external data from the browser that is sent by a form (POST and GET) or as parameters on the end of the requested URL (GET). They are not actually used to pass program variables between pages, unless those pages are forms or you want to build links that must be clicked. Since $_POST and $_GET values are in the hands of the visitor in their browser, they can see and modify the values. For program variables that must remain out of the hands of the visitor, they must remain on the server (in session variables.)

The only way to directly share program variables between requests for the same page for any one visitor or between different pages for any one visitor is to use sessions and session variables. The only way to share data between different visitors (or between different sessions for any one visitor) is to store that information in a globally accessible location, such as a database or a flat-file.


Thanks for the reply,

Not being familiar with multi-user programming, I am concerned about what and how variables are passed from server to client. Yes this does answer a lot of my questions.

Given the fact that the data flowing between the client and server are separated from other connections, that would tell me that there would be no need to tie a session specific identifier such as the session_id() to the variables I want to use globally once a session has started, and it would be better to use session_start() at the beginning, and use session variables since the browser cannot change them. At least from a security point of view.

One more thing, if you don't mind. Since _POST and _GET are stored local to the client, is this where it is possible for the variable poisoning I've read about to occur?

Thanks Again,

FLHTC


$_POST and $_GET (and $_COOKIE/$_FILES) are sent by the browser. Any external data must be verified to make sure it contains only what you expect.

Any external data that is not verified can cause problems depending on how it is used in the program - database query, content in a forum post, headers in an email, code in a template, content in a file that was uploaded or written to a file, a string put into an eval() or shell() function, used to trigger errors that expose program and database information...

I believe your reference to variable poisoning is in relation to register globals? What this means is if you are using session variables, which you would normally expect to be safe on the server and register globals are on and the code is referencing the session variable by its registered global name $some_variable_name instead of $_SESSION['some_variable_name'], it is possible to visit a page, without visiting the page that sets that session variable first, and you can simply use a GET parameter on the end of the URL with the same name as the session variable and set that variable to any value you want in the code. For public scripts where the names of variables are known, this allowed things like making someone appear logged in or making them an administrator...

There is a good reason why register globals were turned off by default in php 4.2, sometime in 2002. They were a great blunder. The php.net recommendation at that time was that no new code should be written that depended on register globals being on. Register globals were only a lazy-way shortcut of getting the programming language to do something that the programmer should have been writing code to do himself, with disastrous results.
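
The poisoning and the input verification described in the post above, shown side by side as an added example that is not part of the original thread. register_globals no longer exists in current PHP (it was removed in 5.4), so extract() stands in for it here; the `is_admin` and `ecn_id` names and the sample request are assumptions.

```php
<?php
declare(strict_types=1);

// Emulates the behaviour described above for register_globals=On: request
// parameters and session values both end up as plain variables, so the code
// cannot tell which source a value came from.
function legacy_is_admin(array $get, array $session): bool
{
    extract($get);      // ?is_admin=1 becomes $is_admin
    extract($session);  // overwrites it only if the login page set it
    return !empty($is_admin);
}

// Hardened check: read the server-side session array by key and require the
// exact boolean the login code stores (hypothetical key name 'is_admin').
function hardened_is_admin(array $session): bool
{
    return isset($session['is_admin']) && $session['is_admin'] === true;
}

// External data is verified before use: a hypothetical ECN number must be a
// positive integer; anything else is rejected rather than passed along.
function validated_ecn_id(array $get): ?int
{
    $id = filter_var($get['ecn_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed inputs: a visitor who never logged in requests
// page.php?is_admin=1&ecn_id=42abc
$get = ['is_admin' => '1', 'ecn_id' => '42abc'];
$session = [];  // the login page never ran, so nothing is stored server-side

printf("legacy check:   %s\n", var_export(legacy_is_admin($get, $session), true));
printf("hardened check: %s\n", var_export(hardened_is_admin($session), true));
printf("ecn_id:         %s\n", var_export(validated_ecn_id($get), true));
```

When porting the inherited scripts, every bare variable that used to be filled in by register globals needs the same treatment: decide which superglobal it is supposed to come from and read it only from there.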


My two cents on your questions:

1.) As PFMaBiSmAd said, the contents of $_POST and $_GET are sent by the browser. Each request is separate, so no, there cannot be any 'overlapping' of data between users.

2.) A session, in itself, does not secure an area of your site - it is the way that you use them that does. Obviously you have a login system which sets certain session variables which you will check on all pages requiring a login. You can use other session variables to pass other variables around, regardless of whether or not the user is logged in. It's often a matter of preference as to whether or not you set a session or add a variable onto the end of your header redirects which you then retrieve from the $_GET array.

3.) Yeah, global variables are exactly how you described them - if a variable is global, then it is in scope inside and outside a function. There is a slight difference as regards to functions defined with the global keyword, and the superglobal arrays (GET,POST,SERVER,COOKIE,SESSION). To use a variable defined outside a function inside that function, you need to use the global keywords, whilst the superglobals are available inside the function without any explicit use of a global keyword.

4.) As mentioned above, yes you could use GET to pass variables rather than sessions. You mention with particular reference to including files - if you want to pass something in the URL of an included file, you must use an absolute rather than a relative path. However, often you don't actually need to pass any variables to an included file. Remember, the process of including a file acts as if you take out all the code from the included file and dump it in the file doing the including. Therefore, any variables defined in the original file are still defined within the included code.

5.) That depends on what you mean. If, for example, you have something along the lines of check_login.php which checks the login of the user (duh), then yes - you must include it in every file that requires login. If, on the other hand, we have a database connection script, which we include in file A and another file, file B - which also requires the database, but is also included in file A, then we don't need to include the database connection script within file B, so long as the database script is included before file B in file A.

I hope at least some of that makes some sense and is useful.


Thanks to both of you!

Things are a bit clearer now. I've learned more in these few posts than I have in two weeks of looking around. I believe I have what I need to get started. My first revision of the current code should at least be more secure than it was. It almost has to be. :)

Thanks again,

FLHTC
