
Secure PHP Scripts

Securing your variables

In most versions of PHP you can read a variable before it has been initialized, and with register_globals enabled (covered below) a request parameter of the same name supplies its value. Consider this simple example:

if ($password == $the_password) {
    $logged_in = 1;
}
if ($logged_in == 1) {
    // secure stuff
}

All a visitor has to do is add ?logged_in=1 to the end of the URL and they will have access. While this may seem obvious, it is an extremely common problem with PHP scripts.

The best way to prevent this is to always make sure variables are declared before they are used. For this example, you can just add the following line at the top of the file:

$logged_in = 0;

Now a user cannot preset the variable: whatever value arrives in the request is overwritten by the initialization before the check runs.

Another recommendation is to enable error reporting. With error reporting set to E_ALL, your scripts will raise a notice whenever a variable is read before it is defined. While this might sound bothersome, it is quite helpful for keeping things secure, since it tells you about any variables you missed.

You can enable this for your entire server with a line in php.ini:

error_reporting = E_ALL

To enable this for a particular PHP script, just add this to the top of the file:

error_reporting(E_ALL);

If you do enable error reporting in your php.ini, but need it bypassed for a particular script, you can use this in your file:

error_reporting(0);
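As an added example (not code from the original tutorial), the following shows how E_ALL can be paired with a custom error handler so that every "use before define" notice is written to the error log rather than shown to the visitor. The handler, the `[uninitialized]` log prefix and the ini settings it applies are assumptions; the two deliberately uninitialized reads at the bottom reproduce the mistakes the article describes.

```php
<?php
// Added example, not code from the original tutorial. It turns the
// "use before define" notices that E_ALL produces into log entries, so that a
// missed initialization is found during testing rather than exploited later.
// The handler logic and the log format are assumptions.

error_reporting(E_ALL);
ini_set('display_errors', '0');   // diagnostics go to the log, never to the visitor
ini_set('log_errors', '1');

set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    // PHP 7 reports "Undefined variable: x" as E_NOTICE; PHP 8 reports
    // "Undefined variable $x" and "Undefined array key" as E_WARNING.
    $patterns = ['Undefined variable', 'Undefined index', 'Undefined array key'];
    foreach ($patterns as $p) {
        if (strncmp($errstr, $p, strlen($p)) === 0) {
            error_log(sprintf('[uninitialized] %s at %s:%d', $errstr, $errfile, $errline));
            return true;   // handled here; skip PHP's default reporter
        }
    }
    return false;          // anything else falls through to the default handling
});

// Deliberately left uninitialized: reading it triggers the handler above,
// which records the file and line that need an initialization.
if ($logged_in == 1) {
    echo "secure stuff\n";
}

// Same idea for request fields: $_GET['name'] on a request without ?name=
// is logged as an undefined index / array key instead of silently being null.
$the_name = $_GET['name'];
```

Run it from the command line or under a web server with `log_errors` pointing at a file you watch; each uninitialized read shows up as one `[uninitialized]` line with its location, which is exactly the list of variables that still need a default.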

There are two superglobals which you will be using most of the time: $_GET and $_POST. $_GET is used to retrieve variables passed in the URL, and $_POST is used to get values from HTML forms. In the past, you also had $HTTP_POST and $GET_VARS, but they are deprecated and should not be used. Here is an example:

$the_name = $_GET['name'];

Keep in mind, however, that you need to make sure the value exists in the superglobal array before you use it, or you will get a notice. Try this:

if (isset($_GET['name'])) {
    $the_name = $_GET['name'];
} else {
    $the_name = "";
}

Now that you know how to get input from the user properly, there is still the matter of someone being able to pass arbitrary variables to your script. This is easy to fix with the register_globals option of PHP.

In your php.ini file, add this line:

register_globals = Off

Or in an .htaccess file:

php_flag register_globals off

Once again, if you need to re-enable register_globals for a particular script, you can do so with an alternate .htaccess file.

With register_globals disabled, the only way you will be able to accept user input is with the superglobals. Parameters passed to the script will no longer be automatically turned into variables.
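Putting the three measures together (initialize before use, read input only through the superglobals with isset(), and never depend on register_globals), here is a worked version of the article's login check as an added example, not the tutorial's own code. The function name check_login(), the constructed request arrays, and the use of hash_equals() in place of the article's == comparison are assumptions. Note that register_globals was removed entirely in PHP 5.4, so on current PHP the configuration step is already done for you; the coding habits still apply because the same bug pattern appears with any variable that is read before it is assigned.

```php
<?php
// Added example, not code from the original tutorial: the login check from
// the article rewritten so it behaves the same whether register_globals is
// on or off. check_login(), the sample request arrays and hash_equals() are
// assumptions introduced here.
declare(strict_types=1);

error_reporting(E_ALL);

/**
 * Return true only when the submitted password matches $expected.
 * $request stands in for $_POST (or $_GET) so the function can be exercised
 * without a web server.
 */
function check_login(array $request, string $expected): bool
{
    // 1. Initialise every variable the function relies on before it is read.
    //    A stray logged_in=1 in the request can no longer pre-set it.
    $logged_in = false;

    // 2. Read input only through the (super)global array, and test with
    //    isset() so a missing field becomes an empty string, not a notice.
    $password = isset($request['password']) ? (string) $request['password'] : '';

    // 3. Compare as strings in constant time. The article's "==" would also
    //    treat numeric-looking strings such as "0e123" and "0e456" as equal.
    if ($password !== '' && hash_equals($expected, $password)) {
        $logged_in = true;
    }

    return $logged_in;
}

// Constructed sample requests standing in for $_POST / $_GET.
$secret = 'correct horse';

$requests = [
    'valid password'          => ['password' => 'correct horse'],
    'wrong password'          => ['password' => 'wrong'],
    'forged logged_in field'  => ['logged_in' => '1'],
    'empty request'           => [],
];

foreach ($requests as $label => $request) {
    printf("%-24s -> %s\n", $label, check_login($request, $secret) ? 'accepted' : 'rejected');
}
```

Only the first request is accepted; the forged `logged_in` field is ignored because the function sets its own `$logged_in` before any comparison, and the empty request produces no "Undefined index" notice because the field is tested with isset() first.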
Reference: http://www.dagondesign.com/articles/writing-secure-php-scripts-part-1/
