Securing your variables
In most versions of PHP, you can access the value of a variable before it is initialized. Consider this simple example:
if ($password == $the_password) {
    $logged_in = 1;
}
// $logged_in is never initialised, so a request parameter can supply it
if ($logged_in == 1) {
    // secure stuff
}
All a visitor has to do is add ?logged_in=1 to the end of the URL and they will have access. While this may seem obvious, it is an extremely common problem with PHP scripts.
The best way to prevent this is to always make sure variables are declared before they are used. For this example, you can just add the following line at the top of the file:
$logged_in = 0;
Now a value injected by the user is overwritten by the assignment at the top of the script, since the variable is declared before it is used.
Another recommendation is to enable error reporting. With the right setting, your scripts will generate an error if a variable is used before it is defined. While this might sound bothersome, it can be quite helpful for keeping things secure, since it will let you know of any variables you missed.
You can enable this for your entire server with a line in php.ini:
error_reporting = E_ALL
To enable this for a particular PHP script, just add this to the top of the file:
error_reporting(E_ALL);
If you do enable error reporting in your php.ini, but need it bypassed for a particular script, you can use this in your file:
error_reporting(0);
There are two superglobals you will use most of the time: $_GET and $_POST. $_GET is used to retrieve variables passed in the URL. $_POST is used to get values from HTML forms. In the past you also had $HTTP_GET_VARS and $HTTP_POST_VARS, but they are deprecated and should not be used. Here is an example:
$the_name = $_GET['name'];
Keep in mind, however, that you need to make sure the value exists in the superglobal array before you use it, or you may receive an error. Try this:
if (isset($_GET['name'])) { $the_name = $_GET['name']; } else { $the_name = ""; }
Now that you know how to get input from the user properly, there is still the matter of someone being able to pass arbitrary variables to your script. This is easy to fix with the register_globals option of PHP.
In your php.ini file, add this line:
register_globals = Off
Or in an .htaccess file:
php_flag register_globals off
Once again, if you need to re-enable register_globals for a particular script, you can do so with an alternate .htaccess file.
With register_globals disabled, the only way you will be able to accept user input is with the superglobals. Parameters passed to the script will no longer be automatically turned into variables.
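The login check from the start of the article, rewritten to follow all of the advice above (initialise before use, read input only from the superglobals, enable error reporting, and refuse to run with register_globals on). This is an added example, not code from the original article; the helper name request_string and the placeholder password are assumptions.

```php
<?php
// Added example, not from the original article. Names are hypothetical.
error_reporting(E_ALL);            // report any use of an undefined variable

// Refuse to run if register_globals is still enabled. On PHP 5.4 and later the
// directive no longer exists, ini_get() returns false and the check passes.
if (filter_var((string) ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be Off');
}

// Fetch a request value only from the intended superglobal, never from a bare
// variable; return $default when the key is absent or is not a plain string.
function request_string(array $source, string $key, string $default = ''): string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;
    }
    return $source[$key];
}

// Every state variable is initialised before any conditional touches it, so a
// stray ?logged_in=1 in the URL can never set it.
$logged_in    = 0;
$the_password = 'correct horse';   // constructed placeholder; real code checks a stored hash
$password     = request_string($_POST, 'password');

// Compare strictly; the loose == comparison used in the original snippet is avoided.
if ($password !== '' && hash_equals($the_password, $password)) {
    $logged_in = 1;
}

if ($logged_in === 1) {
    echo "secure stuff\n";
} else {
    echo "access denied\n";
}
```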
Reference http://www.dagondesign.com/articles/writing-secure-php-scripts-part-1/