[NBLUG/talk] CGI programming memory lapse
chris at eff.org
Wed Jun 7 11:43:44 PDT 2006
> Woah, that's a very bad idea. Never use register_globals. Never.

I think he was kidding, with the winky face and all.

> Think of it like this: You are putting data into MySQL and you decide
> to name your variable $query. Let's say someone tries to be smart and
> recodes your form and makes a field called "$query". They just
> injected your database.

Oh, you don't need register_globals on for SQL injection to be all too
easy. Watch the Bugtraq mailing list for, like, 20 seconds, and you will
see 20 posts about PHP apps with SQL injection vulnerabilities. Every
unvalidated input variable that later is used as part of an SQL query is
an SQL injection vector. It's part of the fun!

> There is no use for register_globals. Everything you had can now be
> accessed in a specific array: $_POST['x'] for variables from a post
> form, $_GET, $_COOKIE, and so on. It's simpler and much more secure.

I wouldn't say "more secure" so much as "at least not flamingly,
screamingly, napalmingly, howlingly, crunchingly insecure".
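The point made above, that reading input from $_GET or $_POST instead of register_globals does nothing by itself to stop SQL injection, is easy to see in a few lines. The following is an added example, not code from the NBLUG thread or from any poster: it builds the same lookup twice against an in-memory SQLite database through PDO (assumed available via the pdo_sqlite extension), once by splicing the request value into the SQL text and once as a prepared statement with a bound parameter. The table, rows and the $input string are constructed for the example.

```php
<?php
// Added example (not part of the original thread). Shows why "every
// unvalidated input variable that later is used as part of an SQL query
// is an SQL injection vector", and the parameterised form that avoids it.
// Uses an in-memory SQLite database via PDO so it runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$db->exec('CREATE TABLE users (name TEXT, secret TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// Vulnerable: the request value becomes part of the SQL text, so any SQL
// syntax inside it changes what the query means. Whether $name came from
// register_globals or from $_GET['name'] makes no difference here.
function lookupVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safer: the value is bound to a placeholder and is handed to the database
// as data, never parsed as part of the statement.
function lookupPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input, standing in for what a form field such as
// $_GET['name'] could carry. The embedded quote closes the string literal
// in the concatenated query; the rest is then interpreted as SQL.
$input = "' OR '1'='1";

echo "Concatenated query:\n";
print_r(lookupVulnerable($db, $input)); // WHERE clause became: name = '' OR '1'='1'

echo "Prepared statement:\n";
print_r(lookupPrepared($db, $input));   // looks for a user literally named "' OR '1'='1"
```

Run it with `php example.php`. The contrast is the whole lesson: the superglobals only tell you where a value came from; what keeps it from being interpreted as SQL is binding it as a parameter (or, failing that, validating it against what the field is allowed to contain before it goes anywhere near a query).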