A question from comp.lang.php:
I understand that register_globals was turned off by default as, unless you initialised it, it could be altered by a malicious coder.
What I don’t understand is how the $_POST['foo'] form is any more secure. Surely Mr Malicious Coder can still just send his own version of $_POST['foo']?
Obviously I’m missing something, I just can’t figure out what!
What you are missing is a realization that with register_globals = On, the malicious coder can initialize ANY variable, regardless of whether the script expects to receive it via CGI.
Let’s say you have something like this:
// Tons of code here...
// The script processes incoming data
// and, depending on the program flow,
// may or may not initialize the $bar
// variable.
if (isset($bar)) {
    $query = "DELETE FROM the_table WHERE bar='$bar'";
    $result = mysql_query($query);
}
// Tons of code here too...
Now let’s say that register_globals = On and the malicious coder submits:
$_REQUEST['bar'] = "' OR bar LIKE '%"
The server receives it and initializes:
$bar = "' OR bar LIKE '%"
If $bar is not changed elsewhere, the script issues the following MySQL query:
DELETE FROM the_table WHERE bar='' OR bar LIKE '%'
which deletes every record from the_table.
Granted, the above example is not good coding practice, but with register_globals = Off it is still safe (the malicious user cannot initialize $bar and therefore cannot alter the program flow), while with register_globals = On it is a security risk.
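As an added example (not code from the original post), the PHP script below emulates both register_globals settings against an in-memory SQLite table using the payload quoted above, and then shows how a script that genuinely does accept bar from the client should read and bind it. It assumes php-cli with the pdo_sqlite driver; the table contents and the request array are constructed for the demonstration.

```php
<?php
// Added example, not the original post's code. Emulates register_globals On/Off
// against an in-memory SQLite table, then shows explicit input + bound parameter.
// Assumes php-cli with pdo_sqlite; table rows and the request are constructed.

function freshTable(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE the_table (id INTEGER PRIMARY KEY, bar TEXT)");
    $db->exec("INSERT INTO the_table (bar) VALUES ('alpha'), ('beta'), ('gamma')");
    return $db;
}

function rowsLeft(PDO $db): int {
    return (int) $db->query("SELECT COUNT(*) FROM the_table")->fetchColumn();
}

// The script from the post: it never assigns $bar from client input itself.
// $registerGlobals emulates the php.ini setting by importing every request
// key into this scope, which is what register_globals did for the global scope.
function legacyScript(array $request, bool $registerGlobals): int {
    $db = freshTable();
    if ($registerGlobals) {
        extract($request, EXTR_SKIP);   // attacker-controlled $bar appears here
    }
    if (isset($bar)) {
        $query = "DELETE FROM the_table WHERE bar='$bar'";   // the post's injectable query
        $db->exec($query);
    }
    return rowsLeft($db);
}

// A script that intentionally takes 'bar' from the client: read it explicitly
// and pass it as a bound parameter so it can only ever be compared as a value.
function hardenedScript(array $request): int {
    $db = freshTable();
    $bar = $request['bar'] ?? null;
    if ($bar !== null) {
        $stmt = $db->prepare("DELETE FROM the_table WHERE bar = ?");
        $stmt->execute([$bar]);
    }
    return rowsLeft($db);
}

// Constructed request carrying the payload quoted in the post.
$attack = ['bar' => "' OR bar LIKE '%"];
printf("register_globals=On : %d rows left\n", legacyScript($attack, true));
printf("register_globals=Off: %d rows left\n", legacyScript($attack, false));
printf("explicit + prepared : %d rows left\n", hardenedScript($attack));
printf("explicit + prepared, legitimate value: %d rows left\n", hardenedScript(['bar' => 'alpha']));
```

The first call empties the table, the next two leave all three rows in place (the payload is matched as a literal string), and the last removes only the row whose bar is 'alpha'.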