if (check_password($password))
    $password_is_ok = 1;
The intent here is that if the password matches, the script sets $password_is_ok to 1.
Otherwise, it leaves $password_is_ok unset (which compares false in Boolean expressions). But suppose that someone invokes your script as follows:
http://your.host.com/chkpass.php?password_is_ok=1
If register_globals is enabled, PHP sees that the password_is_ok parameter is set to
1 and sets the corresponding $password_is_ok variable to 1 before your code runs. The result is that when
your script executes, $password_is_ok is 1 no matter what password was given, or even
if no password was given! Thus, register_globals enables outside users to supply
default values for global variables in your scripts. The best solution is to disable register_globals and read input parameter values only from the superglobal arrays ($_GET, $_POST), which PHP never merges with your script's own variables.
If you cannot disable register_globals, take care not to assume that PHP variables
have no value initially. Unless you expect a global variable to be set from an input parameter, initialize it explicitly to a known value. The password-checking code should
be written as follows to make sure that only $password (and not $password_is_ok) can
be set from an input parameter. That way, $password_is_ok is assigned a value by the
script itself whatever the result of the test:
$password_is_ok = 0;
if (check_password($password))
    $password_is_ok = 1;
Another complicating factor when retrieving input parameters in PHP is that they may
need some decoding, depending on the value of the magic_quotes_gpc configuration
setting (if present; like register_globals, magic_quotes_gpc is deprecated in PHP
5.3 and removed in 5.4). If magic quotes are enabled, every single quote, double quote, backslash, and NUL
character in the GET, POST, and cookie values your scripts read is escaped with a backslash, the same transformation addslashes() performs. I suppose that the intent is to save you a step by permitting you to extract values
and use them directly in SQL statement strings. However, that's only useful if you plan
to use web input in a statement with no preprocessing or validity checking, which is
dangerous, and even then backslash escaping is not a dependable defense against SQL injection, because it knows nothing about the connection's character set; placeholders or the driver's own escaping function are the right tool regardless. You should check your input first, in which case it's necessary to strip out
the slashes anyway. This means that having magic quotes turned on isn't really very
useful.
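The following is an added example of the kind of extraction code this discussion calls for; it is written for this page and is not the book's get_param_val(), whose body is not reproduced here. It pairs the explicit $password_is_ok = 0 initialization from the register_globals fix above with a parameter fetcher that reads only the superglobals and undoes magic_quotes_gpc escaping when that setting is on. fetch_param(), undo_magic_quotes(), and magic_quotes_were_applied() are names chosen here; check_password() is a constructed stand-in; the argv-to-$_GET shim exists only so the file can be exercised from the command line.

```php
<?php
// Added example (editor's own code, not the book's get_param_val()): fetch a
// request parameter from the superglobals only, and undo magic_quotes_gpc
// escaping if that setting is on, so the script behaves the same regardless
// of what php.ini says.

// True only on a PHP old enough to have magic quotes and to have them on.
// get_magic_quotes_gpc() always returns 0 from PHP 5.4 on and is gone in 8.0,
// hence the function_exists() guard.
function magic_quotes_were_applied()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Reverse addslashes()-style escaping, descending into array parameters
// such as name[]=a&name[]=b, which magic quotes escaped element by element.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Return the value of $name from the first listed superglobal that has it,
// or null if none does. Reading only these arrays keeps request input apart
// from the script's own variables; together with explicit initialization
// (below) it makes ?password_is_ok=1 harmless even under register_globals.
// An extract($_REQUEST) call in newer code recreates the same problem, so
// avoid that as well.
function fetch_param($name, $sources = array('_POST', '_GET'))
{
    foreach ($sources as $src) {
        if (isset($GLOBALS[$src]) && array_key_exists($name, $GLOBALS[$src])) {
            $val = $GLOBALS[$src][$name];
            return magic_quotes_were_applied() ? undo_magic_quotes($val) : $val;
        }
    }
    return null;
}

// Stand-in for the page's check_password(), constructed so this file runs on
// its own (PHP 5.5 or later). A real script would load the hash from the
// database rather than compute it on every request.
function check_password($password)
{
    $stored_hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return password_verify($password, $stored_hash);
}

// Command-line shim (hypothetical, for demonstration only): let the first
// argument stand in for the query string, e.g.
//   php chkpass.php 'password=correct%20horse%20battery%20staple&password_is_ok=1'
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    parse_str($argv[1], $_GET);
}

// The password check from the text, with an explicit default so the result
// is always set by this script and never by the request.
$password_is_ok = 0;
$password = fetch_param('password');
if ($password !== null && check_password($password)) {
    $password_is_ok = 1;
}
echo $password_is_ok ? "password accepted\n" : "password rejected\n";
```

Run it twice from the shell: once with the correct password and the bogus password_is_ok=1 tacked on (accepted, because of the password and only the password), and once with password_is_ok=1 alone (rejected, since nothing in the request can reach $password_is_ok).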
Given the various sources through which input parameters may be available, and the
fact that they may or may not contain extra backslashes, extracting input in PHP scripts
can be an interesting problem. If you have control of your server and can set the values
of the various configuration settings, you can of course write your scripts based on those
settings. But if you do not control your server or are writing scripts that need to run on
several machines, you may not know in advance what the settings are. Fortunately, it's
possible to write reasonably general-purpose parameter-extraction code that works
correctly with few assumptions about your PHP operating environment. The following
utility function, get_param_val() , takes a parameter name as its argument and returns