register_globals - script security
Tuesday, July 31, 2007 8:53:10 AM
The register_globals setting controls how you access form, server, and
environment variables. PHP 4.1.0 introduced the superglobal arrays
($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV and so on) as the recommended
way to reach these values, and since PHP 4.2.0 register_globals is Off
by default, so you must use those arrays. Those familiar with older
versions of PHP will be used to an environment in which register_globals
is effectively On; with this setting, PHP also creates an ordinary
variable for every form, server and environment value before your script
runs, so you can access each one simply by name.
Note: The default was changed because when register_globals is On, any
request parameter can overwrite a variable the script expected to set
itself (the classic case is an $authorized flag that is assigned only
after a successful login and never initialized; a client simply adds
authorized=1 to the request), which makes PHP scripts far more
vulnerable to attack. Some older PHP applications will require this
setting to be On, but it is safer to write new scripts with the
assumption that register_globals will be Off, and to initialize every
variable before use so that the script behaves the same either way.
To retrieve the value of <input name="formVariable"> from a form
submitted with the POST method, use the following syntax:
PHP code when register_globals = On
$myNewVariable = $formVariable;
PHP code when register_globals = Off
$myNewVariable = $_POST['formVariable'];
Note that $_POST['formVariable'] does not exist when the field was not
submitted, so test it with isset() before using it; the matching arrays
for the other sources are $_GET, $_COOKIE, $_SERVER and $_ENV.
For more information about this topic, please see the Security: New
Input Mechanism heading of the PHP 4.1.0 Release Announcement.
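The login-flag problem described above, written out as an added example (this is not code from the original page). check_password(), the form fields "user" and "pass", and the "authorized" parameter are assumptions for illustration; extract() over the request array is used to stand in for what register_globals = On does automatically.

```php
<?php
// Added example, not code from the original page. check_password() and the
// form fields "user", "pass" and "authorized" are assumptions for illustration.

function check_password($user, $pass)
{
    // Stand-in for a real credential check (hypothetical).
    return $user === 'alice' && $pass === 'correct horse';
}

// Vulnerable pattern. With register_globals = On, PHP creates $user, $pass
// and every other request parameter as variables before the script runs.
// extract() over the request array reproduces that behaviour exactly, which
// is why calling extract($_REQUEST) brings the same bug back even on a
// server where register_globals is Off.
function insecure_login(array $request)
{
    extract($request);                        // $user, $pass, ... by name
    if (isset($user, $pass) && check_password($user, $pass)) {
        $authorized = true;                   // only ever set, never initialized
    }
    return !empty($authorized);               // a request carrying authorized=1 passes
}

// Hardened pattern: read only the superglobal you expect, test with isset()
// because a missing field is unset rather than an empty string, and
// initialize the flag so the client cannot supply it.
function secure_login(array $post)
{
    $authorized = false;
    $user = isset($post['user']) ? (string) $post['user'] : '';
    $pass = isset($post['pass']) ? (string) $post['pass'] : '';
    if ($user !== '' && $pass !== '' && check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: one forged (no credentials, but an "authorized"
// parameter) and one genuine. A real script would pass $_REQUEST or $_POST.
$forged = array('authorized' => '1');
$real   = array('user' => 'alice', 'pass' => 'correct horse');

var_dump(insecure_login($forged), secure_login($forged));
var_dump(insecure_login($real),   secure_login($real));

// Detect the dangerous setting at runtime and leave a warning in the
// server log rather than silently relying on it.
if (ini_get('register_globals')) {
    trigger_error('register_globals is On; set it to Off in php.ini', E_USER_WARNING);
}
```

Run from the command line, the forged request is accepted by insecure_login() and rejected by secure_login(), while the genuine login succeeds in both. The point of the hardened version is not the superglobal alone: reading $_POST but still leaving $authorized uninitialized would be safe only as long as nobody calls extract() on request data elsewhere in the script.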
upload_tmp_dir
This setting controls the temporary location of files uploaded with an
HTML form. If you don't specify a path for this setting, uploaded files
are temporarily stored in the system temporary directory (typically
/tmp), which every user of a shared server can see. To keep other users
from reading or tampering with uploaded files while they wait for your
script to process them, create a private directory in your account and
specify the new path in your php.ini file:
upload_tmp_dir = /hwxx/daxx/uwnetid/tmp
Replace /hwxx/daxx/uwnetid with the path to your Web directory. Make
sure that you have a directory called tmp in the root of your Web
directory (typically public_html) and make sure it is readable and
writable by you only (mode 0700). If tmp sits inside the directory tree
the Web server serves, also make sure the server will not serve its
contents; otherwise a freshly uploaded file is reachable by URL before
your script has examined or moved it. Your script should always move an
upload out of the temporary directory with move_uploaded_file() rather
than using it in place.
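An added example of the server-side half of this setup (not code from the original page): it checks at runtime that upload_tmp_dir is set and private, then moves an upload out of that directory under a server-chosen name. It assumes an upload form field named "upload" and a hypothetical destination directory that the Web server does not serve; /hwxx/daxx/uwnetid/tmp above is the page's own placeholder path.

```php
<?php
// Added example, not code from the original page. It assumes an upload form
// field named "upload" and a hypothetical destination directory $dest that
// the Web server does not serve.

// Check the php.ini setting at runtime: the directory must be set, exist,
// be writable by the PHP process, and carry no group/other permission bits.
function check_upload_tmp_dir()
{
    $dir = ini_get('upload_tmp_dir');
    if ($dir === '' || $dir === false) {
        return 'upload_tmp_dir is not set; uploads go to the system temp directory';
    }
    if (!is_dir($dir) || !is_writable($dir)) {
        return "$dir does not exist or is not writable";
    }
    if (fileperms($dir) & 0077) {               // Unix mode bits beyond the owner's
        return "$dir is accessible to other users; chmod 0700 it";
    }
    return null;                                // setting is acceptable
}

// Move one uploaded file out of the temporary directory into $dest under a
// name we choose. Returns the new path, or false on any failure.
function store_upload($field, $dest)
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // Accept only a path PHP itself created for this request. Code that
    // trusts a tmp_name it did not verify can be pointed at any readable
    // file on the server; is_uploaded_file() closes that door.
    if (!is_uploaded_file($tmp)) {
        return false;
    }
    // Never reuse the client-supplied file name (['name']): tempnam() creates
    // a unique, owner-only (0600) file in $dest for us to overwrite.
    $target = tempnam($dest, 'upload_');
    if ($target === false || realpath(dirname($target)) !== realpath($dest)) {
        return false;                           // tempnam fell back to /tmp: $dest not writable
    }
    if (!move_uploaded_file($tmp, $target)) {
        @unlink($target);
        return false;
    }
    return $target;
}

if ($err = check_upload_tmp_dir()) {
    error_log($err);                            // server log only, nothing shown to the client
}
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $saved = store_upload('upload', '/path/to/private/uploads');   // hypothetical $dest
    echo $saved ? 'stored' : 'upload rejected';
}
```

The permission check uses Unix mode bits, so it applies to the kind of shared host the setting above is written for. Keeping the destination outside the served tree means the file is never reachable by URL; if it must be served later, copy it to a public location only after your script has validated it.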