PHP variable insertionThis is a security threat that is mostly patched nowadays, but from time to time I come across servers without the patch so I guess it should be mentioned.
Back in the old days of PHP before PHP 4, it was common to pass data to PHP scripts directly as registered global variables. For example:
script.php?somevar=blahblah&anothervar=123
If your PHP server settings allow registered globals, variables somevar and anothervar will become global PHP variables $somevar (containing string "blahblah") and $anothervar (containing integer 123).
Sounds fun, since you don't need to use cumbersome $_GET['somevar'] and $_GET['anothervar'] (try to fast-type these too and you'll know what I'm talking about). But also it poses a security threat. Not by itself, of course, but by bad script design that misses to initialize variables before use, for example. If the attacker somehow finds out your variable names in your scripts (open-source, anyone?) and finds that you are using a variable without initializing it first, all he or she needs to do is to pass some value to that variable via URL as in the example above.
What does using "uninitialized" variables mean? It means you are using contents of a variable which you didn't use or set before:
PHP:
<?php if ($a==1) $somevar="thisorthat";$res= mysql_query("INSERT INTO sometable (somefield) VALUES ('{$somevar}')");?>
A beginner PHP programmer will assume that $somevar is NULL, if $a is not 1, so SQL will be valid. But a hacker will see the opportunity!
So, the most simple way to protect your scripts from such registered globals, is to turn the register_globals directive OFF. Most PHP servers nowadays have this by default, but always check your PHP.ini (where the directive is) to make sure.
If you don't have access to PHP.ini, write an empty script with one simple call to phpinfo(); That will print out server settings and you can see if register_globals is on or off.
If you can't modify your PHP.ini, you can set this directive through .htaccess, if the server settings allow you to:
php_flag register_globals off
Or, call your server administrator and demand this directive in your PHP.ini.
Speaking of phpinfo(), and as we have mentioned earlier, it is wise to set your PHP server to suppress any output of errors, except to a log file. Because, error reporting can reveal sensitive information about your webiste: script location in the server and database table structure, if SQL error is being reported. PHP4 and above, by default, does not report MySQL SQL errors, so admins write their own code to report SQL errors. Be careful where you report such errors. You don't want everyone to know your tables structure.
