register_globals. This configuration setting defaults to off in PHP 4.2.0 and later (and was removed entirely in PHP 5.4). Access values from URLs, forms, and cookies through the superglobal arrays $_GET, $_POST, and $_COOKIE.

Before you use values from the superglobal arrays, validate them to make sure they don’t contain unexpected input. If you know what type of value you are expecting, make sure what you’ve got conforms to that format. For example, if you’re expecting a US ZIP Code, make sure the value is either five digits, or five digits, a hyphen, and four more digits (ZIP+4). Often, regular expressions are the easiest way to validate data:
// Accept only "12345" or "12345-6789"; anything else stops the request.
// isset() avoids a notice when the parameter is absent, and the D modifier
// stops $ from also matching before a trailing newline ("12345\n").
if (isset($_GET['zip']) && preg_match('/^\d{5}(-\d{4})?$/D',$_GET['zip'])) {
    $zip = $_GET['zip'];
} else {
    die('Invalid ZIP Code format.');
}
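The same idea generalised to several parameters at once, added here as an example (it is not the recipe's own code): a table of anchored patterns, one per expected parameter, applied by a small whitelist function. The names PARAM_RULES and validate_params(), the patterns, and the sample request array that stands in for $_GET are all assumptions made for this illustration; it needs PHP 7.1 or later.

```php
<?php
// Added example, not the recipe's code: a whitelist validator for several
// request parameters, run over a constructed array that stands in for $_GET
// so it works offline.

// One anchored pattern per expected parameter. \A and \z are used rather
// than ^ and $ because in PCRE $ also matches just before a trailing
// newline, so "12345\n" would satisfy /^\d{5}$/ (the D modifier is the
// other way to close that gap).
const PARAM_RULES = [
    'zip'   => '/\A\d{5}(-\d{4})?\z/',          // US ZIP or ZIP+4
    'id'    => '/\A[1-9]\d{0,17}\z/',            // positive integer, no leading zeros
    'email' => '/\A[^@\s]+@[^@\s]+\.[^@\s]+\z/', // coarse shape check only
];

/**
 * Return only the parameters that are present, are strings, and match
 * their pattern. Everything else is reported in $errors and left out.
 * A key can arrive as an array (?zip[]=1), so the is_string check matters:
 * preg_match() will not accept an array subject.
 */
function validate_params(array $input, array $rules, array &$errors): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $name => $pattern) {
        if (!array_key_exists($name, $input)) {
            $errors[$name] = 'missing';
        } elseif (!is_string($input[$name])) {
            $errors[$name] = 'not a string';
        } elseif (!preg_match($pattern, $input[$name])) {
            $errors[$name] = 'bad format';
        } else {
            $clean[$name] = $input[$name];
        }
    }
    return $clean;
}

// Constructed sample request: a newline-padded ZIP that the ^...$ form
// would have accepted, an id submitted as an array, and a plausible email.
$sample_get = [
    'zip'   => "12345\n",
    'id'    => ['1'],
    'email' => 'user@example.com',
];

$errors = [];
$clean  = validate_params($sample_get, PARAM_RULES, $errors);
print_r($clean);   // accepted parameters
print_r($errors);  // per-parameter reason for rejection

// In a real handler:
// $clean = validate_params($_GET, PARAM_RULES, $errors);
// if ($errors) { http_response_code(400); exit; }
```

With that sample input only email is accepted; zip is rejected because of the trailing newline and id because it arrived as an array. Keep the patterns as tight as the data allows: the email rule above only checks shape, and a parameter that is later used as a filename, a database key or an HTML attribute needs its own, stricter rule.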
If you’re expecting to receive data in a cookie or a hidden form field that you’ve previously sent to a client, make sure it hasn’t been tampered with by sending a hash of the data and a secret word along with the data. Put the hash in a hidden form field (or in the cookie) along with the data. When you receive the data and the hash, re-hash the data and make sure the new hash matches the old one:

// sending the cookie
$secret_word = 'gargamel';
$id = 123745323;
$hash = md5($secret_word.$id);
setcookie('id',$id.'-'.$hash);

// receiving and verifying the cookie
// reject a missing cookie, or one without exactly one separator, before
// list() tries to unpack it
if (!isset($_COOKIE['id']) || substr_count($_COOKIE['id'],'-') != 1) {
    die('Invalid cookie.');
}
list($cookie_id,$cookie_hash) = explode('-',$_COOKIE['id']);
// === avoids PHP's loose comparison, which treats two digests that both
// look like "0e<digits>" as equal numbers
if (md5($secret_word.$cookie_id) === $cookie_hash) {
    $id = $cookie_id;
} else {
    die('Invalid cookie.');
}
If a user has changed the ID value in the cookie, the hashes won’t match. The success of this method obviously depends on keeping $secret_word secret, so put it in a file outside the web root that can’t be read by just anybody, and change it periodically. (But remember, when you change it, old hashes that might be lying around in cookies will no longer be valid.)

Two caveats on the construction itself. First, the hash proves the value came from your server; it does not hide it, so anything in the cookie is readable by the client. Second, md5($secret_word.$id) is not a proper message authentication code: because MD5 is an iterated hash, anyone who holds one valid id/hash pair can compute a valid hash for that id followed by padding and extra bytes without knowing the secret (a length-extension attack). On top of that, comparing digests with == invokes PHP’s loose comparison, which treats two hex strings that both look like "0e<digits>" as the number zero, and a plain string comparison stops at the first differing byte, which leaks timing. hash_hmac() with a modern hash (available since PHP 5.1.2) and hash_equals() for the comparison (PHP 5.6) fix both.

See Also:
- PHP Manual: Using Register Globals
- PHP Cookbook: Recipe 9.7 (“Securing PHP’s Form Processing”), Recipe 14.3 (“Verifying Data with Hashes”)
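The cookie recipe above rewritten with hash_hmac() and hash_equals(), added here as an example that is not part of the original recipe or the PHP Cookbook. The key constant COOKIE_KEY, the functions sign_cookie_value() and verify_cookie_value(), the id format, and the sample values are assumptions for this illustration; it needs PHP 7.1 or later.

```php
<?php
// Added example (not the recipe's code): the cookie scheme above with an
// HMAC in place of md5($secret_word.$id) and a constant-time comparison.

// Assumption: in production the key is read from a file outside the web
// root or from the environment (e.g. getenv('COOKIE_KEY')); this literal
// is a stand-in so the example runs offline.
const COOKIE_KEY = 'replace-me-with-32-bytes-from-random_bytes()';

// Returns "<id>-<tag>" with tag = HMAC-SHA256(key, id) as lowercase hex.
function sign_cookie_value(string $id, string $key): string
{
    return $id . '-' . hash_hmac('sha256', $id, $key);
}

// Returns the verified id, or null when the cookie is absent, malformed,
// or carries a tag that was not produced with $key.
function verify_cookie_value(?string $cookie, string $key): ?string
{
    if ($cookie === null) {
        return null;
    }
    // Split on the last '-', so a '-' smuggled into the id cannot move the tag.
    $pos = strrpos($cookie, '-');
    if ($pos === false) {
        return null;
    }
    $id  = substr($cookie, 0, $pos);
    $tag = substr($cookie, $pos + 1);

    // Recompute and compare in constant time. hash_equals() never falls
    // back to numeric comparison and does not stop at the first mismatch.
    if (!hash_equals(hash_hmac('sha256', $id, $key), $tag)) {
        return null;
    }
    // A valid tag proves this server issued the value; the format check
    // still guards whatever code consumes $id.
    if (!preg_match('/\A[1-9]\d{0,17}\z/', $id)) {
        return null;
    }
    return $id;
}

// Offline demonstration with constructed values instead of a real $_COOKIE.
$issued   = sign_cookie_value('123745323', COOKIE_KEY);
$tampered = '999999999' . substr($issued, strpos($issued, '-')); // id swapped, tag kept

var_dump(verify_cookie_value($issued, COOKIE_KEY));       // genuine value
var_dump(verify_cookie_value($tampered, COOKIE_KEY));     // tag no longer matches
var_dump(verify_cookie_value('no-tag-here', COOKIE_KEY)); // nothing resembling a tag

// In a real handler (PHP 7.3+ setcookie() options form):
// setcookie('id', sign_cookie_value($id, COOKIE_KEY),
//           ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
// $id = verify_cookie_value($_COOKIE['id'] ?? null, COOKIE_KEY);
```

Only the genuine value verifies; the two others return null. Rotating the key still invalidates outstanding cookies, exactly as the recipe warns; if that matters, verify against a short list of current and previous keys and re-issue the cookie under the newest one.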
