[請益] php<5.4.0 register_globals=On 安全措施

看板PHP作者alfadick (悟道修行者)時間14年前 (2011/07/10 19:59)推噓1(1推 0噓 10→)

留言11則, 5人參與討論串1/2 (看更多)

register_globals: PHP_INI_ALL in PHP <= 4.2.3. Deprecated in PHP 5.3.0. Removed in PHP 5.4.0. http://www.php.net/manual/en/configuration.changes.modes.php 所以在 php < 5.4.0 的版本之下，有 register_globals，但是沒辦法用 ini_set() 在執行 php 期間開/關這個東西，假設是某個虛擬主機商，提供了舊版的 php，而好死不死，他們 register_globals = On，非常危險，我也改不了php.ini 我希望能讓所有的變數，例如 $_SESSION['xxx']…都能安全使用，有什麼好方法嗎？程式碼精簡，而且漂亮的好方法。多謝 :-) -- ※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 218.167.0.148

推

mrbigmouth

07/10 21:06, , 1^F

07/10 21:06, 1^F

→

alfadick

07/10 21:32, , 2^F

07/10 21:32, 2^F

→

gname

07/10 21:49, , 3^F

07/10 21:49, 3^F

→

alfadick

07/10 23:53, , 4^F

07/10 23:53, 4^F

→

alfadick

07/10 23:54, , 5^F

07/10 23:54, 5^F

→

alfadick

07/10 23:54, , 6^F

07/10 23:54, 6^F

that is, <?php // define $authorized = true only if user is authenticated if (authenticated_user()) { $authorized = true; } // Because we didn't first initialize $authorized as false, this might be // defined through register_globals, like from GET auth.php?authorized=1 // So, anyone can be seen as authenticated! if ($authorized) { include "/highly/sensitive/data.php"; } ?> ※ 編輯: alfadick 來自: 218.167.0.148 (07/10 23:59)

→

arrack

07/11 08:08, , 7^F

07/11 08:08, 7^F

→

arrack

07/11 08:10, , 8^F

07/11 08:10, 8^F

→

eight0

07/11 14:59, , 9^F

07/11 14:59, 9^F

Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP>4.2.0. In PHP 4.2.0 and later, the default value for the PHP directive register_globals is off. This is a major change in PHP. Having register_globals off affects the set of predefined variables available in the global scope. For example, to get DOCUMENT_ROOT you'll use $_SERVER['DOCUMENT_ROOT'] instead of $DOCUMENT_ROOT, or $_GET['id'] from the URL http://www.example.com/test.php?id=3 instead of $id, or $_ENV['HOME'] instead of $HOME. For related information on this change, read the configuration entry for register_globals, the security chapter on Using Register Globals , as well as the PHP lol, 沒有人在 php<4.2.0 時 (i)買過虛擬主機或 (ii)用過國外免費 php 空間或 (iii)自己架站嗎？在那個時候，大家應該都會有我這個需求，寫這個程式吧？沒有的話，程式危險得要命阿 ※ 編輯: alfadick 來自: 218.167.0.145 (07/11 18:34)

→

arrack

07/11 22:17, , 10^F

07/11 22:17, 10^F

→

arrack

07/11 22:17, , 11^F

07/11 22:17, 11^F

‣ 返回看板[ PHP ] 程設

‣ 更多 alfadick 的文章

文章代碼(AID): #1E6PGUhv (PHP)