Re: Not Inciting a Holy War

oh, yeah. automatic variable creation is GREAT! for those of you who aren't familiar with this, PHP's default settings cause it to look for incoming GET, POST, and COOKIE variables in a specified order and import them into the global namespace. so, if someone calls your script with foo=bar as a parameter, the variable $foo in the global namespace will be 'bar'.

however, since PHP also stores variables for system settings in this same global namespace, some of which are not always populated, it is pretty easy for a user to spoof your script by passing in variables with the correct names.

for example, when a script is running under an SSL server, the environment variable HTTPS is set to 'ON'. however, in other circustances, it is not set at all. so, if you have a custom PHP function that you want to behave differently based on whether it is called by a script under an SSL web server or not, you can't just check the value of HTTPS because it may have been passed in by the end user with HTTPS=ON. to get around this, you either have to disable the automatic variable creation by unsetting your GPC_ORDER (which is a very kludgy thing to do on a per script basis), or check to make sure that HTTPS=ON isn't in HTTP_GET_VARS, HTTP_POST_VARS, or HTTP_COOKIE_VARS, thereby eliminating the value the namespace munging had in the first place. that is just idiotic, IMHO.

i myself use PHP fairly often, so i don't by any means think it is horrible, but it definitely fails in a number of areas where Perl shines (and vice versa, occasionally).

Comment on Re: Not Inciting a Holy War

Replies are listed 'Best First'.
RE: Re: Not Inciting a Holy War by SuperCruncher (Pilgrim) on Jun 18, 2000 at 14:42 UTC
however, since PHP also stores variables for system settings in this same global namespace, some of which are not always populated, it is pretty easy for a user to spoof your script by passing in variables with the correct names. I wondered about this a few months ago, it seems like a pretty insecure system if you ask me. Wouldn't it also be possible for someone to use serious memory on the box by making a request like: foo.php?foo=bar&baz=foo&bar=foo&morefoo=foo etc. I suppose it wouldn't be so much of a problem with GET, as surely it is limited by the size of an environment variable (at least on UNIX that is). What about POST though? IMHO PHP may be ok for web/CGI-type apps, but you can't make a nice runnable "normal" program with it, can you? Therefore I would imagine that learning Perl is a better use of your time.	[reply]
RE: RE: Re: Not Inciting a Holy War by le (Friar) on Jun 18, 2000 at 15:13 UTC
IMHO PHP may be ok for web/CGI-type apps, but you can't make a nice runnable "normal" program with it, can you? Therefore I would imagine that learning Perl is a better use of your time. Completely acknowledged. There is a standalone version of PHP, but I don't see any use for it if you can have Perl. Perl is a much more mature language.	[reply]
exploitable probs. by mcwee (Pilgrim) on Jun 18, 2000 at 19:33 UTC
IIRC, a year or two back, this very problem in PHP was bandied about quite a bit in 2600 Magazine. Although most of the h@xor kiddies had some pretty funny ideas about what PHP actually was (there was a popular notion, again IIRC, that it was some sort of throwback automated phonebook or address book application-- I think this was entirely based on the fact the PHP and phone both start with PH) folks were pretty knowledgable in how to exploit it, even if they weren't clear what they were exploiting. Just food for though, I guess. The Autonomic Pilot; it's FunkyTown, babe.	[reply]