On 01/08/2014 12:35 AM, Eric Chadbourne wrote:
> What do you mean by variables being public to the internet? Nobody
> can directly access them from what I understand. Sanitize in and out
> you should be fine no?

I don't remember the details, and I only just glanced at php, a long time ago. Googling about a bit I think it might have been something like the problem described here http://www.dagondesign.com/articles/writing-secure-php-scripts-part-1/

> Securing your variables
>
> In most versions of PHP, you can access the value of a variable before
> it is initialized. Consider this simple example:
>
>     if ($password == $the_password) {
>         $logged_in = 1;
>     }
>     if ($logged_in == 1) {
>         // secure stuff
>     }
>
> All a visitor has to do is add *?logged_in=1* to the end of the URL
> and they will have access. While this may seem obvious, it is an
> extremely common problem with PHP scripts.
>
> The best way to prevent this is to always make sure variables are
> declared before they are used. For this example, you can just add the
> following line at the top of the file:
>
>     $logged_in = 0;
>
> Now the variable cannot be reset by a user since it is being declared
> before use.

In other words, the easiest way to use a variable in php is to just start using it, no declaration required, and as far as php is concerned, whether you initialize it is up to you. But from a security perspective the two cases are very different. This might have changed since then, too.

I might have had other gripes, but it is possible I saw this and said: what a dangerous language and moved on.

-kb
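The behaviour the quoted article describes comes from PHP's old register_globals setting, which turned every request parameter into a global variable; it was removed in PHP 5.4. The following is an added example, not code from the thread or from the dagondesign article: it reproduces the effect on a modern PHP 7+ interpreter with extract() over a constructed request array, and puts the uninitialised check beside the hardened one. THE_PASSWORD, vulnerable_login() and hardened_login() are names chosen for this example.

```php
<?php
// Added example. register_globals is simulated with extract() over a
// constructed request array so the behaviour can be reproduced on PHP 7+.
// Real register_globals was removed in PHP 5.4.

const THE_PASSWORD = 'correct horse';   // constructed sample secret

// Pattern from the quoted article: $logged_in is never initialised, so a
// request parameter of the same name seeds it before the check runs.
function vulnerable_login(array $request): bool
{
    extract($request);                        // stand-in for register_globals=On
    if (($password ?? '') === THE_PASSWORD) {
        $logged_in = 1;
    }
    return isset($logged_in) && $logged_in == 1;
}

// Hardened form: initialise before use (the article's advice) and read input
// only from an explicit source, never from ambient globals.
function hardened_login(array $request): bool
{
    $logged_in = 0;
    $password  = (string) ($request['password'] ?? '');
    if (hash_equals(THE_PASSWORD, $password)) {   // constant-time comparison
        $logged_in = 1;
    }
    return $logged_in === 1;
}

// Constructed requests: one forged (the ?logged_in=1 case), one legitimate.
$forged = ['logged_in' => '1'];
$honest = ['password' => 'correct horse'];

printf("vulnerable, forged request : %s\n", var_export(vulnerable_login($forged), true));
printf("hardened,   forged request : %s\n", var_export(hardened_login($forged), true));
printf("hardened,   honest request : %s\n", var_export(hardened_login($honest), true));
```

Run it with `php example.php`; the forged request is only accepted by the version that leaves `$logged_in` uninitialised.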