[Discuss] Small website, non-technical users: Joomla, Drupal, or WordPress? (Solved)
Kent Borg
kentborg at borg.org
Wed Jan 8 10:02:14 EST 2014
On 01/08/2014 12:35 AM, Eric Chadbourne wrote:
> What do you mean by variables being public to the internet? Nobody
> can directly access them from what I understand. Sanitize in and out
> you should be fine no?
I don't remember the details, and I only just glanced at php, a long
time ago.
Googling about a bit, I think it might have been something like the
problem described here:
http://www.dagondesign.com/articles/writing-secure-php-scripts-part-1/
>
>
> Securing your variables
>
> In most versions of PHP, you can access the value of a variable before
> it is initialized. Consider this simple example:
>
> if ($password == $the_password) {
>     $logged_in = 1;
> }
> if ($logged_in == 1) {
>     // secure stuff
> }
>
> All a visitor has to do is add *?logged_in=1* to the end of the URL
> and they will have access. While this may seem obvious, it is an
> extremely common problem with PHP scripts.
>
> The best way to prevent this is to always make sure variables are
> declared before they are used. For this example, you can just add the
> following line at the top of the file:
>
> $logged_in = 0;
>
> Now the variable cannot be reset by a user since it is being declared
> before use.
>
In other words, the easiest way to use a variable in php is to just
start using it, no declaration required, and as far as php is concerned,
whether you initialize it is up to you. But from a security perspective
the two cases are very different.
This might have changed since then, too.
I might have had other gripes, but it is possible I saw this and said,
"what a dangerous language," and moved on.
-kb
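As an added example (not code from this thread or from the linked article), the quoted pattern beside a fixed version. It assumes PHP 7 or later, uses a constructed secret, and emulates the old register_globals behaviour (removed in PHP 5.4) with extract() so the failure mode can be run on a current interpreter:

```php
<?php
// Added example, not code from the thread or from the linked article.
// Assumptions: PHP 7+, a constructed secret, and register_globals
// (removed in PHP 5.4) emulated with extract() so the old failure mode
// runs on a current interpreter.
declare(strict_types=1);

const THE_PASSWORD = 'constructed-secret'; // constructed sample value

// Vulnerable: mirrors the quoted snippet. Under register_globals every
// query parameter became a plain variable, so a request carrying
// logged_in=1 defines $logged_in before the password check ever runs.
function vulnerableCheck(array $query): bool
{
    extract($query);                                  // emulates register_globals
    if (isset($password) && $password == THE_PASSWORD) {
        $logged_in = 1;
    }
    return isset($logged_in) && $logged_in == 1;      // flag may come from the request
}

// Hardened: the flag is initialised before use (the article's fix), the
// password is read explicitly from the request array rather than from
// ambient globals, and the comparison is constant-time with no type juggling.
function hardenedCheck(array $query): bool
{
    $logged_in = 0;
    $password  = (string) ($query['password'] ?? '');
    if (hash_equals(THE_PASSWORD, $password)) {
        $logged_in = 1;
    }
    return $logged_in === 1;
}

// Constructed requests: one forges only the flag, one supplies the secret.
$forged = ['logged_in' => '1'];
$legit  = ['password' => 'constructed-secret'];

var_dump(vulnerableCheck($forged));   // the forged flag survives into the check
var_dump(hardenedCheck($forged));     // the initialised flag is not request-controlled
var_dump(hardenedCheck($legit));
```

Initialising the flag closes the hole the article describes; reading request data only from the superglobals it arrived in removes the whole class of ambient-variable surprises, which is why register_globals was eventually dropped from PHP.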