
PHP constants and variables can be insecure if they are not used properly. The example code below demonstrates how a script may be compromised when the register_globals directive is turned on. The example was taken from security.globals.php:

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
Source: http://pageconfig.com/post/insecure-php-constants-and-variables
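
The same pattern beside a hardened form, as an added example that is not part of the original post or the PHP manual. Because register_globals was removed in PHP 5.4, the example assumes `extract()` as a stand-in for the directive's behaviour; `authenticated_user()` is a stub, and `vulnerable_check()`, `hardened_check()` and the sample request are hypothetical names and constructed data.

```php
<?php
// Stub for the page's authenticated_user(): the visitor is NOT logged in.
function authenticated_user(): bool
{
    return false;
}

// Pattern from the page: $authorized is only ever assigned true, never false.
function vulnerable_check(array $request): bool
{
    // Stand-in for register_globals = On: request parameters become
    // variables in the current scope before any script logic runs.
    extract($request);

    if (authenticated_user()) {
        $authorized = true;
    }

    // A request-supplied $authorized is still set here and is trusted.
    return !empty($authorized);
}

// Hardened form: the flag is always assigned from the authentication result,
// so whatever was imported into scope is overwritten before it is read.
function hardened_check(array $request): bool
{
    extract($request); // same hostile starting condition as above

    $authorized = false;
    if (authenticated_user()) {
        $authorized = true;
    }

    return $authorized === true; // strict comparison, no type juggling
}

// Constructed request mirroring the page's "GET auth.php?authorized=1".
$request = ['authorized' => '1'];

var_dump(vulnerable_check($request));
var_dump(hardened_check($request));

// Deployment check: on PHP versions that still have the directive,
// ini_get() returns its value; on 5.4 and later it returns false.
var_dump(ini_get('register_globals'));
```

The two checks differ only in whether `$authorized` is initialised before it is read; the vulnerable form grants access to the unauthenticated request, the hardened one does not.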
 
