Example 15-16. Detecting simple variable poisoning
<?php
if (isset($_COOKIE['MAGIC_COOKIE'])) {
    // MAGIC_COOKIE comes from a cookie, the channel we expect.
    // Be sure to validate the cookie data!
} elseif (isset($_GET['MAGIC_COOKIE']) || isset($_POST['MAGIC_COOKIE'])) {
    // The cookie-only name arrived in the query string or form body:
    // someone is trying to set the variable from the wrong channel.
    // Alert the admin with the requester's address and stop processing.
    mail("admin@example.com", "Possible break-in attempt", $_SERVER['REMOTE_ADDR']);
    echo "Security violation, admin has been alerted.";
    exit;
} else {
    // MAGIC_COOKIE isn't set through this REQUEST
}
?>
Of course, simply turning off register_globals does not
mean your code is secure. Every piece of submitted data
should also be checked in other ways. Always validate your
user data and initialize your variables! To check for
uninitialized variables, you may turn up error_reporting()
to show E_NOTICE level errors.
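The check in Example 15-16, generalised into a reusable helper that also reports why a value was rejected and combines the origin check with the validation and variable initialization the text asks for. This is added example code, not from the PHP manual; cookie_only(), is_token() and the constructed request arrays are assumptions, standing in for $_COOKIE, $_GET and $_POST so the script runs from the CLI on PHP 7 or later.

```php
<?php
// Added example, not part of the PHP manual. The arrays passed in stand in
// for $_COOKIE, $_GET and $_POST so the script runs offline with constructed input.
declare(strict_types=1);

/**
 * Read a value that must arrive only as a cookie, and validate it.
 * Returns ['status' => ..., 'value' => ...] where status is one of
 * 'ok', 'missing', 'wrong_channel' or 'invalid'.
 */
function cookie_only(string $name, array $cookie, array $get, array $post, callable $validate): array
{
    // Poisoning attempt: a cookie-only name shows up in the query string or form body.
    if (isset($get[$name]) || isset($post[$name])) {
        return ['status' => 'wrong_channel', 'value' => null];
    }
    if (!isset($cookie[$name])) {
        return ['status' => 'missing', 'value' => null];
    }
    // Never trust the cookie contents either: validate the format before use.
    if (!$validate((string) $cookie[$name])) {
        return ['status' => 'invalid', 'value' => null];
    }
    return ['status' => 'ok', 'value' => $cookie[$name]];
}

// Hypothetical validator: accept only a 32-character lowercase hex token.
function is_token(string $v): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $v) === 1;
}

// Constructed requests: a legitimate one, a poisoning attempt, and a malformed cookie.
$requests = [
    'legit'    => ['cookie' => ['MAGIC_COOKIE' => str_repeat('ab', 16)], 'get' => [], 'post' => []],
    'poisoned' => ['cookie' => [], 'get' => ['MAGIC_COOKIE' => 'x'], 'post' => []],
    'badvalue' => ['cookie' => ['MAGIC_COOKIE' => '<script>'], 'get' => [], 'post' => []],
];

foreach ($requests as $label => $r) {
    // Initialize before use so no request variable can supply a default for us.
    $authorized = false;
    $result = cookie_only('MAGIC_COOKIE', $r['cookie'], $r['get'], $r['post'], 'is_token');
    if ($result['status'] === 'ok') {
        $authorized = true;
    } elseif ($result['status'] === 'wrong_channel') {
        // This is where the manual's example alerts the admin with mail().
    }
    printf("%-9s status=%-13s authorized=%s\n", $label, $result['status'], $authorized ? 'yes' : 'no');
}
```

Only the 'legit' request ends with $authorized set to true; the other two are rejected with a status that tells you whether the problem was the channel or the contents.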
Superglobals: availability note: Since PHP 4.1.0, superglobal
arrays such as $_GET, $_POST, and $_SERVER have been
available. For more information, read the manual section
on superglobals.