Zend Certified Engineer

phpguru.org

Free PHP, Javascript and C# code
Home ~ Downloads ~ FAQs ~ Search ~ Licensing ~ Forums

Blog Categories

[Index] [Popular]

Me

Recent comments

Articles

PHP5

PHP4

Javascript

C#

More on cleaning input data


3rd July 2005, 972 views

When you code with register_globals and magic_quotes_gpc off, it's easy to forget that some people do actually use them. Subsequently it's quite easy to inadvertently introduce vulnerabilities into your code when it's used on such a platform. The following code can be dropped into your app, into a common include for example, to fix this. Simply call dispelGlobals() and dispelMagicQuotes() and stop worrying.

<?php
/**
* Get rid of register_globals crapola
*/
function dispelGlobals()
{
    if (ini_get('register_globals')) {
        foreach ($_REQUEST as $k => $v) {
            unset($GLOBALS[$k]);
        }
    }
}


/**
* Get rid of magic_quotes crapola
*/
function dispelMagicQuotes()
{
    if (ini_get('magic_quotes_gpc')) {
        foreach (array('_GET', '_POST', '_COOKIE') as $super) {
            foreach ($GLOBALS[$super] as $k => $v) {
                $GLOBALS[$super][$k] = stripslashes_r($v);
            }
        }
    }
}

/**
* Recursive stripslashes. array_walk_recursive seems to have great trouble with stripslashes().
*
* @param  mixed $str String or array
* @return mixed      String or array with slashes removed
*/
function stripslashes_r($str)
{
    if (is_array($str)) {
        foreach ($str as $k => $v) {
            $str[$k] = stripslashes_r($v);
        }
        
        return $str;

    } else {
        return stripslashes($str);
    }
}
?>

Top 10 referrering pages

  1. http://php.vrana.cz/vypnuti-magic_quotes_gpc.php (5 referrals)
  2. http://forum.php.pl/index.php?showtopic=74876&st=... (3 referrals)
  3. http://forum.php.pl/index.php?s=01c5f1723930a9242... (2 referrals)
  4. http://www.google.co.id/search?hl=id&q=stripslash... (2 referrals)
  5. http://www.google.co.in/search?hl=en&q=ini_set+ma... (2 referrals)
  6. http://www.google.co.jp/search?sourceid=navclient... (2 referrals)
  7. http://www.google.co.nz/search?aq=f&hl=en&safe=of... (2 referrals)
  8. http://www.google.com/search?q=ini_set+magic_quot... (2 referrals)
  9. http://www.google.com/search?q=ini_set+magic_quot... (2 referrals)
  10. http://www.google.co.uk/custom?domains=www.phpgur... (2 referrals)
- +
Rate this article

Link to me

If you use any of the code on this site (and if you don't I guess) or it makes your life easier, I'd appreciate a link - http://www.phpguru.org. Thanks!

RSS Feed for Comments

Comments

Author: David
Posted: 3rd July 2005 17:59
What's wrong with ini_set("register_globals", 0) and ini_set("magic_quotes_gpc", 0)?
Quote
Author: Richard Heyes
Posted: 3rd July 2005 18:10
David:
> What's wrong with ini_set("register_globals", 0)
> and ini_set("magic_quotes_gpc", 0)?

It doesn't work, that's what.
Quote
Author: Julian Triber
Posted: 4th July 2005 04:06
Hey,
I already have something like your strip slashes function, but mine is an explicit call, and I run trim() while im stripping slashes, or just trim in the event that macgic quotes is not set.

I would also point out that dispellGlobals hides the real issue, uninitlized variables. If you set error_reporting(E_ALL | E_NOTICE); when you code your going to elimiate the problem rather than treating the symptom.
Quote
Author: Chris Shiflett
Posted: 4th July 2005 05:19
In Richard's defense, this has little to do with treating a symptom. Yes, you should develop with E_ALL or E_STRICT to be alerted to the use of uninitialized variables, but that doesn't mean it's fine to enable register_globals if you follow this practice.

A lot of security has to do with theory, and this is one of them. The principle of Defense in Depth tells us that redundant safeguards have value.

If you have a gas line in your house that has been known to leak, do you use a blowtorch around it? Do you try to make sure the leak is fixed? I'd suggest fixing the leak AND keeping blowtorches away. Defense in Depth.
Quote
Author: Allen Brooker
Posted: 4th July 2005 08:51
Richard Heyes:
> David:
> > What's wrong with ini_set("register_globals",
> 0)
> > and ini_set("magic_quotes_gpc", 0)?
>
> It doesn't work, that's what.
The actions caused by magic_quotes_gpc and register_globals (namely the escaping of quotes and the creation of variables respectively) happen before your script is called. Switching these off at runtime will not undo the actions caused by them.

Users should also be aware of magic_quotes_runtime and magic_quotes_sybase, which can be switched off at runtime (or alternatively, dealt with using a database wrapper).
Quote
Author: Brent O'Connor
Posted: 4th July 2005 15:46
The following is a method I use to stripslashes. I've used the php function array_map() if the variable is an array.

<pre>
<code>
/**
* Removes slashes in $this->_formDataArr added by magic quotes if magic quotes is turned on.
* @return void
*/
function removeSlashes() {
if (get_magic_quotes_gpc()) {
//var_dump($this->_formDataArr);
while (list($key,$value) = each($this->_formDataArr)) {
$value = is_array($value) ? array_map('stripslashes', $value) : stripslashes($value);
$this->_formDataArr[$key] = $value;
}
}
}

</code>
</pre>
Quote
Author: David Coallier
Posted: 12th July 2005 15:41
Here's another reason why not to use register_globals even though Stefan doesn't think the same, this is an example of what can happen.

http://www.hardened-php.net/index.37.html

But yeah.. that's the kind of vulnerability that comes with register_globals and allow_url_fopen

</regards>
-David
Quote
Author: Stefan Esser
Posted: 14th July 2005 23:31
While this code has already been fixed by Richy.

Time to clear up some misunderstandings.

a) People who say that this is just a line of defense and that it is better to switch of register_globals are totally wrong.

This code (in the fixed version) is the easiest way to fix the problem. PHP Applications have to be secure, no matter if the server is secure or not. Switching off register_globals on a few servers, does not kill the problem of unitialised variables on other servers.

This code (in the fixed form) however fixes the application. No matter if global variables where properly initialised or not, the application is finally rid of all future unitialised global variables problems.

b) an include problem like

include $GLOBALS['path']."/blah";

is not only exploitable with allow_url_fopen=on. There is still the possibility to read arbitrary files on the server with %00 attacks. There is still the problem of php://input in combination with %00 (I guess David Coallier has never heard of this) and yeah... as a last resort with allow_url_fopen you can directly include a remote url.

-Stefan
Quote
Author: Jakub Vrána
Posted: 16th September 2005 13:08
You should take care also of $_FILES[]['name'] which is addslashed() too.
Quote
Author: Marko
Posted: 22nd March 2006 15:06
Hi. Beautiful content and website design. Sorry for my english. I am from albania.
Quote
Author: Arik
Posted: 24th April 2006 09:54
Help to choose a videocamera. What standard to choose?
Quote
Author: Kolin
Posted: 8th May 2006 00:54
Hi! Do not prompt as me to send e-mail? = (
Quote
Author: Yakov
Posted: 20th May 2006 21:58
And that if to add on a site a history of creation of a site?
Quote
Author: Metod
Posted: 28th May 2006 14:28
Help to choose a videocamera. What standard to choose?
Quote

Post Comment

Your name:
Your email:
(Don't worry, I won't spam you. Also, if you do put your email address in here, you'll get notified of new comments. If you don't, you won't.)
Comments:
  Do not post support type questions please
 
CAPTCHA image If you can't read the CAPTCHA then press the submit button to get another. Your comment will re-appear (as if by magic...).
Captcha image
Home ~ Downloads ~ FAQs ~ Search ~ Licensing ~ Forums
© 2005-2008 Copyright Richard Heyes