In PHP 4.2, they canceled that old practice! As I will explain in this article, the purpose of making such a change is for security reasons. We'll look at the new approach to PHP when it comes to processing form submissions and other data, and explain why doing so can improve the security of your code.
What's wrong here?
Take a look at the following PHP script, which is used to grant access to a Web page when the username and password are entered correctly:
Copy CodeThe code is as follows:
Check User name and password
if ($username = = ' Kevin ' and $password = = ' secret ')
$authorized = true;
?>
Please enter your username and password:
OK, I believe about half of the readers will disdain to say "too foolish-I will not make such a mistake!" "But I promise a lot of readers will think," Hey, no problem, I will write it! "Of course there will be a few people who will be confused about this question (" What is PHP?) ”)。 PHP is designed as a "good and easy" scripting language, and beginners can learn to use it in a short period of time, and it should also be able to prevent beginners from making mistakes.
Back to the question, the problem with the code above is that you can easily get access to the right, without having to provide the correct user name and password. Only add the last authorized=1 to the address bar of your browser. Because PHP automatically creates a variable for each committed value-whether it comes from a submitted form, a URL query string, or a cookie-which sets $authorized to 1, an unauthorized user can also break the security limit.
So, how to solve this problem simply? Just set the $authorized default to False at the beginning of the program. There's no such thing as a problem! $authorized is a variable created entirely in program code, but why should developers worry about the variables submitted by each malicious user?
What changes have been made to PHP 4.2?
In PHP 4.2, the register_globals option in the newly installed PHP is turned off by default, so the Egpcs value (egpcs is environment, Get, Post, cookie, server abbreviation- This is the entire range of external variable sources in PHP and is not created as a global variable. Of course, this option can also be turned on manually, but PHP developers recommend that you turn it off. To implement their intentions, you need to use other methods to get these values.
Starting with PHP 4.1, the Egpcs value can be obtained from a specified set of arrays:
$_env--Contains system environment variables
$_get--Contains the variables in the query string, and the variables in the form where the method is GET is submitted
$_post--A variable in a form that has a submit mode of POST
$_cookie--Contains all COOKIE variables
$_server--Contains server variables, such as Http_user_agent
$_request--Contains all the contents of $_get, $_post and $_cookie
$_session--Contains all registered SESSION variables
Before PHP 4.1, when developers turned off the register_globals option (which was also considered as a way to improve PHP performance), they had to use nasty names like $http_get_vars to get those variables. These new variable names are not only short, but they also have other advantages.
First, let's rewrite the code mentioned above in PHP 4.2 (that is, turn off the register_globals option):
Copy CodeThe code is as follows:
$username = $_request[' username ');
$password = $_request[' password ');
Check User name and password
if ($username = = ' Kevin ' and $password = = ' secret ')
$authorized = true;
?>
Please enter your username and password:
As you can see, all I need to do is add the following two lines to the beginning of the code:
$username = $_request[' username ');
$password = $_request[' password ');
Because we want the user name and password to be submitted by the user, we get these values from the $_request array. Using this array allows the user to freely choose how to pass through a URL query string (such as allowing users to automatically enter their certificate when creating bookmarks), through a submitted form, or through a cookie. If you want to restrict the submission of certificates only through forms (more precisely, through HTTP POST requests), you can use the $_post array:
$username = $_post[' username ');
$password = $_post[' password ');
There is no change in program code other than the introduction of these two variables. Simply turning off the register_globals option encourages developers to further understand what data is from external (untrusted) resources.
Please note that there is a small problem here: The default error_reporting setting in PHP is still E_all & ~e_notice, so if the two values "username" and "password" are not committed, try to $_request an array or Getting these two values in the $_post array does not incur any error messages. If your PHP program requires strict error checking, you will need to add some code to check these variables first.
But does that mean more input?
Yes, in simple programs like the above, using PHP 4.2 often increases the amount of input. But look at the bright side-your program is safer after all!
But seriously, the PHP designers don't completely ignore your pain. There is a special feature in these new arrays that other PHP variables do not have, and they are full global variables. How is this going to help you? Let's start by expanding our example.
To enable multiple pages in the site to use username/password justification, we write our user authentication program to an include file (protectme.php):
Copy CodeThe code is as follows:
function Authorize_user ($authuser, $authpass)
{
$username = $_post[' username ');
$password = $_post[' password ');
Check User name and password
if ($username! = $authuser or $password! = $authpass):
?>
Please enter your username and password:
Exit ();
endif
}
?>
Now, the page we just looked at would look like this:
Copy CodeThe code is as follows:
Require (' protectme.php ');
Authorize_user (' Kevin ', ' secret ');
?>
It's simple, it's clear, right? Now is the time to test your eyesight and experience-what is missing from the Authorize_user function?
There is no declaration in the function that $_post is a global variable! In PHP 4.0, when Register_globals is turned on, you need to add a line of code to get the $username and $password variables in the function:
function Authorize_user ($authuser, $authpass)
{
Global $username, $password;
...
In PHP, unlike other languages with similar syntax, variables outside the function are not automatically available in the function, and you need to add a line as described above to specify that it comes from the global scope.
In PHP 4.0, when Register_globals is turned off to provide security, you can use the $http_post_vars array to get the value of your form submission, but you still need to import the array from the global scope:
function Authorize_user ($authuser, $authpass)
{
Global $HTTP _post_vars;
$username = $HTTP _post_vars[' username ');
$password = $HTTP _post_vars[' password ');
However, in PHP 4.1 and later versions, special $_post variables (and other variables mentioned above) can be used in all scopes. This is why it is not necessary to declare in the function that the $_post variable is a global variable:
function Authorize_user ($authuser, $authpass)
{
$username = $_post[' username ');
$password = $_post[' password ');
What effect does this have on the session?
The introduction of a special $_session array actually helps to simplify the session code. You do not need to declare the session variable as a global variable, and then notice which variables are registered, and you can now simply refer to all of your session variables from $_session[' varname '].
Now let's take a look at another example of user authentication. This time, we use sessions to flag a user who continues to stay on your website and has been authenticated by the user. First, let's take a look at PHP version 4.0 (open register_globals):
Copy CodeThe code is as follows:
Session_Start ();
if ($username = = ' Kevin ' and $password = = ' secret ')
{
$authorized = true;
Session_register (' authorized ');
}
?>
As in the beginning of the program, the program also has a security vulnerability, at the end of the URL add? authorized=1 can bypass security to directly access page content. Developers can see $authorized as a session variable and ignore the ability to easily set the same variables through user input.
When we add our special array (PHP 4.1) and close register_globals (PHP 4.2), our program will be like this:
Copy CodeThe code is as follows:
Session_Start ();
if ($username = = ' Kevin ' and $password = = ' secret ')
$_session[' authorized ') = true;
?>
Is it more simple? You no longer need to register the normal variable as a session variable, you only need to set the session variable directly (in the $_session array), and then use it in the same way. The program gets shorter and does not cause confusion about what variables are session variables!
Summarize
In this article, I explained the underlying reasons for the PHP scripting language to make a change. In PHP 4.1, a special set of data was added to access external data. These arrays can be called in any scope, making it easier to access external data. In PHP 4.2, register_globals is turned off by default to encourage the use of these arrays to prevent inexperienced developers from writing unsafe PHP code.
How do I know if I've never tried?
http://www.bkjia.com/PHPjc/325028.html www.bkjia.com true http://www.bkjia.com/PHPjc/325028.html techarticle in PHP 4.2, they canceled that old practice! As I will explain in this article, the purpose of making such a change is for security reasons. We will study PHP in ...
