I would like to prevent php scripts from being able to modify the contents of the $_SERVER global.
Specifically I don't want to allow
unset $_SERVER['foo'];
but it would be nice to forbid any modification, e.g. a module or php.ini declaration.
Is there one?
If you're in control of the root level script you could just copy it:
$_my_server = $_SERVER;
I think it would be helpful to know your reason for this; the $_SERVER variable shouldn't be modified by included scripts, because there's rarely a reason for someone to need to modify it. It's generated at run-time so any changes aren't persisted to subsequent runs of the script.
Also your extra point about php.ini declarations is a bit more confusing - the point of many componentes of $_SERVER is to inform scripts about those declarations, so having it send fake data would seem a very odd use case and maybe not possible.
Not as far as i'm aware.
If you are relying on the contents of $_SERVER throughout you code, and dont want other code (plugin?) to modify it, your best option is to make a copy during the bootstrap stage of your application, then use that copy throughout your code:
$serverDetails = $_SERVER;
$foo = $serverDetails['foo'];
Related
This question already has answers here:
PHP include() with GET attributes (include file.php?q=1)
(7 answers)
Closed 8 years ago.
What are the security implications of passing a get variable through an include?
Example:
index.php:
$lastname = $pulleddatabasevalue;
include "../includes/header?lastname=$lastname";
header.php:
echo $_GET["lastname"];
As the variable is dynamic, I have struggled to make include() or sessions work to assign the variable $lastname with the database value within the php include. However, $_GET here has worked fine. It doesn't show up on the browser address bar, thus can't be manipulated in a hostile manner there. Is there another way someone with malicious intent could work this code? Assume that the include directory is locked and I'm only referring to index.php.
Sorry, no way to pass get parameters to included file... See:
PHP include() with GET attributes (include file.php?q=1).
Include is a strict let's name it "Physical function". To make a get request, you must make a request. Include just read the file from the server.
BTW. I'm curious, how it is possible, you made it work. I think there is some misunderstood in your code.
You should think about include, as a COPY PASTE function.
In that case:
$var = true;
include ('include.php');
include.php:
var_dump($var);
should echo bool(true).
Hope it helps.
When talking about security issues, as far as I'm concerned, include in the way I describe, should not create any new security holes. But you should check all the permissions of included files, to be 100% sure.
The security implications of outputting user supplied input is the same no matter how it is done: ESCAPING AND VALIDATION IS ESSENTIAL! Otherwise you are implementing big security holes.
Apart from that, there isn't any difference whether you directly access $_GET, or first stuff that value into another variable and access that inside your include.
The only difference is of general software maintenance: The former usually is considered bad because it is access to a global variable, while the latter might be part of a function call and might encapsulate the variable name better.
Your code, however, is wrong. You cannot pass query parameters as part of the filename. It works because $_GET is available as an array everywhere without any further code (read "superglobal variable" in the PHP documentation).
Keep it simple and don't confuse...
index.php
$lastname = $pulleddatabasevalue;
include "../includes/header.php";
header.php
echo $lastname;
External refs. and recommended read:
http://www.php.net/manual/en/function.include.php
http://www.php.net/manual/en/reserved.variables.get.php
This is a newbie question, and I know it.
Template structure is your usual index.php, with a few require_once()'s for the header/footer etc.
I define a var at the top of index.php before any of the require_once()'s for the base url, such as $url = 'http://url';
I then want to echo this out into all template files, header/index/footer etc, it works inside index.php as expected, but fails with a undefined var in all template files that are included in.
I know it's a var scope issue, but I'm totally perplexed how to fix it.
I'm aware that the manual says vars are available to included files, however they aren't. Could it be a issue with my local PHP install?
edit : Created a couple of test files, and a var is defined between 2 files, so why are they not working on my main site files?
Any helps gracefully recieved.
Many Thanks
if you use functions or methods (functions in classes) then you need to do global $variable inside the function. Otherwise you will not have access to it, you also could define it as constant. A constant is always global.
define('MYURL', $url);
You might want to use a PHP framework, if you not already do so.
I got a piece of code:
$_SESSION['cms_lang'] = 2;
global $cms_lang;
$cms_lang[1] = 'en';
Error:
Cannot use a scalar value as an array
Problem is that, I really don't know why server sees my global variable as the same as $_SESSION variable. I used this piece of code a couple of times and never had problem with that. I guess it must depends of settings on server. Can anyone know how to force server to not take global and session variables with the same name as the same?
You may read up on the PHP configuration setting register_globals which enables this behavior.
Also, read about why you should disable it (and generally, upgrade your PHP version!)
I was wondering if it possible to add constants to php before any scripts are ran, thus on startup. If this is possible, could it be done with classes etc aswell?
I was thinking in the direction of creating a plugin for php but maybe there is a way simpler way.
I don't mean including a file in every script.
thanks in advance
Not constants as far as I'm aware, but this is ok:
.htaccess
SetEnv MYVAR "hello"
somefile.php
echo $_SERVER['MYVAR'];
See the Apache docs on SetEnv for more.
To directly answer the question, there are two approaches:
Use auto_prepend_file to auto include a PHP file that has define calls.
Configure your web server to set server variables.
I think the second is a better approach. However, I don't see how either of them are very useful in the context of a plugin. Usually a class autoloader of some sort is the way to go there, or to require a single include file.
If I understand your question correctly, what I do is to include a file before all else on my index.php. That same file contains tons of constants, control verifications, initialization for the DB object, etc...
e.g.,
INSIDE index.php
<?php
$moduleRoot = dirname(__FILE__);
require_once($moduleRoot."/components/inc/inc.php");
// continue to render the web page and perform as usual
?>
INSIDE THE inc.php
// When in development, all errors should be presented
// Comment this two lines when in production
error_reporting(E_ALL);
ini_set('display_errors', '1');
// Website id for this project
// the website must be present in the table site in order to get
// the configurations and records that belong to this website
define("CONF_SITE_ID",1);
// Domain path where the project is located
// Should be like the access used on the browser
$serverDomain = $_SERVER["HTTP_HOST"];
$serverAccess = (!empty($_SERVER['HTTPS'])) ? ('https://') : ('http://');
$serverRoot = dirname(__FILE__);
define("CONF_DOMAIN", $serverAccess.$serverDomain);
// etc ...
EDITED
Since you have multiple "startup" files and you need all of them to call inc.php, the best choise seems to be .user.ini as of PHP 5.3.0, you can read about it here!.
And an article on the subject.
I've been doing PHP for a while now, never needed assistance, but totally confused this time. I have a single line of code with one echo statement.
Problem: URL parameters are automatically assuming PHP variable values of the same name. For example, I have a URL with a parameter named var_name like this:
http://www.example.com?var_name=abc123
and a 1-line PHP script with a variable named var_name, like this:
echo $var_name;
then I get output on the page of: abc123
This is the only code in the PHP page! This behavior is exactly how I expect $_GET to work, but I'm not using it.
I am having this problem only on 1 specific server, which is running PHP 5.2. I have tested on 4 other servers, none have this behavior. I assume it's a PHP config issue, but running default config and can't find anything in config documentation.
This is called register globals. If a server has register globals turned on, then you can do this.
I would recommend not to have register globals on any server. Since it can introduce a security flaw in your system.
An example of a security flaw with this.
if($auth == true)
{
// sensitive stuff here
}
If auth is just a regular variable, then I can do this in the URL.
http://www.example.com/page.php?auth=true
And see the sensitive information.
You probably have register_globals enabled:
See the manual for info.