Is this possible without a debugger?
I mean, we have $_POST, $_GET, $_SESSION, etc. I'm looking for something like $_CURRENT_VARS
$GLOBALS contains all global variables. Or you use get_defined_vars().
well, it's overkill, but you can call phpinfo() to display (essentially) everything.
Related
I use global variables on my website such GET,POST,FILES,SESSION. I wrote my website on a server where register_globals is on. And i just moved my website to another server where register_globals is off and i actually do not know how to deal with it.
For exmaple, i have this code:
$do = $_GET['do'];
or
$name = $_POST['name'];
How i understood, i can not do this, php can't extract this data. How can i change my code to receive data from GET,POST,SESSION,FILES?
Thank you
You misunderstand. $_GET & co are superglobals which are always available and cannot be disabled, your code will always work.
register_globals makes those $_GET values directly available as variables. I.e. instead of $_GET['do'] you could use $do.
This is the proper way to access the vars and works with register_globals_gpc = off:
$do = $_GET['do'];
If register_globals_gpc = on the $_GET would automatically be extracted and this would work:
echo $do;
So if you are doing it the way you show then all is well. $_GET, $_POST, $_COOKIE, as well as $_SERVER and $_SESSION are already superglobal and available anywhere.
The quick and easy way would be using extract function.
extract($_POST);
extract($_GET);
extract($_COOKIES);
But this is VERY VERY VERY BAD from security and maintainablity aspect! You should rewrite the code, if possible, to:
$variable = $_POST['variable'];
..
when I googled this issue and open the very first serch result it gave me the solution. Try this, Hope it will work for you
I recently took a dive into wordpress, and I noticed something really unusual, When coding I noticed that a particular variable called the $post variable was available for me to manipulate whenever I need it, as along as my page is within the wp-includes, wp-themes or wp-plugins folder without me calling any external page or function.
So I started developing a site without wordpress hoping to understand the mystery behind that anomaly..
I would appreciate all help on making me understand this phenomenon. I would like to use such technique in building sites. Thanks...
That's not an anomaly. That variable is present in global scope and is being defined in either of the files that you have mentioned. You can easily do it like
include.php
<?php
$myGlobal="Testing";
?>
anyfile.php
<?php
include "include.php";
echo $myGlobal;
?>
And you can use it in your functions as well, as long as you refer to the global one, for example
anotherfile.php
<?php
include "include.php";
function test()
{
global $myGlobal;
echo $myGlobal;
}
test();
?>
Theory
The scope of a variable is the context within which it is defined. For the most part all PHP variables only have a single scope. This single scope spans included and required files as well
By declaring (a variable) global within the function, all references to either variable will refer to the global version. There is no limit to the number of global variables that can be manipulated by a function.
Go through this PHP Doc once and you will have much better idea of how it all works.
Take a look at global variables:
http://php.net/manual/en/language.variables.scope.php
and superglobal as well:
http://www.php.net/manual/en/language.variables.superglobals.php
php.ini
register_globals = on
$post
$get
will be available anywhere
I use assign like this :
$smarty->assign("akakak", $_POST[do]);
it's work in some cases but it isn't work in some cases
when I add this parameter
$smarty->assign("akakak", $_POST[do], true);
it's always work
Why ?
You should check or set a default value:
<?php
//Check it or set default for $do
$do=(isset($_POST['do']))?$_POST['do']:'';
//Assign the $smarty var with $do
$smarty->assign("akakak", $do);
?>
Assigning the values of superglobals ($_GET, $_POST, $_REQUEST, $_SESSION, $_COOKIE, $_SERVER, $_ENV) is redundant. You can access any of these within a template through the {$smarty} variable, in your case {$smarty.post.do}.
The following is true for Smarty3:
The third argument to assign() is the nocache flag. For more information on this, see cacheability of variables. If this actually solved your problem, your real problem lies with your caching. You likely have $smarty->caching = true; set, in which case the template is not rendered on every invocation, but read from cache if possible.
If you need further assistance, you may want to elaborate on the failing cases.
Aside from that, please have a close look at the other comments suggesting $_POST['do'] over $_POST[do] and the use of isset() or empty() where applicable.
I know SUPERGLOBAL variables are associative arrays available in any scope throughtout the script and according to the following excerpt from a post (http://www.sitepoint.com/forums/showthread.php?68618-PHP-global-and-superglobal)
Excerpt:
the difference between "global" and "superglobal" is that a global variable is defined at the top level, but is not initially accessible inside a function, whereas a superglobal is automatically available anywhere within the code.
Now the text i am referring to says (about NATIVE PHP SESSIONS):
PHP creates its SID whenever you use the session_start() function, and also by default if you use certain other session-related functions, such as session_register(). The value of SID is kept in a global variable name PHPSESSID.
Now I am not sure as to how PHPSESSID is accessible. Is it simply $phpsessid or $_SESSION['PHPSESSID'].
Please clear this for me.
I am sure there is no $_SESSION['PHPSESSID'] nor $phpsessid. Maybe $phpsessid exists if register_globals are on.
In order to obtain your session id you can either use $_COOKIE['PHPSESSID'] or session_id(). You can check the documentation.
I am not a PHP developer but I'm assessing the security of a PHP5 application.
The author relied on extract($_POST) and extract($_GET) in some places, outside of functions.
My suggestion is to call extract($_POST, EXTR_PREFIX_ALL, 'form') and change the code accordingly, but his stance is that any variable is being redefined inside subsequent includes anyway.
I can easily change the superglobals by providing, for instance, _ENV=something inside the post values, but superglobals are arrays and I'm turning them into strings, I'm not sure it can have evil effects.
I could have a look at the several isset() uses and go backwards from there.. but I imagine there are attacks of this kind that don't require knowledge or divination of the source.
Is there some interesting variable to be set/changed, maybe in the innards of PHP?
Thanks
For assessing "might" try this:
File:htdocs/mix/extraction.php
<?php
extract($_GET);
var_dump($_SERVER);//after extract
?>
and call it like that:
http://localhost/mix/extraction.php?_SERVER=test
After the extract on my Xampp the output looks something like that:
string(4) "test"
If any one knows anything about your variable naming and you use extract on $_POST or $_GET globals, then you have a serious problem.
With a bit of time and work it would be possible to find out some namings by try and error.
Without knowing your source an intruder could try to hijack any global variabl like $_SESSION (but here it will only take any effect if you do the session_start(); before the extract($_GET), $_COOKIE or $_SERVER and even set specific values for them like that:
//localhost/mix/extraction.php?_SERVER[HTTP_USER_AGENT]=Iphone
If you use extract like that:
extract($var,EXTR_SKIP);
extract($var,EXTR_PREFIX_SAME,'prefix');
extract($var,EXTR_PREFIX_ALL,'prefix');
then you will be perfectly safe.
A common name for the database connection is $db, but that would just blow up the system, you can overwrite the $_SESSION variable.
session_start();
$_SESSION['test'] ='test';
var_dump($_SESSION);
$vars = array("_SESSION" => 'awww');
extract($vars);
var_dump($_SESSION);
output
array(1) {
["test"]=>
string(4) "test"
}
string(4) "awww"
Overwrite variables $idUser or other fun stuff, want to mess up the iterables?
Pass array('i' => 5) to extract, there are all sorts of fun you can have depending on scope.
Edit:
I just thought of another, if the form is handeling file uploads, why not try and overwrite variables named $file, $fileName, $fileExtention and see if you can get it to read files outside your permission level.
I'm not aware of any universal exploitability.
Anyway, it definitely is awfully bad practice.
What the script's author is saying is that the script's security relies on him not forgetting anything in the subsequent includes, which is horrible.
For strong general arguments against global extract()ing, see What is so wrong with extract()?