| 鋁門窗規劃、施工,經驗豐富 服務嚴謹、保固完善,免費估價,歡迎洽詢 |  | 專業的施工團隊,新屋裝潢 舊屋裝修,套房規畫,室內裝修申請,完工保固 |
| 鋁門窗規劃、施工,經驗豐富 服務嚴謹、保固完善,免費估價,歡迎洽詢 | | 專業的施工團隊,新屋裝潢 舊屋裝修,套房規畫,室內裝修申請,完工保固 |
register_globals 詳解 |
| 房東:阿亨 發表時間:2007-03-21 |
################################################# # 作者 fiend 轉貼請註明文章出處 # 文章出處 : http://www.twbb.org ################################################# 這是 php 的一項很致命傷的漏洞 初學php的人 必需先建立好這個關念 不然很容易讓自己寫好的系統被攻擊. ... 替大家做個解說好了 : In PHP 4.2.0 and later, the default value for the PHP directive register_globals is off. This is a major change in PHP. Having register_globals off affects the set of predefined variables available in the global scope. For example, to get DOCUMENT_ROOT you'll use $_SERVER['DOCUMENT_ROOT'] instead of $DOCUMENT_ROOT, or $_GET['id'] from the URL http //www.example.com/test.php?id=3 instead of $id, or $_ENV['HOME'] instead of $HOME. From version 4.1.0 onward, PHP provides an additional set of predefined arrays containing variables from the web server (if applicable), the environment, and user input. These new arrays are rather special in that they are automatically global--i.e., automatically available in every scope. For this reason, they are often known as 'autoglobals' or 'superglobals'. (There is no mechanism in PHP for user-defined superglobals.) The superglobals are listed below; however, for a listing of their contents and further discussion on PHP predefined variables and their natures, please see the section Reserved Predefined Variables. Also, you'll notice how the older predefined variables ($HTTP_*_VARS) still exist. As of PHP 5.0.0, the long PHP predefined variable arrays may be disabled with the register_long_arrays directive. 大家可以找一下 php.in : variables_order = "EGPCS" Set the order of the EGPCS (Environment, GET, POST, Cookie, Server) variable parsing. The default setting of this directive is "EGPCS". Setting this to "GP", for example, will cause PHP to completely ignore environment variables, cookies and server variables, and to overwrite any GET method variables with POST-method variables of the same name. 什麼是 EGPS 呢 : 這個設定是用來控制 post get cooie 伺服器變數 等環境變數 讓 php 以順序的方式來定義它們 . 而 PCS 呢 : 則是 後來的環境變數可以蓋過之前的變數 . 哈... 大家聽完有點亂亂的吧 . 簡單來說就是 pcs 會造成 假設第一個post 進來的 變數值 可以 蓋過 get 的變數值 換言之 第一個是 get 時 那 第二個 post 也可以取代掉它 . 嘿嘿 ,, 這樣的話 我就可以 用 sql injection 來攻擊系統 比起 egps 的方式用 可以 全方位的使用隱碼攻擊 . 而 register_globalls 關閉的話 它會讓 egps 變成 全域變數 , 這表示 使用者可以任意的假造變數增加 系統更高的安全風險. 而 $HTTP_GET_VARS[""] 則是 開 啟 track_vars 則 egps 變數 就可以給 $HTTP_GET_VARS[""]使用 If enabled, then Environment, GET, POST, Cookie, and Server variables can be found in the global associative arrays $_ENV, $_GET, $_POST, $_COOKIE, and $_SERVER. Note that as of PHP 4.0.3, track_vars is always turned on. |
|
|
廣利不動產-新板特區指名度最高、值得您信賴的好房仲 您的托付,廣利用心為您服務 廣利不動產-板橋在地生根最實在--新板特區指名度最高、值得您信賴的好房仲 完整房訊,房屋、店面熱門精選物件,廣利不動產 優質仲介,房屋租賃、買賣資訊透明,交易真安心! |
| 姓名: | |||
| 佈告內容: | |||
| 其他選項: | |||
|
| |||