Re: [PHP] PHP 5 Strings are References?!

Posted by Richard Lynch on 04/06/05 08:21

On Wed, March 30, 2005 6:48 am, Jochem Maas said:
>>> I don't really think that's relevant, however, as PHP is storing $name
>>> back *IN* to my $_SESSION data, just because I did:
>>> $name = $_SESSION['name'];
>>> $name = "Fooey";
>>>
>>> $name is a STRING.
>>>
>>> It's not an object.
>>>
>>> It should *NOT* be a Reference!
>>>
>>> But it is a Reference, so changing $name alters $_SESSION['name']

Perhaps I'm being overly paranoid...

Consider the following, however.

Fact: One should not trust $_GET data, and should scrub it.

Fact: I'm on a shared server.

Fact: By definition, if *my* PHP script can read my session data, so can
*another* user's script on that server.

Thus, I had intended to 'scrub' session data with things like:

<?php
session_start();
$name = $_SESSION['name'];
// strip anything outside the whitelist: letters, space, apostrophe, comma, dot, hyphen
$name = preg_replace('/[^A-Za-z \',\\.-]/', '', $name);
if ($name != $_SESSION['name']) {
    // assume they are Bad People.
}
?>

Needless to say, this isn't gonna do crap with this bug in PHP 5.0.3
making strings into references.

For the short term, I'm trusting session data (but not GET/POST, duh).

I suspect I could do:
$name = '' . $_SESSION['name'];
or somesuch to force the string to not be a reference.

But PHP doesn't *HAVE* strings as references.

I filed a bug report, but sniper's response was pretty much the same
auto-response "register_globals"

OTOH, he said it was fixed in CVS, so I guess it was only in 5.0.3???

Am I over-reacting?

I don't think so.

It's a nasty little bug that will completely bypass security measures to
scrub SESSION data, as described above.

I haven't really probed into this, to see how far / long the "reference"
nature of the string extends.

Perhaps the preg_replace would create a copy of the string... Or not. Or
maybe it would depend on if anything got replaced or not. Or...

Sorry to reply so late, but I've been a tad busy lately, and just caught
up on PHP-General tonight. [looks at watch] Errr, make that this
morning, I guess. :-v

--
Like Music?
http://l-i-e.com/artists.htm
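The copy-scrub-compare check from the post above, as an added example that is not part of Richard Lynch's message. It simulates the aliasing he describes by making `$name` an explicit reference to the session slot, shows why the comparison then never fires, and then writes the same check so that the scrubbed result lands in a fresh variable and the session slot is never assigned to. The session array, the `scrub_name`/`session_name_is_clean` helpers and the sample value are constructed for this illustration; PHP 7 or later is assumed for the scalar type declarations.

```php
<?php
// Added example, not code from the original post.
// Character whitelist from the post: letters, space, apostrophe, comma, dot, hyphen.
const NAME_ALLOWED = '/[^A-Za-z \',\\.-]/';

// Returns a scrubbed copy. preg_replace never writes to its argument,
// so nothing here can reach back into $_SESSION.
function scrub_name(string $value): string
{
    return preg_replace(NAME_ALLOWED, '', $value);
}

// The check the post intended, but the scrubbed value goes into a new
// variable and is compared with strict equality against the untouched slot.
function session_name_is_clean(array $session): bool
{
    if (!isset($session['name']) || !is_string($session['name'])) {
        return false; // missing or non-string value: treat as not clean
    }
    $clean = scrub_name($session['name']);
    return $clean === $session['name'];
}

// --- Demonstration on a constructed session array (no session_start()). ---
$_SESSION = ['name' => "Rich<script>'s"]; // constructed tainted value

// 1. The pattern from the post, with $name *simulated* as a reference to the
//    session slot, which is what the post says PHP 5.0.3 did on its own.
$name = &$_SESSION['name'];
$name = scrub_name($name);                 // assignment writes straight through to $_SESSION['name']
$tamper_seen_a = ($name != $_SESSION['name']); // false: both sides are now the scrubbed string
unset($name);                               // break the reference before continuing

$_SESSION = ['name' => "Rich<script>'s"];  // reset the constructed input

// 2. Scrub into a separate variable: the session slot keeps the original
//    tainted value, so the comparison detects the difference.
$tamper_seen_b = !session_name_is_clean($_SESSION); // true

var_dump($tamper_seen_a, $tamper_seen_b);
```

The difference between the two runs is only where the scrubbed string is stored: writing it back into the variable that was read from the session is what makes the check collapse when that variable aliases the slot, so keep the original and the scrubbed copy in two distinct variables and compare them with `===`.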
