  1. #1
    Regular Coder
    Join Date
    Feb 2007
    Location
    London
    Posts
    225
    Thanks
    16
    Thanked 2 Times in 2 Posts

    Is this secure? If not, are 'session variable variables' possible?

    I think I covered myself security-wise, but want to see if there's a hole anyone can point out.

    I'm restricting access to certain pages when user not logged in. Part of the security config looks like this: (The numbers, e.g. "01_01" refer to chapters and subchapters).

    PHP Code:
    // 1 = restricted, 0 = open (for a visitor who is not logged in)
    if ($_SESSION['logged_in'] == "no") {
        $secure_01_01 = 0;
        $secure_01_02 = 0;
        $secure_01_03 = 0;
        $secure_01_04 = 0;
        $secure_02_01 = 1;
        $secure_02_02 = 1;
        $secure_02_03 = 1;
        $secure_02_04 = 1;
        $secure_03_01 = 0;
        $secure_03_02 = 1;
        $secure_03_03 = 1;
        $secure_03_04 = 1;
    }
    I then create the variable $restricted_access, with the predefined page-specific $chapter and $subchapter:

    PHP Code:
    // e.g. $chapter = "01", $subchapter = "02" gives "secure_01_02"
    $restricted_access = "secure_".$chapter."_".$subchapter;
    and then...

    PHP Code:
    // $$restricted_access reads the variable whose name is held in $restricted_access
    if ($$restricted_access != 1) {
        // display page
    } else {
        // don't!
    }

    Can $$restricted_access be expressed as a SESSION variable variable? I'd feel happier if it were. But is that even necessary?

    Aargh, I'm out of my depth here.

  • #2
    Regular Coder meth's Avatar
    Join Date
    Jan 2003
    Posts
    262
    Thanks
    0
    Thanked 9 Times in 9 Posts
    From php.net:

    "Warning: Please note that variable variables cannot be used with PHP's Superglobal arrays within functions or class methods. "

    So no, a $_SESSION (a superglobal) cannot be a var var.
    I do Web Design, Brisbane based.
    More time spent in PHP/MySQL Web Development.
    And Search Engine Optimisation takes up the rest of it.

  • #3
    Regular Coder
    Join Date
    Feb 2007
    Location
    London
    Posts
    225
    Thanks
    16
    Thanked 2 Times in 2 Posts
    Thanks Meth,

    I must have missed that 'warning'! - But I suspected that was the case.

    So, any feedback on whether my approach is flawed?
    :-)

  • #4
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,073
    Thanks
    11
    Thanked 98 Times in 96 Posts
    Quote Originally Posted by meth
    From php.net:

    "Warning: Please note that variable variables cannot be used with PHP's Superglobal arrays within functions or class methods. "

    So no, a $_SESSION (a superglobal) cannot be a var var.
    and a good job as well, else page.php?restricted_access=1 might allow you access if register_globals were turned on.

    If you make your session an array
    PHP Code:
    <?php
    // allow-list of chapter/subchapter keys: 1 = may view, 0 = may not
    $_SESSION['my_access'] = array(
        'C1_S1' => 1,
        'C1_S2' => 0,
        /*etc*/
    );
    ?>
    then you can simply check for that array value ...
    <?php
    // build the same key shape as above ("C1_S2"), then look it up
    $chk = "C".$chapter."_S".$subchapter;
    if (isset($_SESSION['my_access'][$chk]) && $_SESSION['my_access'][$chk] != 1) {
        header("Location: unauthorised.htm");
        exit; // stop here, otherwise the page body is still sent after the redirect header
    }
    ?>
    or similar;
    even with the above.. depending on where $chapter and $subchapter come from, that may still be exploitable on a server with register_globals turned on, but that would depend on the rest of your code.

    Edit: typo off to on !
    Last edited by firepages; 08-07-2007 at 02:39 AM.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #5
    Regular Coder
    Join Date
    Feb 2007
    Location
    London
    Posts
    225
    Thanks
    16
    Thanked 2 Times in 2 Posts
    Thanks so much for that erudite response. I'll implement that code immediately. :-)

    Regarding session variable variables making abuse possible even with register globals off, I pondered the idea for a good five minutes before seeing what you meant, and then laughed out loud!

    One follow up question:

    $chapter and $subchapter are defined at the beginning of each page, but are never related to any user input, cookies, $_POST etc.

    Does that mean that with register globals turned off, there are no security risks, or am I being naïve? I think I understand that no variables can be manipulated or taken advantage of in any way so long as they remain in php code that can't be visible to a user (I.e. which you don't $_GET, for example). Am I right?

  • #6
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,073
    Thanks
    11
    Thanked 98 Times in 96 Posts
    Sorry edited my post ...I had globals off when I meant on !

    register_globals off does not automagically make code safe, but it does remove a few gotchas. Personally, I think the best way forward is to assume that register_globals might be on or off and assume you have no control of that setting... even if you do.

    Any uninitialized variables are targets for injection; testing with error_reporting(E_ALL) will show you all those uninitialized variables, giving you an E_NOTICE (or is it an E_WARNING?). Either way you can then decide if that's an issue or not.

    To answer... in your example if $chapter and $subchapter are defined in each page with no reference to user input then there is no way for anyone to rewrite them.

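    Putting posts #4 and #6 together, here is an added example (my own code, not firepages' or the original poster's) of the session-array check written so that it fails closed and never builds a variable name from the chapter numbers. It assumes the login code stores $_SESSION['logged_in'] as the boolean true and fills $_SESSION['my_access'] with keys like 'C1_S1' as in post #4; the helper names access_key, can_access and require_access, the 1..99 range limit, and the sample session at the bottom are all made up for this example.

```php
<?php
// Added example, not code from the thread. Assumes the login code sets
// $_SESSION['logged_in'] = true and fills $_SESSION['my_access'] with an
// allow-list keyed like 'C1_S1' (post #4). Helper names are made up here.
declare(strict_types=1);

// Post #6's advice: with E_ALL on, any variable read before it is
// initialised produces a notice you can chase down during testing.
error_reporting(E_ALL);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * Build the allow-list key from typed, range-checked integers. Because the
 * key is derived from ints rather than concatenated from whatever happens
 * to be in $chapter/$subchapter, a value that did not come from page code
 * (a stray request parameter under register_globals, say) cannot become
 * an unexpected key.
 */
function access_key(int $chapter, int $subchapter): string
{
    if ($chapter < 1 || $chapter > 99 || $subchapter < 1 || $subchapter > 99) {
        throw new InvalidArgumentException('chapter/subchapter out of range');
    }
    return sprintf('C%d_S%d', $chapter, $subchapter);
}

/**
 * Fail closed: grant only when logged in AND the allow-list holds exactly 1
 * for this key. A missing key, a missing list or a non-boolean login flag
 * all deny. (The isset(...) && ... != 1 test in post #4 lets an unlisted
 * page through instead.)
 */
function can_access(array $session, int $chapter, int $subchapter): bool
{
    if (($session['logged_in'] ?? false) !== true) {
        return false;
    }
    $allow = $session['my_access'] ?? null;
    if (!is_array($allow)) {
        return false;
    }
    return ($allow[access_key($chapter, $subchapter)] ?? 0) === 1;
}

/** Call at the top of each page, before any output is sent. */
function require_access(int $chapter, int $subchapter): void
{
    if (!can_access($_SESSION, $chapter, $subchapter)) {
        header('Location: unauthorised.htm');
        // Without exit the rest of the page still renders and is sent
        // along with the redirect header.
        exit;
    }
}

// Constructed sample session to exercise the policy without a login form.
$sample = [
    'logged_in' => true,
    'my_access' => ['C1_S1' => 1, 'C1_S2' => 0 /* etc */],
];
$checks = [
    'listed as 1 is allowed'    => can_access($sample, 1, 1) === true,
    'listed as 0 is denied'     => can_access($sample, 1, 2) === false,
    'unlisted page is denied'   => can_access($sample, 2, 1) === false,
    'logged-out user is denied' => can_access(['logged_in' => false], 1, 1) === false,
];
foreach ($checks as $label => $ok) {
    if (!$ok) {
        throw new RuntimeException("policy check failed: $label");
    }
}

// In a page, after the page's own constants are set:
// $chapter = 1; $subchapter = 1; require_access($chapter, $subchapter);
```

    The two design choices worth noting: the lookup is an explicit array access with a deny default, so a page that nobody added to the list is closed rather than open, and the chapter numbers are typed integers, so there is no string from which a variable name or an unexpected key could be assembled even if register_globals were on.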

  • #7
    Regular Coder
    Join Date
    Feb 2007
    Location
    London
    Posts
    225
    Thanks
    16
    Thanked 2 Times in 2 Posts
    Got it. Thanks :-)

