0

Possible Duplicate:
PHP global in functions

Using something like this worries me:

<? global $config; ?>

Let's say I store my DB connection and the salt I use for strings in my $config global.

Is there any chance that by now using:

<? global $config; ?>

I'll be having problems in the future?

If so, how could this be exploited?

Dan Kanze
  • Why do you believe it could be exploited? – Oliver Charlesworth Jan 13 '12 at 23:39
  • Also, what do you mean by "the salt I use for strings"? Which strings? – Oliver Charlesworth Jan 13 '12 at 23:42
  • Is it possible that an attacker could obtain or use the DB information or salt in global $config to perform an attack? – Dan Kanze Jan 13 '12 at 23:42
  • Salt for passwords that end up in the database. – Dan Kanze Jan 13 '12 at 23:43
  • You should be using a different salt for each password, not one single salt. – Oliver Charlesworth Jan 13 '12 at 23:43
  • Obviously I use something like md5(sha1($username).$config['security']['salt'].sha1(password)); That's not the point though. Can the attacker take advantage of a programmer declaring sensitive information in global $config? – Dan Kanze Jan 13 '12 at 23:46
  • Not necessarily, but using MD5 to hash your passwords can. Use a real password hashing function. Edit: If an attacker can access things you declare in a global variable, he is already in. You should focus more on not letting any attacker's code execute on your server in the first place so this problem becomes irrelevant. – tangrs Jan 13 '12 at 23:49

2 Answers

5

Short answer is no.

The global keyword simply makes that variable accessible to a function which would not normally have access to it. It does not make it accessible to outside scripts; that is purely a matter of whether the file itself is accessible or not.

Jacob Fike
  • Yes understood. But let me whittle this down again. The global $config is contained within the function I'm using. – Dan Kanze Jan 13 '12 at 23:50
  • It doesn't matter. Code inside of your application is safe if the files containing them are safe. A hacker would have to actually be able to read the source files (in which case they can just read the passwords and such right in the files). They can't access the variables in a running script. There is always a risk of SQL injection or other types of security flaws, but these are not directly related to the global keyword. – Jacob Fike Jan 13 '12 at 23:52
  • If the file containing the sensitive data is not accessible to the attacker and the attacker cannot execute his own code on your server, you should be mostly okay. Edit: beaten – tangrs Jan 13 '12 at 23:54
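To make the scope point concrete, here is an added PHP example (not code from the question or either answer): `global $config` inside a function is the same variable as `$GLOBALS['config']` within the same request, and the md5-with-shared-salt construction from the comments is placed beside password_hash(), which needs no salt in $config at all. The $config contents and function names are constructed for this example, and password_hash()/password_verify() with scalar type hints assume PHP 7 or later.

```php
<?php
// Added example, not from the question or answers. $config contents and
// function names are constructed; password_hash() and type hints need PHP 7+.

$config = [
    'db'       => ['dsn' => 'sqlite::memory:'],          // constructed sample
    'security' => ['salt' => 'constructed-static-salt'], // constructed sample
];

// The pattern from the question: the function reaches into the global.
// This is the same variable as $GLOBALS['config'] within this request;
// nothing here is exposed to other scripts or other HTTP requests.
function legacyHash(string $username, string $password): string
{
    global $config;
    return md5(sha1($username) . $config['security']['salt'] . sha1($password));
}

// Same lookup via $GLOBALS, to show that `global` creates no second copy.
function sameVariable(): bool
{
    global $config;
    return $config === $GLOBALS['config'];
}

// A real password hashing function (tangrs's advice): password_hash()
// draws a random per-password salt and is slow by design, so no shared
// secret has to live in $config for this purpose at all.
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyStored(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

$stored = hashForStorage('correct horse');
var_dump(sameVariable());
var_dump(verifyStored('correct horse', $stored));
var_dump(verifyStored('wrong', $stored));
// legacyHash() is deterministic and fast: identical input always yields the
// identical digest, which is what makes a leaked table cheap to attack
// offline; password_hash() yields a fresh string on every call.
var_dump(legacyHash('alice', 'pw') === legacyHash('alice', 'pw'));
var_dump(hashForStorage('pw') === hashForStorage('pw'));
```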
0

I'll be having problems in the future?

If so, how could this be exploited?

The problem with global variables is not that they open up some magic door whereupon they can be directly exploited. Rather, globals tend to make an application's design more muddled as it's unclear which functions/classes/modules depend on them. Thusly, it's more difficult to maintain. Hence, they have a higher probability of containing bugs which, in turn, may lead to hitherto unknown security flaws. Ergo, programmers frown upon globals.

webbiedave
  • Obviously but we are talking about a couple variables that are recycled over and over. My question is not about application design, it's about application security. Are there any negative repercussions purely from a security standpoint for using global $config? – Dan Kanze Jan 13 '12 at 23:48
  • @DanKanze This is a perfectly valid answer. He tells you right out where you'll "be having problems in the future" (muddled application design) and that just using global doesn't open a "magic door" for exploits. – Jonathan Kuhn Jan 13 '12 at 23:59
  • @Dan Kanze: My answer speaks directly to the question `do global variables make the application unsafe`. The answer is no, not in and of itself. I then went on to explain why programmers say to avoid globals and how they could lead to problems down the road. – webbiedave Jan 14 '12 at 00:01