
Hi

I was taught not to use global variables, and one of my friends is using a global variable for the database handle on his website...

Could you please explain if there is an issue if he uses a global variable for the database handle?

He is using it to access the database from anywhere in the application, so he doesn't need to connect to the DB every time, but surely if someone has access to this global variable they can wipe the data in the database...

Could someone please explain if it is possible for someone (a hacker) to access the global database handle variable and run queries from it?

Last Post by veedeoo

Hi,

I cannot give you a specific answer to your question, because you never mentioned which superglobals your friend is currently using. However, if it is MySQL security that worries you or your friend, I can safely assume that using a global variable for the database handle is pretty dangerous.

Here are my reasons and analogies.

First, there was a memo called CVE-2011-2505; you can search for this memo on Google to read the lengthy details. In this memo, it specifically described the vulnerability in the phpMyAdmin authentication feature. What this means to you, your friend, the rest of the PHP community, and me is that we should not use the $_SESSION superglobal variable, due to the ability of hackers to modify the said $_SESSION.

In shorter words, just in case I have not made myself very clear in the previous paragraph: $_SESSION has a vulnerability that allows it to be modified by the hacker. So we don't want any database credentials floating around as session variables or in $_COOKIE.

Second is the memo CVE-2010-3065. This vulnerability is even wider than what was in the first memo. What this vulnerability is all about is that the hacker can inject malicious values into internal variables (these are your variables) USING THE PHP SUPERGLOBAL mechanism. The danger is that the hacker can execute ARBITRARY commands to gain complete control of your server.

After my lengthy blabbering, let me answer your question, which I quote below:

could someone please explain if it is possible for someone (a hacker) to access the global database handle variable and run queries from it?

Answer: yes, and not only can the hackers run queries, they can gain complete control of your server if you are not very lucky.

If your friend is worried about the server resource expense of redundant database connections, why not use a human-readable data serialization, e.g. YAML, for the data that does not change much? If your friend is clever enough, he or she can probably write another script to check if the data is outdated and needs an update. Take Magento, Zend, and Symfony as examples; try inspecting their source code and it can give you some ideas on how they implemented high security.

This is some additional information. It just keeps lingering in my head, so I must say it as well.

Even if they twist both of your arms, DO NOT use $_REQUEST, because it is like taking the hacker to a buffet for FREE. These are the things the hacker can have on his all-you-can-eat menu: $_POST, $_GET, $_COOKIE. Think about being a hacker: you browse the source code of the form and it has something like this

<form action="process.php" action="request">

Now, as a hacker, you can probably guess: "Hey, I can feed my data as POST and GET", and since the programmer is pretty negligent I would try to request the cookie and session as well.
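As an added example (not part of the original thread, and not the poster's or the friend's code), the PHP script below puts the two things the reply warns about side by side: a query built from $_REQUEST and interpolated into SQL, next to a version that reads only $_POST, validates the value, and binds it as a prepared-statement parameter. Both run against the same shared connection, which is what makes the first one dangerous: the "global database handle" itself is never reachable from an HTTP request, but any code that lets request data shape the SQL effectively hands the handle to whoever controls that request. It assumes PHP with the pdo_sqlite extension; the table, rows, function names and request values are all constructed here for illustration.

```php
<?php
// Added example, not from the original thread. Runs offline against an
// in-memory SQLite database; table, rows and request values are constructed.

declare(strict_types=1);

// The "global database handle" from the question: one connection, reused.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
           ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Weak (hypothetical name): $_REQUEST merges GET, POST and COOKIE (the order
// comes from request_order / variables_order in php.ini), and the value is
// interpolated straight into SQL. Whoever controls any of those sources
// controls the query the shared handle runs. Shown only to illustrate the
// reply's point; do not use.
function findUserWeak(): array
{
    global $db;
    $name = $_REQUEST['name'] ?? '';
    $sql  = "SELECT id, name, email FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safer (hypothetical name): the handle is passed in instead of pulled from
// global scope, only $_POST is read, the input is checked against the
// expected username alphabet, and the value travels as a bound parameter so
// it can never change the shape of the SQL statement.
function findUserSafe(PDO $db, array $post): array
{
    $name = $post['name'] ?? '';
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $name)) {
        return []; // reject anything that is not a plain username
    }
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal and appends a
// condition that matches every row.
$payload  = "x' OR '1'='1";
$_REQUEST = ['name' => $payload];
$_POST    = ['name' => $payload];

printf("weak: %d rows returned\n", count(findUserWeak()));
printf("safe: %d rows returned\n", count(findUserSafe($db, $_POST)));
```

The weak function returns every user for the constructed payload, while the safe one returns nothing because the value never passes validation; even if validation were looser, the bound parameter would only ever be compared as data. Passing the PDO object into functions rather than reaching for it with `global` also keeps it out of reach of any code that happens to write into global scope, including old `register_globals`-style bugs the reply alludes to.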
