Friday April 18 2014
information technology central services at the university of michigan

FAQ: php

Can we use php and mysql?
Can I use register_globals?
How do I check the error log on the development server?
How should I seek out further help with php or mysql?

Can we use php and mysql?

If you are a member of a University group, and can pay with a 6-digit account number (student groups can use SOAS accounts), then you can subscribe to our virtual hosting service, which includes use of php and mysql tablespace.

Can I use register_globals?

For those who aren't familiar with register_globals: when it is enabled, PHP copies each request parameter directly into a variable of the same name. For instance, a request for page.php?id=test would produce a variable named $id with the value 'test'.

If you haven't started already, you'll want to use the "super global" arrays instead - in other words, $_GET['foo'] for GET parameters and $_POST['bar'] for POST parameters. You can read more about these here:

http://www.php.net/variables.predefined

Working this way prevents an attacker from injecting a value into other variables that your code relies on. In an incredibly simple example:

<?php
    // With register_globals on, both $favorite_color and $chosen can be set straight from the request
    if ( isset( $favorite_color ) ) { $chosen = 1; }
    // $chosen is never initialised here, so a request that supplies chosen=1 bypasses the check above
    if ( $chosen == 1 ) { Do_Other_Stuff( ); }
?>

In this case, even if $favorite_color was not sent, someone could still send a value for $chosen, and so get around supplying a favorite color at all. On the other hand, if register_globals were turned off and the attacker posted a variable called 'chosen', it would only be reachable as $_POST['chosen'] rather than $chosen, which is clearly a different variable.

In this scenario, only the variables you deliberately pull from the super-globals can be overwritten, and if those are used for sensitive tasks, such as authentication, executing a shell program, interacting with a database, etc., then you should be validating them anyway. This and other vulnerabilities are discussed in many places, including this essay: PHP and the OWASP Top Ten Security Vulnerabilities.
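The same check rewritten the way the FAQ recommends, as an added example rather than code from the FAQ itself: $chosen is initialised before it is tested, the colour is read from the request array instead of a registered global, and the value is validated against a fixed list. The function takes the request array as a parameter so the script runs from the command line against the constructed requests below; in a real page you would pass $_POST. The colour list and the Do_Other_Stuff stand-in are assumptions for the demonstration.

```php
<?php
// Added example, not part of the ITCS FAQ. Hardened form of the FAQ's
// $favorite_color / $chosen snippet.

$allowed_colors = array('red', 'green', 'blue');   // assumed list of valid choices

// Returns 1 only when the request carries a known colour; nothing in the
// request can set $chosen directly because it is assigned before it is read.
function choose_color(array $post, array $allowed)
{
    $chosen = 0;                                     // always start from a known state
    if (isset($post['favorite_color'])
        && in_array($post['favorite_color'], $allowed, true)) {
        $chosen = 1;
    }
    return $chosen;
}

// Stand-in for the FAQ's Do_Other_Stuff(): only runs when a colour was chosen.
function do_other_stuff(array $post)
{
    echo "proceeding with colour " . $post['favorite_color'] . "\n";
}

// Constructed requests: a legitimate one, an attempt to skip the colour by
// sending chosen=1, and an unexpected value with chosen=1 alongside it.
$requests = array(
    'legitimate' => array('favorite_color' => 'blue'),
    'bypass'     => array('chosen' => '1'),
    'bad value'  => array('favorite_color' => '<script>', 'chosen' => '1'),
);

foreach ($requests as $label => $post) {
    $chosen = choose_color($post, $allowed_colors);  // in a web page: choose_color($_POST, $allowed_colors)
    printf("%-10s chosen=%d\n", $label, $chosen);
    if ($chosen == 1) {
        do_other_stuff($post);
    }
}
```

Only the 'legitimate' request reaches do_other_stuff(). Because $chosen is assigned inside the function before it is tested, the check holds even on a server where register_globals is still switched on, and the in_array() test with strict comparison means a value you did not anticipate is rejected rather than passed along to whatever uses the colour later.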

This has been an issue with php development for some time, and the PHP developers have provided a clear migration path for those who relied upon the old style of coding. The super-global variables were first available in php4.0 beta 4 (released 2/2000) and were upgraded in 4.1 (12/2001). For further information, please see PHP's ChangeLog.

How do I check the error log on the development server?

You can watch for errors in the Apache error log on the development server as they occur:

tail -f /var/apache/log/error

How should I seek out further help with php or mysql?

There are many ways of getting assistance with php and mysql. Both have organizations behind them that document many features online:

http://www.php.net/manual/en/
http://dev.mysql.com/doc/mysql/en/

Using your favorite internet search tool can also be helpful. Searching for the exact text of an error message will typically turn up results where others have described how they resolved the same issue.

There are also UM user groups, php-sig and mysql-sig, which you can subscribe to through the online directory.