// some code to verify coupon code
echo “Check if user given coupon is valid or not.<br>”;
return ($code % 1000 == 0) ? TRUE : FALSE;
}
function isCustomer()
{
// a function to determine if current user
// user is a customer or not.
// not implemented.
echo “Check if user is a customer or not.<br>”;
return FALSE;
}
?>
When this script is run as
http://server/bad_autovars.php?couponCode=2000
it checks to see if the coupon code is valid. The is_coupon() function takes the
user given coupon code and checks if the given code is completely divisible by
1000 or not. Code that are divisible by 1000 are considered valid and the function
returns TRUE else it returns FALSE. If the coupon code is valid, it checks whether
the current user is a customer. If the current user is a customer, it shows a message
indicating that the customer is a winner. If the current user is not a customer, it
shows the following:
Check if user given coupon is valid or not.
Check if user is a customer or not.
Sorry you did not win!
Because we didn’t implement the isCustomer() function, we return FALSE at all
times, so there’s no way we should ever show a message stating that the current
user is a winner. But alas! Look at the following request:
http://server/bad_autovars.php?couponCode=1001&is_customer=1
Even with an invalid coupon, the user is able to see the following message:
Check if user given coupon is valid or not.

You are a lucky customer.
You won big today!
Chapter 2: Understanding and Avoiding Security Risks 31
04 549669 ch02.qxd 4/4/03 9:24 AM Page 31
Do you know why the user is able to see the preceding message? Because this
user has supplied is_customer=1, which became an automatic variable and forced
the winner message to appear. This type of trick can be done only with strong
knowledge of the application being used. For example, if this was a free script
widely used by many sites, a malicious hacker could force it to get what he wants.
This example demonstrates that automatic variables can be tricked into doing
things that are not intended by the programmers, so we need to have a better way
of getting user data. Thankfully, PHP 4.2 or above by default do not create auto-
matic variables. Creating automatic variables is turned off in the php.ini configu-
ration file using the following configuration parameter:
register_globals = Off
When register_globals is off by default, PHP does not create automatic variables.
So how can you get data from the user? Very easily using $_GET, $_POST,
$_REQUEST, $_SERVER, $_SESSION, $_ENV, and $_COOKIE. Table 2-1 shows which of
these variables correspond to what input of a request.
TABLE 2-1 PHP GLOBAL-REQUEST-RELATED AUTOMATIC VARIABLES
Variable Description
$_GET Used for storing data passed via HTTP GET method. For example,
http://server/any.php?a=1&b=2 will result in
$_GET[‘a’] = 1;
$_GET[‘b’] = 2;
$_POST
Used for storing data passed via HTTP POST method. For
example:
<form action=”any.php” method=”POST”>
<input type=text name=”email”>

<input type=hidden name=”step” value=”2”>
</form>
When this form is submitted, the any.php will have
$_POST[‘email’] = user_supplied_email
$_POST[‘step’] = 2
$_REQUEST
Works for both GET and POST. This variable is the best choice
because it will work with your application whether data is
submitted via the
GET method or the POST method.
$_SESSION Stores session data.
$_COOKIE Stores cookie data.
32 Part I: Designing PHP Applications
04 549669 ch02.qxd 4/4/03 9:24 AM Page 32
Variable Description
$_ENV Stores environment information.
$_FILES Stores uploaded file information.
$GLOBALS All global variables that are stored in this associative array.
Now let’s implement bad_autovars.php without the automatic field variables as
shown in Listing 2-4.
Listing 2-4: autovars_free.php
<?php
// Enable all error reporting
error_reporting(E_ALL);
// Initialize
$is_customer = FALSE;
// Get coupon code
$couponCode = (! empty($_REQUEST[‘couponCode’])) ?
$_REQUEST[‘couponCode’] : null;
if (is_coupon($couponCode))

{
$is_customer = isCustomer();
}
if ($is_customer)
{
echo “You are a lucky customer\n”;
echo “You win big today!\n”;
} else {
echo “Sorry you do not win!\n”;
}
function is_coupon($code = null)
{
// some code to verify coupon code
echo “Check if user given coupon is valid or not <br>”;
return ($code % 1000 == 0) ? TRUE : FALSE;
Continued
Chapter 2: Understanding and Avoiding Security Risks 33
04 549669 ch02.qxd 4/4/03 9:24 AM Page 33
Listing 2-4 (Continued)
}
function isCustomer()
{
// a function to determine if current user
// user is a customer or not.
// not implemented.
echo “Check if user is customer <br>”;
return FALSE;
}
?>
<?php

// Enable all error reporting
error_reporting(E_ALL);
// Initialize
$is_customer = FALSE;
// Get coupon code
$couponCode = (! empty($_REQUEST[‘couponCode’])) ?
$_REQUEST[‘couponCode’] : null;
if (is_coupon($couponCode))
{
$is_customer = isCustomer();
}
if ($is_customer)
{
echo “You are a lucky customer\n”;
echo “You win big today!\n”;
} else {
echo “Sorry you do not win!\n”;
}
function is_coupon($code = null)
{
// some code to verify coupon code
echo “Check if user given coupon is valid or not <br>”;
return ($code % 1000 == 0) ? TRUE : FALSE;
}
function isCustomer()
{
// a function to determine if current user
// user is a customer or not.
34 Part I: Designing PHP Applications
04 549669 ch02.qxd 4/4/03 9:24 AM Page 34

// not implemented.
echo “Check if user is customer <br>”;
return FALSE;
}
?>
Here $is_customer is first initialized to FALSE, which makes it impossible for the
user to set it using the GET or POST method. Next, improvement is made by using
the $_REQUEST[‘couponCode’] to get the coupon data. With this version, the user
can’t force $is_customer to any value and, therefore, the code works as intended.
Using validation code
In addition to getting user data from $_REQUEST, you also need to validate user
input, because it may contain unwanted patterns that cause security problems.
Sometimes programmers confuse validation with cleanup. Earlier, in Listing 2-2
(better_whois.php), we used escapeshellcmd() to escape any user-provided
shell characters. This would qualify as a cleanup or quarantine operation. A valida-
tion operation checks the validity of the data and, if it’s invalid, the script rejects it
instead of fixing it.
For example, say you have a PHP script that expects a data field called num1.
You can do a test like the following:
if (!is_numeric($_REQUEST[‘num1’]))
{
// User supplied num1 not a number!
}
There are many built-in functions, such as is_numeric(), is_int(),
is_float(), is_array(), and so forth, that you can use to perform validation.
However, often you want to validate a number or string from a different prospec-
tive. For example, e-mail addresses are strings, but not all strings are e-mail
addresses. To validate e-mail addresses, you need a validation function for e-mail
address. Similarly, ZIP codes are special type of numbers with nnnnn or nnnnn-
nnnn

formats. For validating ZIP codes, you would need to create custom validation
functions. Your validation functions should return TRUE for valid data and FALSE
for invalid data. The following is a simple structure of a validation function:
function isValidFIELDNAME($fieldValue = null)
}
// Perform validation code here
// You must return TRUE here if valid.
// Default is false
return FALSE;
}
Chapter 2: Understanding and Avoiding Security Risks 35
04 549669 ch02.qxd 4/4/03 9:24 AM Page 35