Every day, attackers discover new exploits and techniques. We can defend against several categories of attack in our PHP scripts.
register_globals is a setting in php.ini that controls whether PHP automatically creates variables with the same names as form fields, query-string parameters and cookies. If register_globals is set to on, it can spell disaster for your website.
Since PHP 4.2.0, the default value for register_globals is off, but web hosts often re-enable it to stay compatible with older scripts. The following example makes the difference between on and off clear.
Suppose username is a form field. With register_globals off, the only way to read its value is through the $_POST or $_GET array, depending on the form's method. With register_globals on, the value is available through $_POST or $_GET and also as the plain variable $username.
If you cannot disable register_globals in php.ini, you can turn it off with an .htaccess file:
php_flag register_globals off
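The following PHP is an added example, not code from the original article. It shows the classic pattern that register_globals turns into a hole (an authorisation flag that is only ever set on success and never initialised), the same check written so it reads request data only from the superglobals, and a startup check that refuses to run if the host has re-enabled register_globals and the .htaccess override did not take effect. user_is_valid() and the field names user and pass are hypothetical stand-ins for a real credential lookup.

```php
<?php
// Added example, not part of the original article.

// Hypothetical credential check; stands in for a real lookup.
function user_is_valid($user, $pass) {
    return $user === 'alice' && $pass === 'correct horse battery staple';
}

// Fragile pattern: $authorized lives in the global scope, is only set on a
// successful login and is never initialised. With register_globals on, any
// form field, query parameter or cookie named "authorized" would create and
// populate that global before this code runs.
function is_authorized_fragile() {
    global $authorized;
    if (isset($_POST['user'], $_POST['pass'])
            && user_is_valid($_POST['user'], $_POST['pass'])) {
        $authorized = true;
    }
    return !empty($authorized);   // relies on the variable being unset otherwise
}

// Robust pattern: every variable is initialised before use, and request data
// is read explicitly from $_POST, so the result is the same whether
// register_globals is on or off.
function is_authorized_safe() {
    $authorized = false;
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    if ($user !== '' && user_is_valid($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Deployment check: ini_get() returns "1"/"on" when the directive is enabled,
// "" or "0" when it is off, and false on PHP versions that removed it (5.4+).
function register_globals_is_on() {
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

function require_register_globals_off() {
    if (register_globals_is_on()) {
        die('register_globals is enabled; fix php.ini or .htaccess before deploying');
    }
}

require_register_globals_off();
echo is_authorized_safe() ? "admin area\n" : "login page\n";
```

Call require_register_globals_off() from a shared bootstrap file so every entry point checks the setting, and treat is_authorized_safe() as the template: initialise first, then read from the superglobals, never from bare variable names.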
SQL Injection Attacks
SQL injection attacks are simply the inclusion of malicious SQL statements in place of what should be harmless data. SQL injection preys on a lack of input scrubbing and data validation.
SQL injection is fairly easy to avoid with a little preparation and careful coding practice. If magic_quotes_gpc is enabled, PHP automatically escapes special characters such as apostrophes. Unfortunately, this is applied to every GET, POST and Cookie variable regardless of whether it will ever be used in an SQL statement, which is often a nuisance. To make sure data is escaped only when we need it to be, we can turn off magic_quotes_gpc in php.ini and call addslashes() on all data that is passed to MySQL. addslashes() escapes any unsafe characters so our input will not choke MySQL.
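The following PHP is an added example, not code from the original article. It shows the query built by plain string concatenation that the text warns about, the addslashes() form the text recommends, and, as the caveat a practitioner would want, a prepared statement that sends the SQL and the value separately so no escaping of the value is needed at all. It also undoes magic_quotes_gpc when a host still has it on, so that data is escaped exactly once at the point of use. The users table, the id and username columns, and the mysqli connection $db are assumptions; the sample value "O'Brien" is constructed to show a legitimate input that breaks a concatenated query.

```php
<?php
// Added example, not part of the original article.

// Read a POST field and strip the slashes magic_quotes_gpc may have added,
// so escaping happens once, where the value is used. get_magic_quotes_gpc()
// no longer exists in PHP 8, so the call is guarded.
function raw_input($key) {
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// VULNERABLE: user data concatenated straight into SQL. An apostrophe in the
// value terminates the string literal early; a crafted value could change the
// statement's logic rather than just break it.
function build_query_vulnerable($username) {
    return "SELECT id FROM users WHERE username = '" . $username . "'";
}

// Escaped as the article recommends: addslashes() puts a backslash before
// single quotes, double quotes, backslashes and NUL bytes. Note that it knows
// nothing about the connection's character set; mysqli_real_escape_string()
// is the connection-aware equivalent.
function build_query_escaped($username) {
    return "SELECT id FROM users WHERE username = '" . addslashes($username) . "'";
}

// Preferred: a prepared statement. The SQL text is fixed and the value is
// bound as a parameter, so it can never be parsed as part of the statement.
// Assumes $db is an open mysqli connection and a users(id, username) table.
function find_user_id(mysqli $db, $username) {
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $id : null;
}

// Constructed sample: a legitimate name containing an apostrophe.
$name = "O'Brien";
echo build_query_vulnerable($name), "\n";   // unbalanced quote: MySQL rejects this
echo build_query_escaped($name), "\n";      // quote is escaped: MySQL accepts this
```

Use raw_input() for every field you read, then pass the value either through addslashes() (or mysqli_real_escape_string()) immediately before concatenation, or, better, bind it with a prepared statement as find_user_id() does.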