
  UK Web Hosting | Dedicated Server Windows and Linux VPS Forum > Sales > Suggestions

  #1 (permalink)  
Old 05-06-2006, 13:02
Premium Member
 
Join Date: May 2006
Location: Cambridgeshire
Posts: 388
PHP - Register_Globals

Is it possible for eUKhost to set the 'register_global' module in PHP to "off", as it is currently set to 'on'? This can be changed in the php.ini file by setting register_globals = Off. It should really be off for security purposes. It was deprecated in the 4.x versions of PHP, and should not be used. Providing users are coding PHP properly they should not be affected by this change.
  #2 (permalink)  
Old 08-06-2006, 21:56
eUKhost.com's Avatar
Chief Marketing Officer
 
Join Date: Sep 2005
Posts: 4,256

Thanks for your suggestion.

We tried this option in the past but we were flooded with tickets and chats as many customers had problems with their websites. We've worked out a couple of things for the security of the servers, and mod_security has been very helpful in clearing all threats that may occur due to compromised PHP pages.
  #3 (permalink)  
Old 09-06-2006, 10:55
Premium Member
 
Join Date: May 2006
Location: Cambridgeshire
Posts: 388

Fair enough I suppose.

For reference to get most of the PHP to work all that coders need to add is along the lines of...
Code:
$id=$_GET['id'];
...assuming the bulk of the problems is with URLs such as index.php?id=something.
  #4 (permalink)  
Old 10-10-2006, 12:49
Member
 
Join Date: Oct 2006
Location: Nieuwkerken-Waas; Flanders
Posts: 32

Quote:
Originally Posted by Eidolon View Post
Fair enough I suppose.

For reference to get most of the PHP to work all that coders need to add is along the lines of...
Code:
$id=$_GET['id'];
...assuming the bulk of the problems is with URLs such as index.php?id=something.

Is it now on or off? If off, is it allowed to edit a .htaccess file for setting it off?
__________________
Êl síla nan lû e-govaded vín!
  #5 (permalink)  
Old 10-10-2006, 13:14
Premium Member
 
Join Date: May 2006
Location: Cambridgeshire
Posts: 388

As far as I'm aware it is currently on, though I'd recommend you code as if it was set to off.
  #6 (permalink)  
Old 10-10-2006, 13:28
eUKhost.com's Avatar
Chief Marketing Officer
 
Join Date: Sep 2005
Posts: 4,256

All that you need to add in .htaccess to enable or disable register_globals is as follows :-

to set register_globals on :-
php_flag register_globals on

to set register_globals off :-
php_value register_globals off

Don't try both at a time as that would create problems for your PHP scripts / applications.
__________________
UK Web Hosting || Business Hosting || eUKhost Knowledgebase
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
__________________________________________________

Great Opportunity :: Join our Affiliate Program for FREE and earn 20% commission on each referral.
  #7 (permalink)  
Old 20-10-2006, 10:13
Premium Member
 
Join Date: Sep 2006
Posts: 80

As much as I agree, normally it causes mass suicide as new PHP developers suddenly find their website gets broken very quickly.

I don't use register_globals anymore, but a lot of my very early PHP 4 work was written with ignorance of register_globals, so that makes me partly guilty.

With PHP6 they have removed the option altogether but I do agree that new servers should have the option forced to off to encourage developers to work with it off.
  #8 (permalink)  
Old 09-11-2006, 19:26
Junior Member
 
Join Date: Nov 2006
Posts: 13
Fix

You must be very careful if you use register_globals, example:-

Code:
if ($adminpassword == $upassword) {
    $admin = "1";
}

if ($admin == "1") {
    // Display secure information
}

As you can imagine, if the user puts index.php?admin=1 - your website is instantly vulnerable. You must make sure to define all variables at the top of your script (that aren't from a form). A fix for the above script would be just to add $admin = "0"; at the top.

Last edited by Cruisecar : 09-11-2006 at 19:31.
  #9 (permalink)  
Old 09-11-2006, 19:58
eUKhost.com's Avatar
Chief Marketing Officer
 
Join Date: Sep 2005
Posts: 4,256

You mean that the code should be as follows :-

$admin = "0";
php_flag register_globals on

Is this what you want to mention ?
  #10 (permalink)  
Old 09-11-2006, 22:40
Junior Member
 
Join Date: Nov 2006
Posts: 13

Yeah, I thought you would automatically assume I meant with it on.
  #11 (permalink)  
Old 10-11-2006, 00:41
eUKhost.com's Avatar
Chief Marketing Officer
 
Join Date: Sep 2005
Posts: 4,256

I am not good with php so I could not make out what exactly it should be.

I'll bookmark this thread as it can help me in future when I become a good developer
  #12 (permalink)  
Old 10-11-2006, 09:15
Member
 
Join Date: Oct 2006
Location: Nieuwkerken-Waas; Flanders
Posts: 32

Quote:
Originally Posted by eukhost.com View Post
You mean that the code should be as follows :-

$admin = "0";
php_flag register_globals on

Is this what you want to mention ?

Well, if you put that second line in your .htaccess (or not if on is the default option) and use the first line in your script, it will be safe.
But then you have to do that for all your variables, which is more work, and if you forget one, the whole script can become unsafe. Simply turning register_globals off is still the safest thing to do; in that case, you can safely use variables without worrying.
__________________
Êl síla nan lû e-govaded vín!
Reply With Quote
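
The pattern from post #8 next to the two fixes discussed in posts #8 and #12, as an added example that is not code from the thread. register_globals was removed in PHP 5.4, so extract() stands in for it here; the password constant, the function names and the request arrays are constructed for illustration.

```php
<?php
// Added example. extract() emulates register_globals = on: every request
// parameter becomes a variable before the script's own logic runs.
const ADMIN_PASSWORD = 'constructed-secret';   // constructed value

// Post #8 as written: $admin is assigned only on success, never initialised.
function vulnerable_check(array $request): bool
{
    extract($request);                     // emulated register_globals = on
    $adminpassword = ADMIN_PASSWORD;       // set by the script itself
    if ($adminpassword == ($upassword ?? null)) {
        $admin = "1";
    }
    return ($admin ?? null) == "1";        // a request-supplied $admin survives
}

// Post #8 fix: initialise $admin before use, globals still imported.
function initialised_check(array $request): bool
{
    extract($request);
    $adminpassword = ADMIN_PASSWORD;
    $admin = "0";                          // overwrites anything from the request
    if ($adminpassword == ($upassword ?? null)) {
        $admin = "1";
    }
    return $admin == "1";
}

// Post #12: register_globals off, so only the expected field is read.
function globals_off_check(array $request): bool
{
    $upassword = $request['upassword'] ?? '';
    return is_string($upassword) && hash_equals(ADMIN_PASSWORD, $upassword);
}

// Constructed requests: index.php?admin=1 and a genuine login form post.
$forged = ['admin' => '1'];
$login  = ['upassword' => 'constructed-secret'];

foreach (['vulnerable_check', 'initialised_check', 'globals_off_check'] as $fn) {
    printf("%-18s forged=%s login=%s\n", $fn,
        var_export($fn($forged), true), var_export($fn($login), true));
}
```

Only the first function grants access to the forged request. The second stays safe only while every such variable is initialised, which is the maintenance risk post #12 describes.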