PHP - Register_Globals

  • PHP - Register_Globals

    Is it possible for eUKhost to set the 'register_globals' module in PHP to "off", as it is currently set to 'on'? This can be changed in the php.ini file for register_globals = Off. It should really be off for security purposes. It was deprecated in the 4.x versions of PHP, and should not be used. Providing users are coding PHP properly, they should not be affected by this change.
    To err is human, but to really screw up you need a computer.

  • #2
    Thanks for your suggestion.

    We tried this option in the past but we were flooded with tickets and chats as many customers had problems with their website hostings. We've worked out a couple of things for security of the servers and mod_security has been very helpful in clearing all threats that may occur due to compromised php pages.
    eUKhost - eNlight Cloud Hosting || eUKhost Knowledgebase
    Toll Free : 0808 262 0255 || Skype : mark_ducadi


    • #3
      Fair enough I suppose.

      For reference to get most of the PHP to work all that coders need to add is along the lines of...
      Code:
      $id=$_GET['id'];
      ...assuming the bulk of the problems is with URLs such as index.php?id=something.
      To err is human, but to really screw up you need a computer.


      • #4
        Originally posted by Eidolon
        Fair enough I suppose.

        For reference to get most of the PHP to work all that coders need to add is along the lines of...
        Code:
        $id=$_GET['id'];
        ...assuming the bulk of the problems is with URLs such as index.php?id=something.
        Is it now on or off? If off, is it allowed to edit a .htaccess file for setting it off?
        l sla nan l e-govaded vn!


        • #5
          As far as I'm aware it is currently on, though I'd recommend you code as if it was set to off.
          To err is human, but to really screw up you need a computer.


          • #6
            All that you need to add in .htaccess to enable or disable register_globals is as follows :-

            to set register_globals on :-
            php_flag register_globals on

            to set register_globals off :-
            php_flag register_globals off

            Don't try both at a time as that would create problems for your php scripts / applications.
            eUKhost - eNlight Cloud Hosting || eUKhost Knowledgebase
            Toll Free : 0808 262 0255 || Skype : mark_ducadi


            • #7
              As much as I agree, normally it causes mass suicide as new php developers suddenly find their website hosting gets broken very quickly.

              I don't use register_globals anymore but a lot of my very early php 4 work was written with ignorance to register globals so that makes me partly guilty.

              With PHP6 they have removed the option altogether but I do agree that new servers should have the option forced to off to encourage developers to work with it off.


              • #8
                Fix

                You must be very careful if you use register_globals, example:-

                if($adminpassword == $upassword){

                $admin = "1";

                }

                if($admin == "1"){
                //Display secure information
                }

                As you can imagine, if the user puts index.php?admin=1 - your website hosting is instantly vulnerable. You must make sure to define all variables at the top of your script (that aren't from a form). A fix for the above script would be just to add $admin = "0"; at the top.
                Last edited by Cruisecar; 09-11-2006, 20:31.


                • #9
                  You mean that the code should be as follows :-

                  $admin = "0";
                  php_flag register_globals on

                  Is this what you want to mention ?
                  eUKhost - eNlight Cloud Hosting || eUKhost Knowledgebase
                  Toll Free : 0808 262 0255 || Skype : mark_ducadi


                  • #10
                    Yeh, I thought you would automatically assume I meant with it on


                    • #11
                      I am not good with php so I could not make out what exactly it should be.

                      I'll bookmark this thread as it can help me in future when I become a good developer
                      eUKhost - eNlight Cloud Hosting || eUKhost Knowledgebase
                      Toll Free : 0808 262 0255 || Skype : mark_ducadi


                      • #12
                        Originally posted by eukhost.com
                        You mean that the code should be as follows :-

                        $admin = "0";
                        php_flag register_globals on

                        Is this what you want to mention ?
                        Well, if you put that second line in your .htaccess (or not if on is the default option) and use the first line in your script, it will be safe.
                        But then you have to do that for all your variables, which is more work, and if you forget one, the whole script can become unsafe. Simply turning register_globals off is still the safest thing to do; in that case, you can safely use variables without worrying.
                        l sla nan l e-govaded vn!
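
Added example, not part of any post in the thread: the check from post #8 run three ways, first as it behaves with register_globals on, then with the `$admin = "0";` initialisation, then reading the request explicitly as in post #3 with the directive off. Because register_globals was removed in PHP 5.4, `extract()` stands in for it here; the constant, function names and sample requests are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. register_globals no longer
// exists (removed in PHP 5.4), so extract() on the parsed query emulates it.
// ADMIN_PASSWORD, the function names and the sample requests are constructed.
const ADMIN_PASSWORD = 'constructed-secret';

// Post #8's script as it behaves with register_globals on.
function page_with_globals(array $query): string
{
    extract($query);                  // every request key becomes a variable
    $adminpassword = ADMIN_PASSWORD;
    if ($adminpassword == ($upassword ?? null)) {
        $admin = "1";
    }
    // $admin was never initialised, so a request key named "admin" survives.
    return (($admin ?? null) == "1") ? 'secure information' : 'public page';
}

// Same script with post #8's fix: define $admin before it is used.
function page_with_init(array $query): string
{
    extract($query);
    $admin = "0";                     // overwrites anything the request injected
    $adminpassword = ADMIN_PASSWORD;
    if ($adminpassword == ($upassword ?? null)) {
        $admin = "1";
    }
    return ($admin == "1") ? 'secure information' : 'public page';
}

// register_globals off: only the one expected parameter is read, explicitly.
function page_without_globals(array $query): string
{
    $upassword = $query['upassword'] ?? '';
    // is_string() rejects array input such as upassword[]=x before comparing.
    $admin = is_string($upassword) && hash_equals(ADMIN_PASSWORD, $upassword);
    return $admin ? 'secure information' : 'public page';
}

$requests = ['', 'upassword=constructed-secret', 'admin=1', 'upassword[]=x'];
foreach ($requests as $qs) {
    parse_str($qs, $query);
    printf("%-30s on: %-19s init: %-19s off: %s\n", $qs === '' ? '(none)' : $qs,
        page_with_globals($query), page_with_init($query), page_without_globals($query));
}
```

Only the first function lets the `admin=1` request reach the protected branch; the second depends on every such variable being initialised, which is the maintenance risk raised in post #12.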
