
help with register_globals

Hi,

The newest problem is that I can’t set register_globals to ‘on’.

Actually, I’ve set it in the php.ini file (which is in the windows directory), but
when I do a php info, it shows that register_globals is off.

1) I’ve checked the requested path for php.ini in the php info; it’s correct.
2) I’ve tried with restarting IIS server, but to no avail.

Thanks


8 Comments

@Stephen_Philbin Aug 12.2005 — Try restarting the PC completely? Are you sure you want to do this? I mean I'd strongly suggest you don't. Seriously. It's not something I'd recommend anyone do unless they are absolutely certain that all executable code is entirely flawless and secure, and even if they were, I'd still advise against it.

@discus (author) Aug 12.2005 — Hm, I know something about security risks related to the register_globals, but I'm stuffed with nonworking scripts (because of variables mess), like this one:
[code=php]
<html>
<head>
<title>Listing 10-4</title>
</head>
<body bgcolor="#ffffff" text="#000000" link="#cbda74" vlink="#808040"
alink="#808040">
<?
// all double quotations in $form must be escaped,
// otherwise a parse error will occur
$form = "
<form action="listing10-4.php" method="post">
<input type="hidden" name="seenform" value="y">
<b>Give us some information!</b><br>
Your Name:<br>
<input type="text" name="name" size="20" maxlength="20" value=""><br>
Your Email:<br>
<input type="text" name="email" size="20" maxlength="40" value=""><br>
<input type="submit" value="subscribe!">
</form>";
// If we haven't already seen the form ($seenform passed by hidden
// form value), show the form.
if ($seenform != "y"):
print "$_POST['form']";
else :
print "Hi,".$_POST['name']." !. Your email address is .".$_POST['email'];
endif;
?>
</body>
</html>
[/code]
...gives blank page.

I'm using example scripts, which are all written in the simple variables manner ($variable), so I must change them all (and do I always do that correctly?).

Can I set register_globals just for learning purposes (on my localhost), without security threats, and how would that affect my PC's security?


Thanks

Edit: I forgot; restarting Windows didn't help.

@Stephen_Philbin Aug 12.2005 — Well from the looks of that script, I wouldn't touch anything the author of that wrote with a barge pole. I've no idea about how enabling RG on a PHP install would affect computer security for the computer as a whole; two major deciding factors would be the operating system and the kinds of scripts already on the computer.

The thing that's most vulnerable to RG is usually databases. Completely wiping out a database (including all administrative login) is frighteningly easy to do on a server with RG enabled. Obviously I'm not going to say how it can be done exactly, but you can do it from just about any internet enabled computer by simply typing in about 40 characters max and hitting enter. So for a badly built forum, it'd be easier to wipe it out, than to make a post.

That's why I always advise against register globals.

@felgall Aug 12.2005 — Turning on register globals means that anyone can post any variables to the script and they will be processed as part of the script. The better solution is to add code to the top of the script to just read in the expected variables.

@BeachSide Aug 12.2005 — Just thinking about register globals on gives me the willies.

@discus (author) Aug 13.2005 — Heh, I solved the issue (although I'll reconsider whether to use it /after all those warnings/).

I see that many novices have the same problem - to turn this setting either On or Off, with no help and answer.

That's because the issue is too stupid for a pro to understand it.

Namely, the first part of the php.ini file, named 'About this file', looks exactly like the other (active) parts, and contains descriptions of (who knows why) 9 settings (register_globals = Off, among them), which may easily delude a newbie into thinking that the change should be made there.

But, this setting should be changed in the part named 'Data handling'.

So, I hope this might be helpful to webmasters to help others who may fall in that stupid trap.


I'd have 2 more questions about security:

1) When I'm connected to the net, I keep my 'Default Web Site' (AdminTools/IIS) stopped.

Is that sufficient protection from variables injection through an URL parsing, or should I stop the IIS (server) service too?

2) So what if someone tries to inject a variable (say $var1) through an URL, if in my script(s) such a variable doesn't exist?

I mean, how could it be processed, if my scripts don't operate with it?

(I'm just on the half of the book, so excuse me if my Q sounds a bit s.)


Thanks again

Greets

@BeachSide Aug 13.2005 — Basically with register globals on you can put any variable into a script, again like I said basically. The biggest catch though is if you have a form, for instance, and one of the fields is named "name" right. Well without it on the only way to access that variable is either through using $_POST['name'] or $_REQUEST['name']. With it on however you can in the URL put your own variable in there and the script would accept it. So if the URL was like http://yourdomain.com?name=someothercode

This is obviously not what you want to happen.

As far as your personal machine goes, depending on your ISP you usually have to actually open Port 80 to incoming traffic for you to be affected by something like that. Otherwise you can't serve HTTP requests (unless you specify another port). I wouldn't worry too much about that.

The biggest drawback to turning register globals on, even for testing, is that no matter what you have to code for a server without it on. I think it is better to just start with them off so you don't mess the code up from the start.

@felgall Aug 13.2005 — My page http://www.felgall.com/htmlt67.htm has some code that can be added to any web page to load the variables that the script specifically requires so that register globals does not need to be touched.
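
Added example, not part of any post in this thread and not the code from the linked page: the "read in only the expected variables" approach applied to the form fields of the listing posted earlier, with register_globals left off. The helper `read_expected()`, the sample request and the extra `authorized` key are constructed for illustration; the extra key shows what happens to a variable the client sends but the script never asked for.

```php
<?php
// Read only the fields this script expects instead of letting
// register_globals create a variable for every request parameter.

// Hypothetical helper: copy allowlisted keys out of a request array.
// Keys the client adds on its own are never turned into variables,
// so they cannot pre-set a variable the script forgot to initialise.
function read_expected(array $source, array $expected): array
{
    $clean = [];
    foreach ($expected as $key => $maxLength) {
        $value = $source[$key] ?? '';
        // Reject array input (name[]=x) and cap the length server-side;
        // the maxlength attribute in the HTML form is only a hint.
        $clean[$key] = is_string($value)
            ? substr(trim($value), 0, $maxLength)
            : '';
    }
    return $clean;
}

// Field names and lengths taken from the form in the listing above.
$expected = ['seenform' => 1, 'name' => 20, 'email' => 40];

// Constructed sample request; in a real page pass $_POST instead.
$samplePost = [
    'seenform'   => 'y',
    'name'       => 'Ann <b>',
    'email'      => 'ann@example.com',
    'authorized' => '1',   // not part of the form, sent by the client
];

$in = read_expected($samplePost, $expected);

if ($in['seenform'] !== 'y') {
    echo "show the form\n";
} else {
    // Escape on output so submitted markup is displayed, not rendered.
    printf(
        "Hi, %s! Your email address is %s.\n",
        htmlspecialchars($in['name'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($in['email'], ENT_QUOTES, 'UTF-8')
    );
}

// The unexpected key was dropped and no $authorized variable exists.
var_dump(array_key_exists('authorized', $in), isset($authorized));
```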