Forum Moderators: coopster
recently he has just moved server which has a more recent version of PHP4 installed.
Along with a newer version of PHP it also now has register_globals=off.
when first transfering the site this caused no end of problems with some of the core parts of the site and to temporarily rectify the problems
php_flag register_globals on
was added to the htaccess file while I looked into the issue further.
while browsing around I have come across plenty of people suggesting emulating register_globals=on with a bit of script like
<?php
// Emulate register_globals on
if (!ini_get('register_globals')) {
$superglobals = array($_SERVER, $_ENV,
$_FILES, $_COOKIE, $_POST, $_GET);
if (isset($_SESSION)) {
array_unshift($superglobals, $_SESSION);
}
foreach ($superglobals as $superglobal) {
extract($superglobal, EXTR_SKIP);
}
ini_set('register_globals', true);
}
?>
while I am pretty sure adding this to my pages and then removing the
php_flag register_globals on
line from htaccess will work, is it actually going to achieve anything? or am I actually left with the same security issues as I have already?
if this is the case what are my options? to work through all of the core parts of the site that were developed by someone else and edit them to allow the site to function without register_globals=on or is there an easier way which is actually secure?
thanks for any input
Jay
$superglobals = array($_SERVER, $_ENV,$_FILES, $_COOKIE, $_POST, $_GET);
So, for instance, let's say you have a session variable,
$_SESSION['example']$_POST['exmaple']The best thing to do is to write your code as if register globals is turned off. I know this doesn't help you with pre-existing code, but current projects and future ones will be better if you start now.
If you are concerned about security with register globals you shouldn't be completely alarmed. Just because it is turned on doesn't mean that a script is vulnerable. But, when programming, you have to be careful how you handle different things. As of right now, your older scripts may have vulnerabilities in them, and the only way to completely secure them from this register globals issue is to replace everything "correctly" with its corresponding superglobal. But they don't have to have security holes in them. It depends.
So:
>> is emulating register globals=on a good idea?
I guess it doesn't really matter because both the script and register globals do practically the same thing. I personally hate coding with register globals, so I would have changed everything long ago ;) hehe...might not be possible in your case, though, depending on the scale of the project. I don't see major harm in using the script above, though. At least no more "harm" than using register globals in the first place.
Refer to the Register Globals [us3.php.net] documentation for more information.
Good luck! :)
[edited by: eelixduppy at 9:45 pm (utc) on Mar. 28, 2007]
I would like to turn off register_globals and from what you seem to be saying, having it turned off and then using the script i posted is the same as having register_globals turned on, so is there any real point in the exercise as surely any security holes made open with having register_globals turned on are only going to be there with the emulation script installed and register_globals turned off?
I understand your statement about it depending on the code if having register_globals turned on is going to cause security problems but as I didn't write alot of the core funstionality I cannot be sure of how secure it is, although from what I have looked at so far I would feel alot happier with register globals turned off which unfortunately by the sounds of it means I will have to edit quite alot of the code! :(
Jay
