Register_Globals?

Hi. I am just learning PHP. I'm taking over the website at work,
which is coded in PHP. I am wondering about register_globals. They are
on on the server we use. Is that a threat? I understand I may have to
recode if I turn them off, but is there a simple way to turn them off
and see if the code still works?
Thanks,

Peter

Sep 9 '05 #1
On 9 Sep 2005 14:54:20 -0700, "peter" <pl*****@yahoo.com> wrote:
> Hi. I am just learning PHP. I'm taking over the website at work,
> which is coded in PHP. I am wondering about register_globals. They are
> on on the server we use. Is that a threat?

Not directly, as it is quite possible to write safe code with register_globals
turned on, although it's bad practice. However, with register_globals enabled,
certain sorts of poor programming practices can be made unexpectedly much
worse, by the automatic creation of global variables. In particular, code that
relies on variables being undefined because the code did not set them; instead,
register_globals may have set it via user input through GET or POST.

> I understand I may have to
> recode if I turn them off, but is there a simple way to turn them off
> and see if the code still works?


Modify php.ini, set register_globals=Off.

--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Sep 9 '05 #2
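
The failure mode described in the reply above, shown as an added example that is not part of the original thread. register_globals no longer exists in current PHP (it was removed in 5.4), so its effect is simulated here with extract(); the function names and the request array are hypothetical.

```php
<?php
// Added example, not code from the thread. extract() stands in for what
// register_globals=On did automatically with GET/POST parameters.

// Weak pattern: $authorized is assigned only on success and never
// initialised, so the code relies on it being undefined otherwise.
function page_with_register_globals(array $request, bool $loginOk): string
{
    // Simulated register_globals: every request key becomes a variable.
    // EXTR_SKIP keeps the function's own parameters from being clobbered.
    extract($request, EXTR_SKIP);

    if ($loginOk) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin page' : 'denied';
}

// Corrected pattern: every variable the logic depends on is initialised
// by the code itself, and request data stays inside the request array.
function page_hardened(array $request, bool $loginOk): string
{
    $authorized = false;
    if ($loginOk) {
        $authorized = true;
    }
    return $authorized ? 'admin page' : 'denied';
}

// Constructed request: a parameter that happens to share the name of the
// uninitialised variable, with a failed login.
$constructedRequest = ['authorized' => '1'];

echo 'register_globals style: ',
     page_with_register_globals($constructedRequest, false), "\n";
echo 'initialised variables:  ',
     page_hardened($constructedRequest, false), "\n";
```

The hardened function gives the same result whether or not request parameters are turned into variables, which is why initialising variables matters even after register_globals is switched off.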
Thanks Andy! I guess what got me looking into this in the first place
was we received some of those strange emails where
ra***********@oursite.com are entered for all inputs and a CC is sent
to a different email address. A friend told me we may be vulnerable if
register_globals are on, which they are. Have you ever heard of such
emails? If so, will turning off register_globals protect us, or must
something more be done?

Thanks again,

Peter

Sep 10 '05 #3
peter wrote:
> Thanks Andy! I guess what got me looking into this in the first place
> was we received some of those strange emails where
> ra***********@oursite.com are entered for all inputs and a CC is sent
> to a different email address. A friend told me we may be vulnerable if
> register_globals are on, which they are. Have you ever heard of such
> emails? If so, will turning off register_globals protect us, or must
> something more be done?
>
> Thanks again,
>
> Peter

Peter,

Turning off register_globals may or may not help. It all depends on how
the script was coded. Of course, if it were a secure script, the CC:
wouldn't be allowed, whether register_globals was on or off.

My suspicion is that the script itself is insecure, and turning
register_globals off won't help in this case. In any event, you really
should turn it off. The chances are pretty high if there is one problem
there could be others.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 10 '05 #4

peter wrote:
> Thanks Andy! I guess what got me looking into this in the first place
> was we received some of those strange emails where
> ra***********@oursite.com are entered for all inputs and a CC is sent
> to a different email address. A friend told me we may be vulnerable if
> register_globals are on, which they are. Have you ever heard of such
> emails? If so, will turning off register_globals protect us, or must
> something more be done?

That is caused by some spammers trying to take over your email form.

Take a look at
<http://www.phpfreaks.com/forums/index.php?showtopic=66987&st=0&p=272101&#entry272101>

It shows some code that should keep these folks at bay.

I've gotten hit twice so far and a number of other people have also.

Ken

Sep 10 '05 #5
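
One way to reject the kind of submission discussed in the replies above, where a form input ends up adding a CC to the outgoing mail. This is an added example, not the code from the linked forum post or from anyone in this thread; the field names (name, email, subject) and the sample submissions are assumptions.

```php
<?php
// Added example, not code from the thread. It refuses any value bound for
// a mail header that contains a line break, since a line break is what
// lets a form input start an extra header such as Cc.

// True if the value is not a plain string or contains a raw or
// URL-encoded CR/LF.
function has_header_break($value): bool
{
    if (!is_string($value)) {
        return true;    // arrays and other types never belong in a header
    }
    return preg_match('/[\r\n]|%0a|%0d/i', $value) === 1;
}

// Returns the names of the header-bound fields that must be rejected.
// The message body is not checked here: line breaks are legitimate there.
function rejected_fields(array $form): array
{
    $bad = [];
    foreach (['name', 'email', 'subject'] as $field) {
        if (has_header_break($form[$field] ?? '')) {
            $bad[] = $field;
        }
    }
    // The sender address must also be a single well-formed address.
    if (!in_array('email', $bad, true)
        && filter_var($form['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $bad[] = 'email';
    }
    return $bad;
}

// Constructed submissions: one ordinary, one carrying an extra header line.
$constructed = [
    ['name' => 'Alice', 'email' => 'alice@example.com', 'subject' => 'Hello'],
    ['name' => 'x', 'email' => "x@example.com\r\nCc: other@example.net",
     'subject' => 'Hi'],
];

foreach ($constructed as $form) {
    $bad = rejected_fields($form);
    echo $bad ? 'rejected: ' . implode(', ', $bad) : 'accepted', "\n";
}
```

Call rejected_fields() before the values reach mail(), and send nothing if it returns a non-empty list.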
Thanks for the link, Ken. I will recode. I've also had 2 groups of
this strange email. I'm wondering, though, if they have had success
with my form yet. I would think if they were sending spam from my
domain that I would inevitably get some returned emails and perhaps
angry emails as well. Do you think this is an accurate assessment?

Thanks,

Peter

Sep 10 '05 #6

peter wrote:
> Thanks for the link, Ken. I will recode. I've also had 2 groups of
> this strange email. I'm wondering, though, if they have had success
> with my form yet. I would think if they were sending spam from my
> domain that I would inevitably get some returned emails and perhaps
> angry emails as well. Do you think this is an accurate assessment?

The only way to know for sure is to check the mail logs on your server.

Ken

Sep 10 '05 #7
