> Lately we discovered that, by mistake, we've run PHP with register_globals
> on for a few months for all our customers.
>
> Since we want to turn it off, we need to figure out which customers use the
> 'register_globals' functionality so we can ask them to modify their
> scripts.

Why do you want to turn it off? Turning register_globals off doesn't
instantly make your scripts more secure, by any means. All it does is
invite people that depend on it to write a quick workaround that
emulates register_globals as best as they can and they drive on with the
same issues they _might_ have had before. The problem is not with
register_globals, it's with poor logic in scripts that do not initialize
their own variables.

> However, checking all php code by hand is a non-trivial task, because there
> are 20,000+ php scripts. Is there a way to:
>
> a) parse all .php scripts once and detect whether they depend on register
> globals on?
>
> or probably easier:
>
> b) add something to our current setup so that when a script is executed and
> uses the register globals functionality, we get a notification
> automatically?

No, there's no way to do that very easily. I guess you could parse one
of their HTML forms and parse the ACTION page of the form and check for
_POST, _GET, or maybe even HTTP_GET_POST or HTTP_GET_VARS, but that's no
definitive answer that every script they have uses globals or not. 

Bottom line, the best thing you can do is to educate your customers on
how to write PHP scripts correctly and advise them to turn register
globals off on their own site (with .htaccess if you're using Apache).

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy
today. http://www.phparch.com/
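
The form-and-ACTION check suggested in the reply above, written out as an added example that is not part of the original message. It flags form fields that the target script reads as plain variables without assigning them itself. The function names, the `files` map keyed by the path given in the `action` attribute, and the sample files are assumptions, and the verdicts are a heuristic only.

```python
import re
# Request arrays a script reads when it does not rely on register_globals.
REQUEST_ARRAYS = re.compile(
    r"\$(?:_GET|_POST|_REQUEST|_COOKIE|HTTP_GET_VARS|HTTP_POST_VARS|HTTP_COOKIE_VARS)\b")
FORM = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
ACTION = re.compile(r"""\baction\s*=\s*["']?([^"'\s>?]+)""", re.I)
FIELD = re.compile(
    r"""<(?:input|select|textarea)\b[^>]*?\bname\s*=\s*["']?([A-Za-z_]\w*)""", re.I)
def form_targets(html):
    """Map each form's ACTION script to the field names submitted to it."""
    targets = {}
    for attrs, body in FORM.findall(html):
        action = ACTION.search(attrs)
        if action:
            targets.setdefault(action.group(1), set()).update(FIELD.findall(body))
    return targets

def bare_uses(php, fields):
    """Form fields the script reads as plain $name but never assigns itself."""
    hits = set()
    for field in fields:
        var = r"\$" + re.escape(field)
        read = re.search(var + r"\b(?!\s*=(?!=))", php)   # used, not as an assignment target
        assigned = re.search(var + r"\s*=(?!=)", php)     # "=" but not "=="
        if read and not assigned:
            hits.add(field)
    return hits

def triage(files):
    """files maps path -> source (assumed keyed as the action attribute names it)."""
    report = {}
    for source in files.values():
        for action, fields in form_targets(source).items():
            php = files.get(action)
            bare = bare_uses(php, fields) if php is not None else set()
            if php is None:
                report[action] = "target not found"
            elif bare:
                report[action] = "likely register_globals: " + ", ".join(sorted(bare))
            elif REQUEST_ARRAYS.search(php):
                report[action] = "uses request arrays"
            else:
                report[action] = "inconclusive"
    return report
SAMPLE = {  # constructed files, not taken from the thread
    "form.html": '<form action="old.php"><input name="user"></form>'
                 '<form action="new.php"><input name="user"></form>',
    "old.php": '<?php if ($user == "admin") { echo "hi $user"; } ?>',
    "new.php": '<?php $user = $_POST["user"]; echo htmlspecialchars($user); ?>',
}
```

Calling `triage(SAMPLE)` marks `old.php` as a likely register_globals dependency and `new.php` as reading the request arrays; scripts that take input from URLs or cookies rather than forms are outside what this check sees.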


