[PHP] Re: Register Globals (more)
John Taylor-Johnston wrote:
How do I rebuild this piece of code to be register_globals=off friendly? Just when I thought I was getting good. This keeps up, I'm changing back the php.ini myself.
John

If your code absolutely needs register_globals and you don't have the time to rewrite it, do this:

    @import_request_variables('GPC', '');

Note that @ is there to suppress the error message about non-recommended usage of the function, i.e. no prefix.

--
Open source PHP code generator for DB operations
http://sourceforge.net/projects/bfrcg/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Register Globals
Why not extract($_POST); and use your old code, or something like that? Same thing really, if the code doesn't work.
[PHP] Re: Register Globals
On Thu, 03 Nov 2005 21:17:39 -0500, John Taylor-Johnston wrote:
Ok, you are all used to working with register_globals=off.

    mail($to, stripslashes($subject), wordwrap($message, 60), "From: $from\r\n");

I change this line to:

    mail($to, stripslashes($_POST['subject']), wordwrap($_POST['message'], 60), "From: $_POST[from]\r\n");

You do realize you have an open relay. I can send in the post data:

    subject=I%20Love%20You&from=something\r\nBCC:moreaddresses&message=a_mime_encoded_virus

Don't trust tainted variables, you should really fix that.

Curt.
--
http://news.zirzow.dyndns.org/
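One way to close the hole Curt points out, as an added example that is not code from the thread: validate the three form fields before they ever reach mail(), so a CR/LF in the From value cannot start a new header line. Field names follow John's script; the recipient address and the sample POST data are constructed.

```php
<?php
// Added example: validate the form fields John's script hands to mail().
// The field names match his script; the sample inputs below are constructed.

function sanitize_mail_input(array $post): ?array
{
    $from    = $post['from']    ?? '';
    $subject = $post['subject'] ?? '';
    $message = $post['message'] ?? '';

    // From goes into the additional_headers argument of mail(). A CR or LF
    // there begins a new header (that is how a "BCC:" line gets smuggled in),
    // so accept only a single plain address and nothing else.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Subject is a header too: no line breaks or NUL bytes, and a sane length.
    if (preg_match('/[\r\n\0]/', $subject) || strlen($subject) > 200) {
        return null;
    }
    // The body may contain newlines; strip NUL bytes and normalise line
    // endings so bare CRs cannot be used to forge MIME structure.
    $message = str_replace("\0", '', $message);
    $message = preg_replace("/\r\n?/", "\n", $message);

    return [
        'to'      => 'webmaster@example.com',   // fixed; never taken from the request
        'subject' => $subject,
        'body'    => wordwrap($message, 60),
        'headers' => "From: $from\r\n",
    ];
}

// Constructed inputs: a normal submission and one carrying Curt's injected header.
$legit   = ['subject' => 'Hello', 'from' => 'alice@example.org', 'message' => 'Hi there'];
$hostile = ['subject' => 'I Love You', 'from' => "something\r\nBCC:moreaddresses",
            'message' => 'body text'];

var_dump(sanitize_mail_input($legit) !== null);   // bool(true): safe to pass to mail()
var_dump(sanitize_mail_input($hostile));          // NULL: the submission is rejected
```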
Re: [PHP] Re: Register globals and ini_set
On Fri, July 8, 2005 6:50 am, Jason Barnett said:
[EMAIL PROTECTED] wrote:
But what you *can* do, is to ini_get('register_globals') and have your script act accordingly. You could for example extract() your $_GET and $_POST variables.
http://php.net/manual/en/function.extract.php

If *ALL* you're gonna do is:

    <?php
    extract($_GET);
    extract($_POST);
    ?>

you might as well just turn register_globals *ON* and forget about Security.

You *MUST* use the new-fangled optional argument to specify which variables you are expecting, at a minimum.

You also should scrub your data:

Typecast any data that has to be integer to (int). If it's different from the original input data, bail out.

Check the length of any fixed-length data. md5 hashes should be 32 chars. US states are 2-char. Country-codes, 2 char, etc.

Make a string of what you consider kosher characters for text typed in:

    <?php
    $kosher = '/[^a-zA-Z0-9\'\\.,:\\?;_-]/';
    ?>

Use that $kosher to preg_replace every input:

    $bio = preg_replace($kosher, '', $_POST['bio']);

--
Like Music?
http://l-i-e.com/artists.htm
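The scrubbing rules above carried through in one function, as an added example rather than Richard's own code: only named fields are taken from the request, integers are cast and compared, fixed-length fields are length-checked, and free text is filtered with his pattern. The field names, lengths and sample input are constructed.

```php
<?php
// Added example: scrub named $_POST fields the way the post describes.
// Field names and sample data are constructed; the pattern is Richard's.

$kosher = '/[^a-zA-Z0-9\'\\.,:\\?;_-]/';   // characters to strip from free text

// Returns the cleaned fields, or null when any check fails (bail out).
function scrub_post(array $post, string $kosher): ?array
{
    // Instead of extract($_POST), name every variable you expect.
    $expected = ['user_id', 'state', 'token', 'bio'];
    $in = array_intersect_key($post, array_flip($expected));
    if (count($in) !== count($expected)) {
        return null;                       // a field is missing
    }

    // Integer: typecast, then compare with the original input.
    $user_id = (int) $in['user_id'];
    if ((string) $user_id !== $in['user_id']) {
        return null;
    }
    // Fixed-length data: US state is 2 chars, an md5 hash is 32 hex chars.
    if (strlen($in['state']) !== 2 || !ctype_upper($in['state'])) {
        return null;
    }
    if (strlen($in['token']) !== 32 || !ctype_xdigit($in['token'])) {
        return null;
    }
    // Free text: remove everything outside the allowed set. Note the set
    // contains no space, so whitespace is stripped as well.
    $bio = preg_replace($kosher, '', $in['bio']);

    return ['user_id' => $user_id, 'state' => $in['state'],
            'token'   => $in['token'], 'bio' => $bio];
}

// Constructed request data, as $_POST delivers it (every value a string).
$good = ['user_id' => '42', 'state' => 'CA',
         'token' => str_repeat('ab', 16), 'bio' => "I <b>like</b> PHP; it's fun!"];
$bad  = $good;
$bad['user_id'] = '42 OR 1=1';

print_r(scrub_post($good, $kosher));   // bio becomes "IblikebPHP;it'sfun"
var_dump(scrub_post($bad, $kosher));   // NULL: (int) cast changed the value
```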
[PHP] Re: Register globals and ini_set
[EMAIL PROTECTED] wrote:
Hi,
If I use, at the beginning of my scripts, ini_set('register_globals', 0), will register globals be turned off?
Thanks

ini_set() just doesn't make sense for that directive. register_globals takes the input data from HTTP requests and sets them in the symbol table before any of your PHP code gets parsed. PHP has already done the work. Doesn't seem too terribly efficient to just throw all of that away on every script invocation, now does it?

But what you *can* do is to ini_get('register_globals') and have your script act accordingly. You could for example extract() your $_GET and $_POST variables.
http://php.net/manual/en/function.extract.php

--
NEW? | http://www.catb.org/~esr/faqs/smart-questions.html
STFA | http://marc.theaimsgroup.com/?l=php-general&w=2
STFM | http://php.net/manual/en/index.php
STFW | http://www.google.com/search?q=php
[PHP] Re: register globals question
Merlin wrote:
Hello,
I am wondering if an application written to work with register globals set to off ($_GET[variable] etc.) would work with a system where register globals is set to on?

Yes.

Kae
[PHP] Re: Register globals on and off
I've read that an include file in each of your pages with the lines below should do the trick for you with register_globals OFF.. Not sure if this is a valid way to go though...

    <?php
    extract($_SERVER);
    extract($_ENV);
    extract($_GET);
    extract($_POST);
    extract($_REQUEST);
    ?>

Regards,
Pat

Davy Obdam [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
Hello people,
On my development machine (win XP/Apache 2.0.44/PHP 4.3.0/MySQL 3.23.55) I have several websites that I made some time ago that require register globals to be On in the php.ini. Of course I know that's not a good idea at all for security, but rewriting all this code is not an option. However, in my php.ini I have set register globals to Off because that is better. Is it possible to configure my webserver/php so that only those sites that require register globals to be On have that setting, for instance in a .htaccess file?? Any help is appreciated :-)
Best regards,
Davy Obdam
mailto:[EMAIL PROTECTED]
Re: [PHP] Re: Register globals on and off
On Sun, 2 Feb 2003, Pat Johnston wrote:
I've read that an include file in each of your pages with the lines below should do the trick for you with register_globals OFF.. Not sure if this is a valid way to go though...

    <?php
    extract($_SERVER);
    extract($_ENV);
    extract($_GET);
    extract($_POST);
    extract($_REQUEST);
    ?>

Whoever told you this should be shot as this is an enormous security hole! The above is a security hole much larger than register_globals could ever hope to be. That and it's silly to attempt to mimic register_globals at runtime.

The above is insecure in that it will overwrite web server variables ($_SERVER) with request variables such as those from $_GET. This is TERRIBLE!!! Just imagine this as just an example:

    http://www.example.com/a.php?PHP_SELF=http://www.foo.com

In the above scenario, this would create $PHP_SELF first from $_SERVER, then it'd be overwritten by the $_GET and then by the $_REQUEST that had the GET in it. So this makes it inefficient and insecure :) A better example exists but anyway this should show a nice point (like maybe PHP_AUTH_PW or REMOTE_USER).

Anyway, sorry for the rant but it's just that whoever told you that should not tell anyone anything related to this topic. The best options are:

a) rewrite the code or
b) set register_globals with .htaccess or php.ini or in virtualhost in httpd.conf
http://www.php.net/manual/en/configuration.changes.php

Now if you must set it at runtime (please do not do this) then you could try this:

    // THIS IS NOT RECOMMENDED
    if (!ini_get('register_globals')) {
        $types_to_register = array('GET', 'POST', 'COOKIE', 'SESSION', 'SERVER');
        foreach ($types_to_register as $type) {
            if (@count(${'HTTP_' . $type . '_VARS'}) > 0) {
                extract(${'HTTP_' . $type . '_VARS'}, EXTR_OVERWRITE);
            }
        }
    }
    // THIS IS NOT RECOMMENDED

Although it doesn't depend on the variables_order directive like register_globals does, it is flexible. Keep in mind that variables are written from first to last, so you certainly don't want GET coming after SERVER.

Regards,
Philip
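The overwrite Philip describes, reproduced with constructed stand-ins for $_SERVER and $_GET instead of a live request; this is an added example, not Philip's or Pat's code. The helper extracts each source in turn into its own scope and returns the resulting symbol table, so the effect of source order and of the EXTR_* flag can be compared directly.

```php
<?php
// Added example: show how extract() order decides which value survives.
// $server and $get below are constructed stand-ins, not real request data.

function merge_like_register_globals(array $sources, int $flags): array
{
    foreach ($sources as $vars) {
        extract($vars, $flags);          // writes into this function's scope
    }
    $result = get_defined_vars();
    unset($result['sources'], $result['vars'], $result['flags']);
    return $result;
}

// What the web server set, and what a visitor put in the query string.
$server = ['PHP_SELF' => '/a.php', 'REMOTE_USER' => 'alice'];
$get    = ['PHP_SELF' => 'http://www.foo.com', 'REMOTE_USER' => 'admin'];

// Pat's include: SERVER first, then GET, with the default EXTR_OVERWRITE.
// The request's value is written last and replaces the server's.
$r1 = merge_like_register_globals([$server, $get], EXTR_OVERWRITE);
echo $r1['PHP_SELF'], "\n";      // http://www.foo.com
echo $r1['REMOTE_USER'], "\n";   // admin

// GET first, SERVER last: the server's values are written last and win.
$r2 = merge_like_register_globals([$get, $server], EXTR_OVERWRITE);
echo $r2['REMOTE_USER'], "\n";   // alice

// Same order as Pat's include, but EXTR_SKIP refuses to overwrite a
// variable that already exists, so the server's values survive.
$r3 = merge_like_register_globals([$server, $get], EXTR_SKIP);
echo $r3['PHP_SELF'], "\n";      // /a.php
```

Either way the thread's advice stands: fix the configuration or the code rather than rebuilding register_globals at runtime; the example only makes the ordering hazard visible.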