[PHP] Re: Register Globals (more)

2005-11-05 Thread Bogdan Ribic

John Taylor-Johnston wrote:

 How do I rebuild this piece of code to be register_globals=off friendly?
 Just when I thought I was getting good. This keeps up, I'm changing back 
 the php.ini myself.

 John

If your code absolutely needs register_globals and you don't have the 
time to rewrite it, do this:


@import_request_variables('GPC', '');

Note that the @ is there to suppress the error message about the 
non-recommended usage of the function, i.e. with no prefix.


--

   Open source PHP code generator for DB operations
   http://sourceforge.net/projects/bfrcg/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: Register Globals

2005-11-05 Thread Unknown Unknown
why not
extract($_POST);
and use your old code or something like that,
same thing really if the code doesn't work


[PHP] Re: Register Globals

2005-11-04 Thread Curt Zirzow
On Thu, 03 Nov 2005 21:17:39 -0500, John Taylor-Johnston wrote:

 Ok, you are all used to working with register_globals=off.
 
 mail($to, stripslashes($subject), wordwrap($message, 60), "From: $from\r\n");
 
 I change this line to:
 
 mail($to, stripslashes($_POST['subject']), wordwrap($_POST['message'], 60),
      "From: $_POST[from]\r\n");

You do realize you have an open relay. I can send in the post data:

subject=I%20Love%20You&from=something\r\nBCC:moreaddresses&message=a_mime_encoded_virus

Don't trust tainted variables, you should really fix that.


Curt.
-- 
http://news.zirzow.dyndns.org/
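The same mail() call with the header-injection path that Curt describes closed off. This is an added example, not code from John or Curt; the form field names and $to come from the thread, while clean_header_value() and valid_sender() are helper names chosen here. It refuses any header value containing CR, LF or NUL (the bytes the injected BCC line depends on), validates the sender as a bare address, keeps the recipient fixed in the script, and logs rejected submissions so abuse attempts show up in the error log.

```php
<?php
// Added example, not from the thread. Helper names are ours; $to is fixed by
// the script rather than taken from the request.

function clean_header_value(string $value): string
{
    // A mail header is a single line. Reject, rather than silently strip,
    // anything carrying a line break or NUL: that is what a smuggled
    // "\r\nBCC: ..." relies on, and silent stripping hides the attempt.
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

function valid_sender(string $from): string
{
    $from = clean_header_value($from);
    // FILTER_VALIDATE_EMAIL accepts only a bare address: no display name,
    // no angle brackets, and nothing that could be read as a second header.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid From address');
    }
    return $from;
}

// The recipient is never taken from the request; that alone removes the
// "send to anyone" half of an open relay.
$to = 'webmaster@example.com';

try {
    $from    = valid_sender($_POST['from'] ?? '');
    $subject = clean_header_value($_POST['subject'] ?? '');
    // The body is allowed to contain newlines; it is not a header.
    $message = wordwrap($_POST['message'] ?? '', 60);
} catch (InvalidArgumentException $e) {
    // Log enough to spot a probing client, then refuse the request.
    error_log(sprintf('mail form rejected from %s: %s',
        $_SERVER['REMOTE_ADDR'] ?? '-', $e->getMessage()));
    http_response_code(400);
    exit('Bad input');
}

mail($to, $subject, $message, "From: $from\r\n");
```

The original stripslashes() call is dropped because it only existed to undo magic_quotes; with that directive gone, it would corrupt legitimate backslashes. Rejecting instead of stripping is deliberate: a subject that arrives with an embedded line break is not a user typo, and a 400 plus a log line is the cheapest detection signal this form can produce.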




Re: [PHP] Re: Register globals and ini_set

2005-07-10 Thread Richard Lynch
On Fri, July 8, 2005 6:50 am, Jason Barnett said:
 [EMAIL PROTECTED] wrote:
 But what you *can* do, is to ini_get('register_globals') and have your
 script act accordingly.  You could for example extract() your $_GET and
 $_POST variables.

 http://php.net/manual/en/function.extract.php

If *ALL* you're gonna do is:
<?php
  extract($_GET);
  extract($_POST);
?>

you might as well just turn register_globals *ON* and forget about Security.

You *MUST* use the new-fangled optional argument to specify which
variables you are expecting, at a minimum.

You also should scrub your data:

Typecast any data that has to be integer to (int).  If it's different from
the original input data, bail out.

Check the length of any fixed-length data.  md5 hashes should be 32 chars.
US states are 2-char.  Country-codes, 2 char, etc.

Make a string of what you consider kosher characters for text typed in:
<?php
  $kosher = '/[^a-zA-Z0-9\'\\.,:\\?;_-]/';
?>

Use that $kosher to preg_replace every input:
$bio = preg_replace($kosher, '', $_POST['bio']);



-- 
Like Music?
http://l-i-e.com/artists.htm
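The checks Richard lists (expect only named variables, round-trip integers through (int), verify fixed-length fields, scrub free text with $kosher) gathered into one allow-list pass over a request array. This is an added example and not Richard's code: the $kosher pattern is his, while scrub(), the $rules table and the sample request are constructed here.

```php
<?php
// Added example, not the poster's code. $kosher is the pattern from the
// post; scrub() and the $rules table are our own design.

$kosher = '/[^a-zA-Z0-9\'\\.,:\\?;_-]/';

// The allow-list: a field not listed here never becomes a variable, which
// is the part a bare extract($_POST) gets wrong.
$rules = [
    'user_id' => ['type' => 'int'],
    'state'   => ['type' => 'fixed', 'length' => 2],
    'digest'  => ['type' => 'fixed', 'length' => 32],
    'bio'     => ['type' => 'text',  'max' => 2000],
];

function scrub(array $input, array $rules, string $kosher): array
{
    $clean = [];
    foreach ($rules as $name => $rule) {
        if (!isset($input[$name]) || !is_string($input[$name])) {
            throw new InvalidArgumentException("missing or non-scalar field: $name");
        }
        $raw = $input[$name];
        switch ($rule['type']) {
            case 'int':
                // Cast, then compare with the original as a string:
                // '12abc' casts to 12, and '12' !== '12abc', so the value
                // is rejected instead of being quietly truncated.
                $n = (int) $raw;
                if ((string) $n !== $raw) {
                    throw new InvalidArgumentException("$name is not an integer");
                }
                $clean[$name] = $n;
                break;
            case 'fixed':
                // Fixed-length values (state codes, md5 hashes) are checked,
                // never repaired: a wrong length or a forbidden byte bails out.
                if (strlen($raw) !== $rule['length'] || preg_match($kosher, $raw)) {
                    throw new InvalidArgumentException("$name is malformed");
                }
                $clean[$name] = $raw;
                break;
            case 'text':
                // Free text is scrubbed with $kosher and capped in length.
                $clean[$name] = substr(preg_replace($kosher, '', $raw), 0, $rule['max']);
                break;
        }
    }
    return $clean;
}

// Constructed sample request standing in for $_POST.
$sample = [
    'user_id' => '42',
    'state'   => 'NY',
    'digest'  => str_repeat('ab', 16),
    'bio'     => "Likes PHP & <b>coffee</b>\r\n",
    'debug'   => '1',   // not in $rules, so it is dropped on the floor
];

$vars = scrub($sample, $rules, $kosher);

// Only now is extract() acceptable: every key came from $rules, not from
// the client, so nothing unexpected lands in the symbol table.
extract($vars);
```

With this sample, user_id becomes the integer 42, state and digest pass unchanged, debug is discarded, and bio is reduced to the letters and digits the pattern permits. Note that $kosher as written also strips spaces, so a form that needs sentences would add a space to the class; the point of the example is that the decision is made per field, once, before any variable is created.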




[PHP] Re: Register globals and ini_set

2005-07-08 Thread Jason Barnett

[EMAIL PROTECTED] wrote:

Hi,

If i use, at the beginning of my scripts, ini_set('register_globals', 0), 
register globals will be turned off?

Thanks


ini_set() just doesn't make sense for that directive.  register_globals 
takes the input data from HTTP requests and sets them in the symbol 
table before any of your PHP code gets parsed.  PHP has already done the 
work.  Doesn't seem too terribly efficient to just throw all of that 
away on every script invocation, now does it?


But what you *can* do, is to ini_get('register_globals') and have your 
script act accordingly.  You could for example extract() your $_GET and 
$_POST variables.


http://php.net/manual/en/function.extract.php

--
NEW? | http://www.catb.org/~esr/faqs/smart-questions.html
STFA | http://marc.theaimsgroup.com/?l=php-generalw=2
STFM | http://php.net/manual/en/index.php
STFW | http://www.google.com/search?q=php




[PHP] Re: register globals question

2003-08-29 Thread Kae Verens
Merlin wrote:
Hello,

I am wondering if an application written to work with register globals 
set to off ($_GET[variable] etc.) would work with a system, where 
register globals is set to on?
yes.

Kae



[PHP] Re: Register globals on and off

2003-02-01 Thread Pat Johnston
I've read that an include file in each of your pages with the lines below
should do the trick for you with register_globals OFF..

Not sure if this is a valid way to go though...

<?php
 extract($_SERVER);
 extract($_ENV);
 extract($_GET);
 extract($_POST);
 extract($_REQUEST);
?>

Regards, Pat



Davy Obdam [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Hello people,

 On my development machine (win XP/Apache 2.0.44/PHP 4.3.0/MySQL 3.23.55)
 I have several websites that I made some time ago that require register
 globals to be On in the php.ini. Of course I know that's not a good idea
 at all for security, but rewriting all this code is not an option.
 However in my php.ini I have set register globals to Off because that's
 better. Is it possible to configure my webserver/php so that only those
 sites that require register globals to be On have that setting, for
 instance in a .htaccess file?? Any help is appreciated:-)

 Best regards,

 Davy Obdam
 mailto:[EMAIL PROTECTED]









Re: [PHP] Re: Register globals on and off

2003-02-01 Thread Philip Olson

On Sun, 2 Feb 2003, Pat Johnston wrote:

 I've read that an include file in each of your pages with the lines below
 should do the trick for you with register_globals OFF..
 
 Not sure if this is a valid way to go though...
 
 <?php
  extract($_SERVER);
  extract($_ENV);
  extract($_GET);
  extract($_POST);
  extract($_REQUEST);
 ?>

Whoever told you this should be shot as this is an enormous
security hole!  The above is a security hole much larger 
than register_globals could ever hope to be.  That and it's 
silly to attempt to mimic register_globals at runtime.

The above is insecure in that it will overwrite web server 
variables ($_SERVER) with request variables such as those 
from $_GET.  This is TERRIBLE!!!  Just imagine this as
just an example:

  http://www.example.com/a.php?PHP_SELF=http://www.foo.com

In the above scenario, this would create $PHP_SELF
first from $_SERVER then it'd be overwritten by the
$_GET and then by the $_REQUEST that had the GET in
it.  So this makes it inefficient and insecure :) A
better example exists but anyway this should show a
nice point (like maybe PHP_AUTH_PW or REMOTE_USER).

Anyway, sorry for the rant but it's just that whoever
told you that should not tell anyone anything related
to this topic.

The best options are:
  a) rewrite the code or
  b) set register_globals with .htaccess or php.ini
 or in virtualhost in httpd.conf

  http://www.php.net/manual/en/configuration.changes.php

Now if you must set it at runtime (please do not do this)
then you could try this:

 // THIS IS NOT RECOMMENDED
 if (!ini_get('register_globals')) {
   $types_to_register = array('GET', 'POST', 'COOKIE',
                              'SESSION', 'SERVER');
   foreach ($types_to_register as $type) {
     // $HTTP_GET_VARS etc. are the old long-form arrays; this runs at
     // file scope, where they are visible without a global declaration.
     if (@count(${'HTTP_' . $type . '_VARS'}) > 0) {
       extract(${'HTTP_' . $type . '_VARS'}, EXTR_OVERWRITE);
     }
   }
 }
 // THIS IS NOT RECOMMENDED

Although it doesn't depend on the variables_order directive
like register_globals does, it is flexible.  Keep in mind
that variables are written from first to last so you
certainly don't want GET coming after SERVER.

Regards,
Philip
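Philip's PHP_SELF overwrite, replayed on constructed arrays standing in for $_SERVER and $_GET, beside the two extract() flags that prevent it. This is an added example, not Philip's or Pat's code: simulate() and the sample arrays are constructed here, and the flags EXTR_SKIP and EXTR_PREFIX_ALL are documented extract() options. The prefixed form is the same isolation that Bogdan's import_request_variables() note earlier on this page asks for when it warns against calling it with an empty prefix.

```php
<?php
// Added example, not from the thread. simulate() and the two arrays are
// constructed; the flags are standard extract() options.

function simulate(array $server, array $get, int $flags, string $prefix = ''): array
{
    // Each extract() runs in this function's own scope, so nothing leaks
    // into the global symbol table; get_defined_vars() reports the result.
    extract($server, EXTR_OVERWRITE);
    extract($get, $flags, $prefix);
    $vars = get_defined_vars();
    unset($vars['server'], $vars['get'], $vars['flags'], $vars['prefix']);
    return $vars;
}

// Constructed request for the URL in the post:
//   http://www.example.com/a.php?PHP_SELF=http://www.foo.com
// plus a second key that mimics an authenticated user.
$server = ['PHP_SELF' => '/a.php', 'REMOTE_USER' => 'alice'];
$get    = ['PHP_SELF' => 'http://www.foo.com', 'REMOTE_USER' => 'admin', 'page' => '2'];

// 1. What the include file in the thread does: the later extract() wins,
//    so the client-supplied PHP_SELF and REMOTE_USER replace the server's.
$clobbered = simulate($server, $get, EXTR_OVERWRITE);

// 2. EXTR_SKIP: a request key never replaces a variable that already
//    exists, so server values survive and only genuinely new keys ($page)
//    come through.
$skipped = simulate($server, $get, EXTR_SKIP);

// 3. EXTR_PREFIX_ALL: every request value lands under its own prefix
//    ($get_PHP_SELF, $get_page), so a collision is impossible by name.
$prefixed = simulate($server, $get, EXTR_PREFIX_ALL, 'get');

// Print the three outcomes side by side for inspection.
foreach (['overwrite' => $clobbered, 'skip' => $skipped, 'prefix' => $prefixed] as $label => $vars) {
    echo $label, ': ', json_encode($vars), PHP_EOL;
}
```

Running it shows the first result carrying http://www.foo.com as PHP_SELF and admin as REMOTE_USER, the second keeping /a.php and alice while still exposing $page, and the third keeping both server values with the request copies under the get_ prefix. Ordering the extracts so that SERVER comes last would also fix the specific overwrite, but it still lets an unrelated request key shadow any variable the script defines earlier, which is why a prefix or an explicit allow-list is the durable answer.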



 Davy Obdam [EMAIL PROTECTED] wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Hello people,
 
  On my development machine (win XP/Apache 2.0.44/PHP 4.3.0/MySQL 3.23.55)
  i have several websites that i made some time ago that require register
  globals to be On in the php.ini. Ofcourse i know thats not a good idea
  at all for security, but rewriting all this code is not an option.
  However in my php.ini i have set register globals to Off because that
  better. Is it possible to configure my webserver/php so that only those
  sites that require register globals to be On have that setting, for
  instance in a .htacces file?? Any help is appreciated:-)
 
  Best regards,
 
  Davy Obdam
  mailto:[EMAIL PROTECTED]
 
 
 
 
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 

