Re: [PHP] register_globals and sessions
On Wed, Nov 25, 2009 at 3:01 PM, Allen McCabe allenmcc...@gmail.com wrote:
> *Warning*: Unknown: Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively in *Unknown* on line *0*

It sounds like you're trying to use $_SESSION without having a session_start() call first.

> I have Googled this extensively, and the solutions other people tried (turning off the warning) don't work for me; I don't have permission to my PHP settings (currently working on a free-hosted site).

There are many settings that can be changed using the function ini_set (http://php.net/ini_set) and display_errors is one of them.

That said, it is always best to fix stuff like this rather than just hiding it. When you just hide errors/warnings/notices things don't always work reliably.

HTH,
Brady

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals and magic_quotes_gpc (again)
Are you running PHP as a Module or as CGI or FCGI?

Look at phpinfo() output to be SURE.

If it's not running as a Module, none of those directives are defined, because Apache (which implements .htaccess) has no friggin' idea what php_value or php_flag is without PHP Module there to tell it.

On Wed, June 6, 2007 11:06 pm, Afan Pasalic wrote:
> hi,
> this question is already posted a thousand times. but, after I tried for 2 hours to figure it out, I gave up and posted the question here.
> I'm rebuilding one site. php 4.4.4 as usual, register_globals on, as well as magic_quotes. I tried to turn it off using .htaccess but whatever I change in the (already existing) file, I would get 500 Internal Server Error
> this is content of the .htaccess file:
>
> # -FrontPage-
> IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
> <Limit GET POST>
> order deny,allow
> deny from all
> allow from all
> </Limit>
> <Limit PUT DELETE>
> order deny,allow
> deny from all
> </Limit>
> AuthName mkl1332
> AuthUserFile /u/web/afan/_vti_pvt/service.pwd
> AuthGroupFile /u/web/afan/_vti_pvt/service.grp
>
> and I tried to add
> php_flag register_globals Off
> and it doesn't work (500 internal server error)
> I tried with register_global 0 - same thing.
> could you please point me where to look after?
> thanks for any help.
> -afan

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
Re: [PHP] register_globals and magic_quotes_gpc (again)
On 6/7/07, Afan Pasalic [EMAIL PROTECTED] wrote:
> hi,
> this question is already posted a thousand times. but, after I tried for 2 hours to figure it out, I gave up and posted the question here.
> I'm rebuilding one site. php 4.4.4 as usual, register_globals on, as well as magic_quotes. I tried to turn it off using .htaccess but whatever I change in the (already existing) file, I would get 500 Internal Server Error
> this is content of the .htaccess file:
>
> # -FrontPage-
> IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
> <Limit GET POST>
> order deny,allow
> deny from all
> allow from all
> </Limit>
> <Limit PUT DELETE>
> order deny,allow
> deny from all
> </Limit>
> AuthName mkl1332
> AuthUserFile /u/web/afan/_vti_pvt/service.pwd
> AuthGroupFile /u/web/afan/_vti_pvt/service.grp
>
> and I tried to add
> php_flag register_globals Off
> and it doesn't work (500 internal server error)
> I tried with register_global 0 - same thing.
> could you please point me where to look after?
> thanks for any help.
> -afan

Are you sure the rest of your .htaccess file is correct? And what does your Apache error log show you? there should be an error...

Tijnema
Re: [PHP] register_globals and magic_quotes_gpc (again)
Tijnema wrote:
> On 6/7/07, Afan Pasalic [EMAIL PROTECTED] wrote:
> > hi,
> > this question is already posted a thousand times. but, after I tried for 2 hours to figure it out, I gave up and posted the question here.
> > I'm rebuilding one site. php 4.4.4 as usual, register_globals on, as well as magic_quotes. I tried to turn it off using .htaccess but whatever I change in the (already existing) file, I would get 500 Internal Server Error
> > this is content of the .htaccess file:
> >
> > # -FrontPage-
> > IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
> > <Limit GET POST>
> > order deny,allow
> > deny from all
> > allow from all
> > </Limit>
> > <Limit PUT DELETE>
> > order deny,allow
> > deny from all
> > </Limit>
> > AuthName mkl1332
> > AuthUserFile /u/web/afan/_vti_pvt/service.pwd
> > AuthGroupFile /u/web/afan/_vti_pvt/service.grp
> >
> > and I tried to add
> > php_flag register_globals Off
> > and it doesn't work (500 internal server error)
> > I tried with register_global 0 - same thing.
> > could you please point me where to look after?
> > thanks for any help.
> > -afan
>
> Are you sure the rest of your .htaccess file is correct? And what does your Apache error log show you? there should be an error...
>
> Tijnema

The .htaccess file is original, from the hosting company, pre-installed.
I can't access the apache error log.

-afan
Re: [PHP] register_globals and passing variables
Hi Jeff,

You want to leave register_globals OFF. Depending on how $charid is passed, you want to use $_POST or $_GET:

$charid = $_POST['charid'];
or
$charid = $_GET['charid'];

I think you'll need to do the same for your $db_select variable.

Is that what you're after?

Regards,
Bruce

Jeff [EMAIL PROTECTED] 14/03/2007 4:01 p.m.
> Ok, all I am new to PHP & MySQL. (please don't let this scare you off)
>
> I had my site hosted with Gisol.com and due to their very poor service and tech support I left them for Lunarpages.com who so far have a better service and their tech support is excellent!! But my pages won't pass variables any more.
>
> When I started I purchased two books "MySQL" and "PHP & MySQL" both published by O'Reilly. So far they are excellent help and instructors. I wrote some pages where I track users and their characters from an on-line game called World of Warcraft. On the Gisol server they were working EXCELLENT!!
>
> Once I moved to Lunarpages, the pages load ok but they don't pass the variables from one page to another. The below code queries the db and lists the users in a table, and has a hyperlink to the right of each, on Gisol I could click the link and it would load the view_char.php page and it listed their character and the info I needed, and gave options to delete and edit. Again it was working beautifully.
>
> VIEW USERS PAGE CODE:
>
> $sql="SELECT f_name, l_name, char_id, char_name, char_level FROM t_char, t_users where t_users.user_id = t_char.user_link ORDER BY char_name ASC";
> mysql_select_db($db_select,$db);
> $result = mysql_query($sql,$db);
> echo "<TABLE border=2>";
> echo "<TR><TD><B>Character Name</B><TD><B>Character Level</B><TD><B>Owner</B></TR>";
> while ($myrow = mysql_fetch_array($result)) {
>   echo "<TR><TD>".$myrow[char_name]."<TD>".$myrow[char_level]."<TD>".$myrow[f_name]." ".$myrow[l_name];
>   echo "<TD><A href=\"view_char.php?charid=".$myrow[char_id]."\">View</A>";
> }
> //$charid="[".$myrow[char_id]."]"; - I tried this line with no success. Possibly have it in the wrong place??
> echo "</TABLE>";
>
> VIEW_CHAR PAGE CODE
>
> $sql = "SELECT * FROM `t_char` WHERE `t_char`.`char_id` = '$charid'"; -- now all this does is produce a blank page... used to work great!
> //$sql = "SELECT * FROM `t_char` WHERE `t_char`.`char_id` = '21'"; - I used this code to test the page w/o the $charid string and it works FINE!!
> $result=mysql_query( $sql );
> if (!$result) {
>   die("Could not query the database: <br />".mysql_error());
> }
>
> I wrote a help ticket to Lunarpages where I am now hosted and asked them to set the register_globals to ON thinking this was the problem based on what I've read and they wrote back and told me that they use suPHP to parse php files and I have the option of using custom php.ini files. That I could create a .htaccess file or put individual php.ini files in the folder that contains the files I'm running. In other words do it myself.
>
> So I created this file:
>
> [PHP]
> register_globals = on
>
> named it php.ini and dropped it in the folder with all of my files. It didn't help any. So I added this line to the first file
>
> include ('php.ini');
>
> all it does is add "[PHP] register_globals = on" as text at the top of my page now.
>
> At this point I'm lost!! I don't know what to do to get my <A href=\"view_char.php?charid=".$myrow[char_id]." to equal $charid in the following pages.
>
> Any help you could provide me would GREATLY be APPRECIATED!!!
>
> Signed,
> I'm trying
Re: [PHP] register_globals and passing variables
Firstly, welcome to PHP. :-)

Secondly, that's not how you would enable register_globals if they're not enabled.

Thirdly, you do not want to turn on register_globals. register globals are a security risk. They're disabled by default on any recent (within the past 5 years) version of PHP, although some web hosts foolishly turn them on to be compatible with code written 8 years ago that shouldn't be used anymore. :-)

Instead, access the proper super-global to get the data you want. For instance:

$_GET['charid']

Will have the value of the charid GET parameter passed on the URL like so:

http://example.com/index.php?charid=5

There's also $_POST['charid'], which would check just a POST request. Use those instead of just $charid.

Also, you'll want to ensure that they're the data type you expect to avoid SQL injection, a security risk. For instance, assuming you know the character ID will be an integer:

$charid = (int)$_GET['charid'];

Or even better:

$charid = isset($_GET['charid']) ? (int)$_GET['charid'] : 0;

That's the ternary operator, which is useful for setting defaults in cases where, for instance, no charid was passed at all. That way you get back a 0, so you know you have a value and that it's an integer.

Thank you for taking PHP Security 101 in a Nutshell. :-)

Cheers.

On Tuesday 13 March 2007 10:01 pm, Jeff wrote:
> Ok, all I am new to PHP & MySQL. (please don't let this scare you off)
>
> I had my site hosted with Gisol.com and due to their very poor service and tech support I left them for Lunarpages.com who so far have a better service and their tech support is excellent!! But my pages won't pass variables any more.
>
> When I started I purchased two books "MySQL" and "PHP & MySQL" both published by O'Reilly. So far they are excellent help and instructors. I wrote some pages where I track users and their characters from an on-line game called World of Warcraft. On the Gisol server they were working EXCELLENT!!
>
> Once I moved to Lunarpages, the pages load ok but they don't pass the variables from one page to another. The below code queries the db and lists the users in a table, and has a hyperlink to the right of each, on Gisol I could click the link and it would load the view_char.php page and it listed their character and the info I needed, and gave options to delete and edit. Again it was working beautifully.
>
> VIEW USERS PAGE CODE:
>
> $sql="SELECT f_name, l_name, char_id, char_name, char_level FROM t_char, t_users where t_users.user_id = t_char.user_link ORDER BY char_name ASC";
> mysql_select_db($db_select,$db);
> $result = mysql_query($sql,$db);
> echo "<TABLE border=2>";
> echo "<TR><TD><B>Character Name</B><TD><B>Character Level</B><TD><B>Owner</B></TR>";
> while ($myrow = mysql_fetch_array($result)) {
>   echo "<TR><TD>".$myrow[char_name]."<TD>".$myrow[char_level]."<TD>".$myrow[f_name]." ".$myrow[l_name];
>   echo "<TD><A href=\"view_char.php?charid=".$myrow[char_id]."\">View</A>";
> }
> //$charid="[".$myrow[char_id]."]"; - I tried this line with no success. Possibly have it in the wrong place??
> echo "</TABLE>";
>
> VIEW_CHAR PAGE CODE
>
> $sql = "SELECT * FROM `t_char` WHERE `t_char`.`char_id` = '$charid'"; -- now all this does is produce a blank page... used to work great!
> //$sql = "SELECT * FROM `t_char` WHERE `t_char`.`char_id` = '21'"; - I used this code to test the page w/o the $charid string and it works FINE!!
> $result=mysql_query( $sql );
> if (!$result) {
>   die("Could not query the database: <br />".mysql_error());
> }
>
> I wrote a help ticket to Lunarpages where I am now hosted and asked them to set the register_globals to ON thinking this was the problem based on what I've read and they wrote back and told me that they use suPHP to parse php files and I have the option of using custom php.ini files. That I could create a .htaccess file or put individual php.ini files in the folder that contains the files I'm running. In other words do it myself.
>
> So I created this file:
>
> [PHP]
> register_globals = on
>
> named it php.ini and dropped it in the folder with all of my files. It didn't help any. So I added this line to the first file
>
> include ('php.ini');
>
> all it does is add "[PHP] register_globals = on" as text at the top of my page now.
>
> At this point I'm lost!! I don't know what to do to get my <A href=\"view_char.php?charid=".$myrow[char_id]." to equal $charid in the following pages.
>
> Any help you could provide me would GREATLY be APPRECIATED!!!
>
> Signed,
> I'm trying

-- 
Larry Garfield			AIM: LOLG42
[EMAIL PROTECTED]		ICQ: 6817012

"If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it."  -- Thomas Jefferson
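The view_char.php side of Larry's advice, written out as an added example for this thread (not Jeff's code and not Larry's): charid is read from $_GET by name, cast with a default of 0 exactly as above, rejected when it is not a positive id, and then bound as a query parameter instead of being interpolated into the SQL string. The t_char table and its columns come from Jeff's message; the mysqli connection details are placeholders.

```php
<?php
// Hardened view_char.php: explicit source ($_GET), integer coercion with a
// default, an early reject, a bound parameter, and escaped output.
// Added example for this thread; the DB credentials below are placeholders.
declare(strict_types=1);

// 1. Take the value only from the query string, never from a global that
//    register_globals (or extract()) could have filled from any request data.
//    (int) turns "21abc" into 21 and "abc" into 0, so a non-numeric charid
//    can never reach the query as SQL text.
$charid = isset($_GET['charid']) ? (int)$_GET['charid'] : 0;

// 2. Reject the default explicitly rather than running a query for id 0.
if ($charid <= 0) {
    http_response_code(400);
    exit('Missing or invalid charid.');
}

// 3. Assumed connection details: placeholders, replace with your own.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    http_response_code(500);
    exit('Could not connect to the database.');
}

// 4. $charid is already an int, but binding it keeps the query shape fixed
//    before any client data is involved, which is the habit worth keeping.
$stmt = $db->prepare('SELECT char_id, char_name, char_level FROM t_char WHERE char_id = ?');
$stmt->bind_param('i', $charid);
$stmt->execute();
$stmt->bind_result($id, $name, $level);
$found = $stmt->fetch();   // true = row, null = no row, false = error
$stmt->close();

if ($found !== true) {
    http_response_code(404);
    exit('No such character.');
}

// 5. Escape on output so a character name containing markup renders as text.
echo '<h1>', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), '</h1>';
echo '<p>Level ', (int)$level, ' (id ', (int)$id, ')</p>';

// The link on the listing page is built the same way, from a cast integer:
//   echo '<a href="view_char.php?charid=' . (int)$row['char_id'] . '">View</a>';
```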
Re: [PHP] register_globals
Hello,

Sunday, April 4, 2004, 1:17:53 AM, you wrote:

n> Why i can't change register_globals value with ini_set()?

Because it's a system level configuration value - you cannot change it in your scripts. register_globals supports PHP_INI_PERDIR and PHP_INI_SYSTEM - meaning it can only be changed in the php.ini file or an htaccess file.

-- 
Best regards,
Richard Davey
http://www.phpcommunity.org/wiki/296.html
RE: [PHP] register_globals problem
[snip]
I have a webpage that needs to use some specific php.ini settings different from other php applications on my web server. I have created a .htaccess file with the following content:

php_flag register_globals 1
php_flag error_reporting E_ALL & ~E_NOTICE

It works fine, but only on Mozilla and Netscape. Internet explorer cannot process the content of this web page. The URL is http://e-technics.com/dorna/ . Anyone knows the remedy for this strange behaviour?
[/snip]

Since PHP is server-side and IE is client-side it is probably not a problem with PHP. (I was able to replicate the problem you described) It could be a problem with Apache though, try adding

AddType application/x-httpd-php .php

to the .htaccess file. I don't think that will solve the problem though. Put a page in that directory called test.php with only

<?php phpinfo(); ?>

and see if that will load properly. I have also seen this problem caused by JavaScript (you'll have to ask on a JavaScript list)
Re: [PHP] register_globals problem
Jay Blanchard wrote:
> [snip]
> I have a webpage that needs to use some specific php.ini settings different from other php applications on my web server. I have created a .htaccess file with the following content:
>
> php_flag register_globals 1
> php_flag error_reporting E_ALL & ~E_NOTICE
>
> It works fine, but only on Mozilla and Netscape. Internet explorer cannot process the content of this web page. The URL is http://e-technics.com/dorna/ . Anyone knows the remedy for this strange behaviour?
> [/snip]
>
> Since PHP is server-side and IE is client-side it is probably not a problem with PHP. (I was able to replicate the problem you described) It could be a problem with Apache though, try adding
>
> AddType application/x-httpd-php .php
>
> to the .htaccess file. I don't think that will solve the problem though. Put a page in that directory called test.php with only
>
> <?php phpinfo(); ?>
>
> and see if that will load properly. I have also seen this problem caused by JavaScript (you'll have to ask on a JavaScript list)

It doesn't work at all if I put

AddType application/x-httpd-php .php
RE: [PHP] register_globals problem
[snip]
> Put a page in that directory called test.php with only
>
> <?php phpinfo(); ?>

It doesn't work at all if I put

AddType application/x-httpd-php .php
[/snip]

Did you try the test.php above?
RE: [PHP] register_globals problem
The only problem I see with that is that you're using the constants E_ALL and E_NOTICE in the .htaccess file. You can't use constants there, you need to use the actual number. (2047 & ~8) == 2039:

php_flag register_globals 1
php_flag error_reporting 2039

Chris

-----Original Message-----
From: Bogdan Albei [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 4:43 AM
To: [EMAIL PROTECTED]
Subject: [PHP] register_globals problem

I have a webpage that needs to use some specific php.ini settings different from other php applications on my web server. I have created a .htaccess file with the following content:

php_flag register_globals 1
php_flag error_reporting E_ALL & ~E_NOTICE

It works fine, but only on Mozilla and Netscape. Internet explorer cannot process the content of this web page. The URL is http://e-technics.com/dorna/ . Anyone knows the remedy for this strange behaviour?

Bogdan Albei
eTechnics
www.e-technics.com
RE: [PHP] register_globals problem
Heh, sorry about that.. one more thing, php_flag is only for boolean values, this should work:

php_flag register_globals on
php_value error_reporting 2039

-----Original Message-----
From: Chris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] register_globals problem

The only problem I see with that is that you're using the constants E_ALL and E_NOTICE in the .htaccess file. You can't use constants there, you need to use the actual number. (2047 & ~8) == 2039:

php_flag register_globals 1
php_flag error_reporting 2039

Chris

-----Original Message-----
From: Bogdan Albei [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 4:43 AM
To: [EMAIL PROTECTED]
Subject: [PHP] register_globals problem

I have a webpage that needs to use some specific php.ini settings different from other php applications on my web server. I have created a .htaccess file with the following content:

php_flag register_globals 1
php_flag error_reporting E_ALL & ~E_NOTICE

It works fine, but only on Mozilla and Netscape. Internet explorer cannot process the content of this web page. The URL is http://e-technics.com/dorna/ . Anyone knows the remedy for this strange behaviour?

Bogdan Albei
eTechnics
www.e-technics.com
Re: [PHP] register_globals problem
Jay Blanchard wrote:
> [snip]
> > Put a page in that directory called test.php with only
> >
> > <?php phpinfo(); ?>
>
> It doesn't work at all if I put
>
> AddType application/x-httpd-php .php
> [/snip]
>
> Did you try the test.php above?

Yes, I have. Doesn't work.
RE: [PHP] register_globals problem
[snip]
> Did you try the test.php above?

Yes, I have. Doesn't work.
[/snip]

Then your httpd.conf is not configured properly. It would appear to me that PHP is not working at all. I went to the URL in question and did not find this test page, so it will be hard for me to help you. Does PHP work anywhere on your server?
Re: [PHP] register_globals problem
Chris wrote:
> Heh, sorry about that.. one more thing, php_flag is only for boolean values, this should work:
>
> php_flag register_globals on
> php_value error_reporting 2039
>
> -----Original Message-----
> From: Chris [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 03, 2003 9:10 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [PHP] register_globals problem
>
> The only problem I see with that is that you're using the constants E_ALL and E_NOTICE in the .htaccess file. You can't use constants there, you need to use the actual number. (2047 & ~8) == 2039:
>
> php_flag register_globals 1
> php_flag error_reporting 2039
>
> Chris
>
> -----Original Message-----
> From: Bogdan Albei [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 03, 2003 4:43 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] register_globals problem
>
> I have a webpage that needs to use some specific php.ini settings different from other php applications on my web server. I have created a .htaccess file with the following content:
>
> php_flag register_globals 1
> php_flag error_reporting E_ALL & ~E_NOTICE
>
> It works fine, but only on Mozilla and Netscape. Internet explorer cannot process the content of this web page. The URL is http://e-technics.com/dorna/ . Anyone knows the remedy for this strange behaviour?
>
> Bogdan Albei
> eTechnics
> www.e-technics.com

It doesn't work. After all a script that contains only phpinfo() (e-technics.com/dorna/info.php) works OK, but the webpage, which is a PhpNuke, doesn't work.
RE: [PHP] register_globals problem
[snip]
It doesn't work. After all a script that contains only phpinfo() (e-technics.com/dorna/info.php) works OK, but the webpage, which is a PhpNuke, doesn't work.
[/snip]

Actually info.php works in IE and reports register_global is ON locally (within that directory). Therefore, as I stated earlier, it is not a PHP problem. It is either an Apache configuration problem or a problem within the HTML/CSS/JavaScript code that is hanging IE. I have seen both CSS and JavaScript do this behavior.
Re: [PHP] register_globals problem
Jay Blanchard wrote:
> [snip]
> It doesn't work. After all a script that contains only phpinfo() (e-technics.com/dorna/info.php) works OK, but the webpage, which is a PhpNuke, doesn't work.
> [/snip]
>
> Actually info.php works in IE and reports register_global is ON locally (within that directory). Therefore, as I stated earlier, it is not a PHP problem. It is either an Apache configuration problem or a problem within the HTML/CSS/JavaScript code that is hanging IE. I have seen both CSS and JavaScript do this behavior.

If I create a PHP environment such that I don't need to override register_globals and error_reporting with a .htaccess file it works just fine, so I guess the problem is in the .htaccess file.

I posted my httpd.conf file at http://e-technics.com/dorna/httpd.conf. If I comment the lines

<Directory /usr/local/apache/htdocs/dorna>
AllowOverride All
</Directory>

that make the override possible, the page works fine, but I don't have register_globals and error_reporting as I want them.
RE: [PHP] register_globals problem
[snip]
If I create a PHP environment such that I don't need to override register_globals and error_reporting with a .htaccess file it works just fine, so I guess the problem is in the .htaccess file.

I posted my httpd.conf file at http://e-technics.com/dorna/httpd.conf. If I comment the lines

<Directory /usr/local/apache/htdocs/dorna>
AllowOverride All
</Directory>

that make the override possible, the page works fine, but I don't have register_globals and error_reporting as I want them.
[/snip]

Actually, according to the info.php page for that directory register_globals is ON as you desire...correct?
Re: [PHP] register_globals problem
Jay Blanchard wrote:
> [snip]
> If I create a PHP environment such that I don't need to override register_globals and error_reporting with a .htaccess file it works just fine, so I guess the problem is in the .htaccess file.
>
> I posted my httpd.conf file at http://e-technics.com/dorna/httpd.conf. If I comment the lines
>
> <Directory /usr/local/apache/htdocs/dorna>
> AllowOverride All
> </Directory>
>
> that make the override possible, the page works fine, but I don't have register_globals and error_reporting as I want them.
> [/snip]
>
> Actually, according to the info.php page for that directory register_globals is ON as you desire...correct?

Correct, the .htaccess file overrides register_globals and error_reporting just fine but somehow Internet Explorer and Konqueror do not load the page.
RE: [PHP] register_globals problem
[snip]
> Actually, according to the info.php page for that directory register_globals is ON as you desire...correct?

Correct, the .htaccess file overrides register_globals and error_reporting just fine but somehow Internet Explorer and Konqueror do not load the page.
[/snip]

But IE and Konqueror both load the info.php correctly from my end. It is the index.php for Nukemods.com that gets hosed in those browsers.
Re: [PHP] register_globals problem
Jay Blanchard wrote:
> [snip]
> > Actually, according to the info.php page for that directory register_globals is ON as you desire...correct?
>
> Correct, the .htaccess file overrides register_globals and error_reporting just fine but somehow Internet Explorer and Konqueror do not load the page.
> [/snip]
>
> But IE and Konqueror both load the info.php correctly from my end. It is the index.php for Nukemods.com that gets hosed in those browsers.

So you're saying that index.php is broken? Then why does it get loaded fine if I delete the .htaccess file?
RE: [PHP] register_globals problem
[snip]
> But IE and Konqueror both load the info.php correctly from my end. It is the index.php for Nukemods.com that gets hosed in those browsers.

So you're saying that index.php is broken? Then why does it get loaded fine if I delete the .htaccess file?
[/snip]

That is exactly what I am saying. Is the .htaccess file deleted now? I'll go and see if it works. Leave both the index.php and the info.php in the directory.
Re: [PHP] register_globals problem
Jay Blanchard wrote:
> [snip]
> > But IE and Konqueror both load the info.php correctly from my end. It is the index.php for Nukemods.com that gets hosed in those browsers.
>
> So you're saying that index.php is broken? Then why does it get loaded fine if I delete the .htaccess file?
> [/snip]
>
> That is exactly what I am saying. Is the .htaccess file deleted now? I'll go and see if it works. Leave both the index.php and the info.php in the directory.

I've deleted the .htaccess file. Both index.php and info.php are in the directory.
Re: [PHP] register_globals security
Hi Fernando,

> I have a PHP application that passes variables (values) from a form.
> I get these using $_POST
>
> However I do also post some variables via a link. Which of course
> requires register_globals to be ON.

Do you mean variables in a URL, like this:

www.example.com/index.php?foo=1&bar=2

If so you can access these via the $_GET array and leave register_globals turned off.

Cheers
Jon
RE: [PHP] register_globals security
Thanks.

I don't see how this makes it more secure though?

The values are still picked up the same way from a URL

-----Original Message-----
From: Jon Haworth [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 13:28
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals security

Hi Fernando,

> I have a PHP application that passes variables (values) from a form.
> I get these using $_POST
>
> However I do also post some variables via a link. Which of course
> requires register_globals to be ON.

Do you mean variables in a URL, like this:

www.example.com/index.php?foo=1&bar=2

If so you can access these via the $_GET array and leave register_globals turned off.

Cheers
Jon
Re: [PHP] register_globals security
On Thu, Nov 13, 2003 at 01:55:08PM +0200, Fernando Melo wrote:
: Jon Haworth responded:
: 
: : Fernando Melo wrote:
: : 
: : I have a PHP application that passes variables (values) from a form.
: : I get these using $_POST
: : 
: : However I do also post some variables via a link. Which of course
: : requires register_globals to be ON.
: : 
: : Do you mean variables in a URL, like this:
: : www.example.com/index.php?foo=1&bar=2
: : 
: : If so you can access these via the $_GET array and leave
: : register_globals turned off.
: 
: Thanks.
: 
: I don't see how this makes it more secure though?
: 
: The values are still picked up the same way from a URL

If you want to prevent casual packet sniffing, you need to move your code to a SSL-enabled web server.

If you want to minimize data exchange between PHP pages via POST or GET methods, consider switching to sessions.

http://www.php.net/manual/en/ref.session.php
Re: [PHP] register_globals security
Hi,

There is also a $_REQUEST variable.

At the risk of starting another flame war: IMHO switching off register globals and relying on $_POST etc can lull you into a false sense of security.

Fernando Melo wrote:
> Thanks.
>
> I don't see how this makes it more secure though?
>
> The values are still picked up the same way from a URL
>
> -----Original Message-----
> From: Jon Haworth [mailto:[EMAIL PROTECTED]
> Sent: 13 November 2003 13:28
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] register_globals security
>
> Hi Fernando,
>
> > I have a PHP application that passes variables (values) from a form.
> > I get these using $_POST
> >
> > However I do also post some variables via a link. Which of course
> > requires register_globals to be ON.
>
> Do you mean variables in a URL, like this:
>
> www.example.com/index.php?foo=1&bar=2
>
> If so you can access these via the $_GET array and leave register_globals turned off.
>
> Cheers
> Jon

-- 
Raditha Dissanayake.
http://www.radinks.com/sftp/          | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with  | Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB | with progress bar.
RE: [PHP] register_globals security
Yup I still don't see how it improves anything with regards to security. -Original Message- From: Raditha Dissanayake [mailto:[EMAIL PROTECTED]] Sent: 13 November 2003 15:24 To: [EMAIL PROTECTED] Subject: Re: [PHP] register_globals security Hi, There is also a $_REQUEST variable. At the risk of starting another flame war: IMHO switching off register globals and relying on $_POST etc can lull you into a false sense of security. [snip] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals security
[snip] There is also a $_REQUEST variable. At the risk of starting another flame war: IMHO switching off register globals and relying on $_POST etc can lull you into a false sense of security. [/snip] ***applause*** Bottom line, as I just said in another thread: initialize your variables and validate them when you get them from 'outside' sources -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals security
Hi, Jay and Eugene have already made very good suggestions. To add to that you can always try filtering your variables with strip_tags(), htmlspecialchars(), addslashes() etc to protect against attacks. all the best Fernando Melo wrote: Yup I still don't see how it improves anything with regards to security. -Original Message- From: Raditha Dissanayake [mailto:[EMAIL PROTECTED]] Sent: 13 November 2003 15:24 To: [EMAIL PROTECTED] Subject: Re: [PHP] register_globals security Hi, There is also a $_REQUEST variable. At the risk of starting another flame war: IMHO switching off register globals and relying on $_POST etc can lull you into a false sense of security. Fernando Melo wrote: Thanks. I don't see how this makes it more secure though? The values are still picked up the same way from a URL -- Raditha Dissanayake. http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader Graphical User Interface. Just 150 KB | with progress bar. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals security
--- Fernando Melo [EMAIL PROTECTED] wrote: I have a PHP application that passes variables (values) from a form. I get these using $_POST However I do also post some variables via a link. Which ofcourse requires register_globals to be ON. This is a common problem I see on this list. When asking a question, try not to make assumptions or attempt to answer your own question. In this case, your assumption is wrong. This does not require register_globals to be on. Get variables are in $_GET, and POST variables are in $_POST. Hope that helps. Chris = My Blog http://shiflett.org/ HTTP Developer's Handbook http://httphandbook.org/ RAMP Training Courses http://www.nyphp.org/ramp -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals security
--- Raditha Dissanayake [EMAIL PROTECTED] wrote: At the risk of starting another flame war: IMHO switching off register globals and relying on $_POST etc can lull you into a false sense of security. I agree, and this is more true with the safe_mode directive, which I have always thought was poorly named (although I don't have a better suggestion). Disabling register_globals is a good thing, however, and it at least forces developers to understand where their data is coming from. This is a good first step, in my opinion. Chris = My Blog http://shiflett.org/ HTTP Developer's Handbook http://httphandbook.org/ RAMP Training Courses http://www.nyphp.org/ramp -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals security
I was not making an assumption. I was stating a fact. I get these using $_POST I did NOT state that register_globals needs to be on to do what I'm doing. It seems everyone else understood my query except you. Thanks to everyone who tried to help! -Original Message- From: Chris Shiflett [mailto:[EMAIL PROTECTED]] Sent: 13 November 2003 17:07 To: Fernando Melo; '[EMAIL PROTECTED]' Subject: Re: [PHP] register_globals security --- Fernando Melo [EMAIL PROTECTED] wrote: I have a PHP application that passes variables (values) from a form. I get these using $_POST However I do also post some variables via a link. Which of course requires register_globals to be ON. This is a common problem I see on this list. When asking a question, try not to make assumptions or attempt to answer your own question. In this case, your assumption is wrong. This does not require register_globals to be on. Get variables are in $_GET, and POST variables are in $_POST. Hope that helps. Chris = My Blog http://shiflett.org/ HTTP Developer's Handbook http://httphandbook.org/ RAMP Training Courses http://www.nyphp.org/ramp -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals security
--- Fernando Melo [EMAIL PROTECTED] wrote: I was not making an assumption. I was stating a fact. I get these using $_POST I did NOT state that register_globals needs to be on to do what I'm doing. If you're going to make false claims about what you previously said, you might want to snip out that part when replying. :-) --- Fernando Melo [EMAIL PROTECTED] wrote: Which of course requires register_globals to be ON. Chris = My Blog http://shiflett.org/ HTTP Developer's Handbook http://httphandbook.org/ RAMP Training Courses http://www.nyphp.org/ramp -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals
[snip] With the function phpinfo I have see that the Master Value is Off and the Load Value is On but the site don't running successfully. With suse8.1 with php4.2.2 I have nothing problem. Any idea ? [/snip] Does the site rely on files outside of that directory? Do you 'allow overrides' for the directory in Apache? (httpd.conf) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
--- [EMAIL PROTECTED] wrote: In the php.ini I have set the registr_globals=3D Off I'm assuming that 3D was put in there by some faulty mail client? Also, make sure you spell it register_globals. php_flag register_globals on for only this site. With the function phpinfo I have see that the Master Value is Off and the Load Value is On but the site don't running successfully. Well, that sounds like what you are trying to do? What is wrong exactly? Not every error is the fault of register_globals, after all. :-) Chris = My Blog http://shiflett.org/ HTTP Developer's Handbook http://httphandbook.org/ RAMP Training Courses http://www.nyphp.org/ramp -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
--- [EMAIL PROTECTED] wrote: The problem concern: The correct site is: www.gardafun.com with apache.1.3.27 and php-4.0.6 with register_globals = On The new webserver is 213.21.138.119 with suse8.2 apache1.3.27 and php-4.3.3 with register_globals=off in the php.ini and in the .htaccess the directive: php_flag register_globals on The same sites don't work in the new websites but with the phpinfo I see that the Load Value for register_globals for this site is On. You need to explain what is wrong. You seem confident that register_globals is your problem, but you've not told us why you think so. Chris = My Blog http://shiflett.org/ HTTP Developer's Handbook http://httphandbook.org/ RAMP Training Courses http://www.nyphp.org/ramp -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
Please include the list in all of your replies. I skim message subjects and don't read all messages. If you reply only to me, there's a good chance it will not be read, and no one else will have a chance to answer your question. --- [EMAIL PROTECTED] wrote: As I know, if register_globals is turned to on, my site should run as on a 4.0.6 php server, right? No, register_globals is not the only change that has been made to PHP since 4.0.6. That would be the only way that enabling register_globals on a new version of PHP would be guaranteed to run exactly like version 4.0.6. But it doesn't run correctly, queries are not working and many other problems. You really need to explain what your problem is. This is the third time you've been asked to do so. We cannot possibly read your mind and answer a question you have not asked. Chris = My Blog http://shiflett.org/ HTTP Developer's Handbook http://httphandbook.org/ RAMP Training Courses http://www.nyphp.org/ramp -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals won't turn off!
I don't know much about this, but could it have been cached? Cristian

Damon Kohler wrote: Well, it does turn off. At least phpinfo() says that it's off. However, PHP is acting as though it's still turned on. The source code for the page I'm using to test this odd result is:

<html>
<head></head>
<body>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<input name="test">
<input type="submit">
</form>
</body>
</html>
<?php
// with register_globals Off, $test should be undefined here
print $test;
phpinfo();
?>

I'm running PHP 4.3.3 on RH7. When the form is submitted, the value is printed despite the fact it's printing $test and not $_POST['test']. This is copy pasted from the results: register_argc_argv Off Off register_globals Off Off I'm completely stumped. Thanks in advance, Damon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals won't turn off!
No, it's not cached. I can type in anything to the input and it'll show up. As in, if I type test into the form, it prints test. Then if I type hello world it'll print hello world. So I'm pretty sure caching isn't the problem. Damon

Cristian Lavaque [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I don't know much about this, but could it have been cached? Cristian Damon Kohler wrote: [snip] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals won't turn off!
Are you using third party code that might be doing the export to global space itself? Rob.

On Sat, 2003-09-27 at 22:21, Damon Kohler wrote: No, it's not cached. I can type in anything to the input and it'll show up. As in, if I type test into the form, it prints test. Then if I type hello world it'll print hello world. So I'm pretty sure caching isn't the problem. Damon [snip] -- InterJinn Application Framework - http://www.interjinn.com An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
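A self-check for the situation Damon describes, written here as an added example (it is not code from the thread): phpinfo() reports register_globals Off, yet a POSTed value turns up as a plain variable. The script reports what ini_get() sees and then looks for request keys that also exist in the global symbol table with the same value, which is the trace an auto_prepend_file, a framework bootstrap or a stray extract() leaves behind, as Rob suggests. It has to run before the script assigns anything itself, or it flags its own assignments; the sample POST and global table are constructed, and the function names are mine. One caveat on the test page itself: it writes $_SERVER['PHP_SELF'] into the form action unescaped, and PHP_SELF carries any path info the client appends, so that line is a reflected cross-site-scripting sink regardless of how the register_globals question is resolved.

```php
<?php
// Added example: detect request values leaking into global scope even when
// register_globals is Off. Not part of the original thread.

function register_globals_setting()
{
    $v = ini_get('register_globals');
    if ($v === false) {
        return 'absent';   // PHP 5.4 and later removed the directive entirely
    }
    // ini_get() returns '1' for On and '' or '0' for Off
    return filter_var($v, FILTER_VALIDATE_BOOLEAN) ? 'on' : 'off';
}

// Request keys that are present in the global symbol table with the same
// value. Takes both arrays as parameters so it can be exercised with
// constructed data; live, pass $_REQUEST and $GLOBALS.
function leaked_request_keys(array $request, array $globals)
{
    $leaked = array();
    foreach ($request as $key => $value) {
        if (array_key_exists($key, $globals) && $globals[$key] === $value) {
            $leaked[] = $key;
        }
    }
    return $leaked;
}

// Constructed data: the POST from Damon's form, and a global table in which
// something has already copied 'test' into scope (a prepend script, say).
$post = array('test' => 'hello world');
$globals_after_prepend = array('test' => 'hello world', 'step' => 10, '_POST' => $post);

echo 'register_globals: ', register_globals_setting(), "\n";
print_r(leaked_request_keys($post, $globals_after_prepend));   // 'test' is the leaked key

// Live use, as the very first statement of test.php:
// print_r(leaked_request_keys($_REQUEST, $GLOBALS));
```

If the live check lists keys while ini_get() says off, the leak is in code that runs before the script (auto_prepend_file in php.ini or .htaccess is the first place to look); if it lists nothing, the value is being assigned later in the script or by an included file.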
Re: [PHP] register_globals won't turn off!
I don't think so... You have something particular in mind? You can check out the page itself at http://my.innermetrix.cc/test.php Damon

Robert Cummings [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Are you using third party code that might be doing the export to global space itself? Rob. [snip] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals won't turn off!
On Sat, 27 Sep 2003 20:05:10 -0400 Damon Kohler [EMAIL PROTECTED] wrote: Well, it does turn off. At least phpinfo() says that it's off. However, PHP is acting as though it's still turned on. The source code for the page I'm using to test this odd result is: snip I'm running PHP 4.3.3 on RH7. When the form is submited, the value is printed despite the fact it's printing $test and not $_POST['test']. This is copy pasted from the results: register_argc_argv Off Off register_globals Off Off I'm completely stumped. Thanks in advance, Damon Did you reload your http server? -- Raquel If our words are not consistent with our actions, they will never be heard above the thunder of our deeds. --H. Burke Peterson -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
Rather than turning on register globals system wide I'd use .htaccess to enable register globals for the specific sites or applications that require them. Because the super globals have been introduced the problem with register globals and application security may be more pronounced for applications that don't expect them to be on (granted they should check and make sure they are off but you never know :)). The PHP manual has a section on altering PHP's configuration with the .htaccess file. Jason Deependra b. Tandukar wrote: Hi, I have configured PHP 4.3.3 in which register_globals is set to be off. I modified etc/php.ini and set it to be On but still it shows it is off and some developed applications in php are asking for it to be turned on. How do I do this? Regards, DT -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
Deependra b. Tandukar wrote: Hi, I have configured PHP 4.3.3 in which register_globals is set to be off. I modified etc/php.ini and set it to be On but still it shows it is off and some developed applications in php are asking for it to be turned on. How do I do this? Did you restart the web server? Look at a phpinfo() page in the first block for the configuration file setting and make sure you're editing the right php.ini file. -- ---John Holmes... Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ php|architect: The Magazine for PHP Professionals www.phparch.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
Try restarting your apache. -murugesan - Original Message - From: Deependra b. Tandukar [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, September 03, 2003 10:09 AM Subject: [PHP] register_globals Hi, I have configured PHP 4.3.3 in which register_globals is set to be off. I modified etc/php.ini and set it to be On but still it shows it is off and some developed applications in php are asking for it to be turned on. How do I do this? Regards, DT -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals per virtual host
Hi, I think you want to use: php_value register_globals Off I have this setup in VirtualHost's and in .htaccess files. The difference between php_value and php_admin_value is that php_admin_value can not be overridden in a .htaccess file or VirtualHost. So if you want to enforce some settings and allow users to change others you can force them with php_admin_value. -- Abdul-Wahid Paterson Lintrix Networking Communications ltd. Web: http://www.lintrix.net/ Tel: +44 7801 070621 Email/Jabber: [EMAIL PROTECTED] Web-Hosting | Development | Security | Consultancy | Domains
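The split Abdul describes, written out as an added configuration example (not part of the thread): register_globals forced Off for the whole server with the admin form of the directive, switched back On for exactly one legacy directory, and a per-directory .htaccess that users may use for other settings. php_admin_flag and php_flag are the boolean forms of php_admin_value and php_value; the host name, paths and the legacy directory are assumptions. The AllowOverride line is the setting Jason's .htaccess approach depends on (and the "allow overrides" question Jay raises in the other thread): without it Apache answers a php_flag in .htaccess with a 500. All of it applies only when PHP runs as an Apache module; under CGI/FastCGI these directives are not defined.

```apache
# Added example, not from the thread. Hostname and paths are assumptions.

# --- httpd.conf, server context: the default nothing below can loosen ---
php_admin_flag register_globals Off

<VirtualHost *:80>
    ServerName legacy.example.com
    DocumentRoot /var/www/legacy

    # Let .htaccess files in this tree carry php_flag/php_value at all.
    # PHP's directives count as "Options" for AllowOverride purposes.
    <Directory /var/www/legacy>
        AllowOverride Options
    </Directory>

    # The one application that still needs globals. The more specific
    # context wins over the server-wide admin flag above, and because this
    # is again an admin flag, no .htaccess under shop/ can change it.
    <Directory /var/www/legacy/shop>
        php_admin_flag register_globals On
    </Directory>
</VirtualHost>

# --- /var/www/legacy/tools/.htaccess: what a site owner may still set ---
# Honoured, because display_errors was never pinned with php_admin_flag.
php_flag display_errors Off
# Silently ignored: register_globals is pinned by php_admin_flag for this
# tree, and the non-admin form never overrides the admin form.
php_flag register_globals On
```

Verify the result the way the thread does: a phpinfo() page under tools/ should show register_globals with Local Value Off, and one under shop/ Local Value On, after the server has been restarted.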
Re: [PHP] Register_globals question
I found a class that allows you to have a multiple page listing, where it displays a certain number of items, and then you click on the next page to show the next results. I found that it needs to have register_globals turned on. I am learning, and would like to have someone look at the class to tell me where in this class register_globals is required. I have emailed the person that created the class, I am just trying to understand this. Mike

Here is the class code:

<?php
class pn_buttons {
    /* Public Variables */
    var $query_total_pages = 0;
    var $limited_query;
    var $next_button;
    var $previous_button;
    var $current_page;

    /* Functions */
    // constructor: $page is the page requested by the caller, 0 when none is given
    function pn_buttons($sql, $step, $page = 0) {
        $result = mysql_query($sql);
        $query_total_rows = mysql_num_rows($result);
        // if query return some rows
        if ($query_total_rows > 0) {
            if ($query_total_rows % $step != 0) {
                $total_pages = intval($query_total_rows / $step) + 1;
            } else {
                $total_pages = $query_total_rows / $step;
            }
            $this->query_total_pages = $total_pages;
            // if page is set
            if (empty($page)) {
                $from = 0;
                $this->current_page = 1;
            } else {
                if ($page <= $this->query_total_pages) {
                    $from = $step * ($page - 1);
                    $this->current_page = $page;
                } else {
                    $from = 0;
                    $this->current_page = 1;
                }
            }
            $this->limited_query = $sql . " LIMIT " . $from . ", " . $step;
        }
    } // end function

    // create previous and next buttons
    function make_buttons($link, $link_params, $txt_next = "next", $txt_previous = "previous", $image = "") {
        if ($this->query_total_pages > 1) {
            if (($this->current_page < $this->query_total_pages) && ($this->current_page > 1)) {
                $next_page = $this->current_page + 1;
                $prev_page = $this->current_page - 1;
                $next_lnk = "<a href='" . $link . $link_params . "&page=" . $next_page . "'>$txt_next</a>";
                $prev_lnk = "<a href='" . $link . $link_params . "&page=" . $prev_page . "'>$txt_previous</a>";
            } else if (($this->current_page < $this->query_total_pages) && ($this->current_page == 1)) {
                $next_page = $this->current_page + 1;
                $prev_page = "";
                $next_lnk = "<a href='" . $link . $link_params . "&page=" . $next_page . "'>$txt_next</a>";
                $prev_lnk = "";
            } else if ($this->current_page >= $this->query_total_pages) {
                $next_page = "";
                $prev_page = $this->current_page - 1;
                $next_lnk = "";
                $prev_lnk = "<a href='" . $link . $link_params . "&page=" . $prev_page . "'>$txt_previous</a>";
            }
            $this->next_button = $next_lnk;
            $this->previous_button = $prev_lnk;
        }
    } // end function

    // display all pages
    function count_all_pages($link, $link_params) {
        for ($i = 1; $i <= $this->query_total_pages; $i++) {
            if ($i == $this->current_page) {
                echo "<b>[$i]</b>";
            } else {
                echo "<a href='$link$link_params&page=$i'>[$i]</a>";
            }
        }
    }
} // end Class
?>

Since it's a class, register_global variables would not have any scope within it. Since there are no 'global' calls in any of the methods, it doesn't look like it's relying on any outside variables. Everything this script acts upon is passed to it, so it does not rely on register globals. How this class was implemented may rely on them, though. ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register_globals question
Well, I know it has something to do with register_globals, because it only starts working when I turn register_globals on. If it is off, the script doesn't work. Here is the php file that calls to the class. It doesn't seem to have anything that is global, but as I said before, I am not very familiar with this.

<?php
mysql_connect("localhost", "username", "password");
mysql_select_db("MyDatabase");

// this is a dump variable just for demonstration purposes
$cod = 5;

// how many rows do you want per page???
$step = 10;

# Include class file
include("pn.class.php");

# the sql query without Limit
$sql = "select asset_id, developer, title, version, platform from software_assets ORDER BY asset_id";
$res = mysql_query($sql);
$total = mysql_num_rows($res);

# initiate class
# parameters explanation
# 1st param : the sql query without Limit expretion
# 2nd param : number of elements to display per page.
# 3rd param : current page; this should be null
# 4rth param : total rows of query
//$buttons = new pn_buttons( $sql, $step, $page );
// $page is never assigned in this file: it only exists if register_globals
// has copied ?page=N from the URL into it
$buttons = new pn_buttons($sql, $step, $page, $total);

# $buttons->limited_query is the sql query with limit expretion
# class create this
$res = mysql_query($buttons->limited_query);

echo "<html><body>";
// table headers describing columns
echo "<table width=\"500\" border=\"1\" cellspacing=\"5\" cellpadding=\"3\">
<tr bgcolor=\"#bb\">
<td align=\"center\"><b>Asset ID</b></td>
<td align=\"center\"><b>Developer</b></td>
<td align=\"center\"><b>Software Title</b></td>
<td align=\"center\"><b>Version</b></td>
<td align=\"center\"><b>Platform</b></td>
</tr>";

// list elements one by one until there are no more in the database
while (list($asset_id, $developer, $title, $version, $platform) = mysql_fetch_row($res)) {
    echo "<tr>
<td align=\"left\"><a href=\"editsoftwareasset.php?id=$asset_id\">$asset_id</a></td>
<td align=\"left\">$developer</td>
<td align=\"left\">$title</td>
<td align=\"left\">$version</td>
<td align=\"left\">$platform</td>
</tr>";
}
// close table once list elements loop is finished
echo "</table>";

// Beginning of prev/next buttons. Will be centered in the table.
echo "<table width=\"500\" border=\"1\"><tr align=\"center\"><td><center>";

# Create Prev and next buttons
# parameters explanation
# 1st param : the page that displays results with ? at the end
# 2nd param : additional url parameters e.g. cid=$cid&top=$top
# 3rd param : Text to display in next link
# 4th param : Text to display in previous link
$buttons->make_buttons("pn_classexample.php?", "cid=$cod", "Next Results", "Previous Results");

# display previous and next links
echo $buttons->previous_button . "&nbsp;&nbsp;" . $buttons->next_button;

# display current page number and total pages number
echo "<br>Page " . $buttons->current_page . " of " . $buttons->query_total_pages;
echo "<br><br><br>";
// $cid (not $cod) is likewise unassigned here and is only set by register_globals
echo $buttons->count_all_pages("pn_classexample.php?", "cid=$cid");
?>
</center>
</td>
</tr>
</table>
</body>
</html>

On Tuesday, March 18, 2003, at 11:02 AM, CPT John W. Holmes wrote: I found a class that allows you to have a multiple page listing, where it displays a certain number of items, and then you click on the next page to show the next results. I found that it needs to have register_globals turned on. I am learning, and would like to have someone look at the class to tell me where in this class register_globals is required. I have emailed the person that created the class, I am just trying to understand this. Mike Here is the class code: [snip]
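An added example, not code from either thread, that serves two passages at once: Jay's "initialize your variables and validate them when you get them from 'outside' sources" in the register_globals security thread, and Mike's calling script above, whose $page and $cid only ever receive a value when register_globals copies ?page=N&cid=N into them. Part (1) shows the bug that makes initialisation matter, using extract() on a constructed request array to stand in for register_globals (an extract($_GET) in an auto_prepend file, as suggested elsewhere on this page, reproduces it for every script). Part (2) is the explicit, validated import Mike's script needs instead. The function names, the attack request and the sample URLs are mine.

```php
<?php
// Added example; not code from the thread. Function names and sample
// requests are assumptions made for the demonstration.

// (1) Why "initialise first" matters. extract() plays the role of
// register_globals: request keys become variables before the script's own
// logic runs, so a request carrying authorized=1 pre-sets $authorized.
function admin_allowed_vulnerable(array $request, $password_ok)
{
    extract($request);             // simulates register_globals for this function
    if ($password_ok) {
        $authorized = true;
    }
    return !empty($authorized);    // still true when the password check failed
}

function admin_allowed_hardened(array $request, $password_ok)
{
    $authorized = false;           // initialised: nothing from outside can pre-set it
    if ($password_ok) {
        $authorized = true;
    }
    return $authorized;            // $request is deliberately never consulted
}

// (2) The import Mike's script needs. Both values are used only as integers
// downstream (LIMIT offset, a cid= link parameter), so anything that is not
// a positive integer is replaced by a safe default. $total_pages of 0 means
// "not known yet"; the class itself also resets an over-large page to 1.
function paging_params(array $get, $total_pages = 0)
{
    $page = isset($get['page']) ? (int) $get['page'] : 1;
    if ($page < 1 || ($total_pages > 0 && $page > $total_pages)) {
        $page = 1;                 // out of range: show the first page
    }
    $cid = 0;
    if (isset($get['cid']) && ctype_digit((string) $get['cid'])) {
        $cid = (int) $get['cid'];
    }
    return array('page' => $page, 'cid' => $cid);
}

// Constructed requests.
$attack = array('authorized' => '1');
var_dump(admin_allowed_vulnerable($attack, false));   // access granted with no password
var_dump(admin_allowed_hardened($attack, false));     // access denied

var_dump(paging_params(array('page' => '2', 'cid' => "5' OR 1=1"), 7)); // cid falls back to 0
var_dump(paging_params(array('page' => '999'), 7));                   // page falls back to 1
var_dump(paging_params(array('page' => '-3')));                       // page falls back to 1
```

In Mike's script the two undefined variables are then replaced by three lines before the class is constructed: $p = paging_params($_GET); $page = $p['page']; $cid = $p['cid']; (and "cid=$cid" passed to both make_buttons() and count_all_pages(), since the original passes $cod to one and the never-assigned $cid to the other). The class itself needs no change, which is what John's reply says: it only sees what it is handed.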
RE: [PHP] register_globals On
I'm thinking of running a shopping cart package (osCommerce) that requires register_globals to be enabled. With all the warnings about security with register_globals enabled I'm worried. How dangerous is it? The key defensive step is to initialize all of your session variables at the time you create them, like so: $isAdmin = ''; session_register('isAdmin'); PHP will do the rest ;) Kirk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals On
Sam, The register_globals can be dangerous to turn on but it really depends on the quality of code that the shopping cart was written. See Examples below for explanation. Say you had a script that looked like this.

<?php
$Q = "Select * from Stored CreditCards where User='$User'";
.
Retrieve info from DB
.
Charge Credit Card
.
Do Other Stuff.
?>

With register_globals = on I could do the following to the URL and force the system to bill someone else.

chargecredit.php?User=Joe

Basically, register_globals = off protects you from that type of URL hacking. It just depends on how it is written and how thought out the shopping cart script is. Hope this helped. Jonathan Pitcher On Monday, February 17, 2003, at 07:09 AM, Sam wrote: I'm thinking of running a shopping cart package (osCommerce) that requires register_globals to be enabled. With all the warnings about security with register_globals enabled I'm worried. How dangerous is it? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
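Jonathan's chargecredit.php, with the trust boundary made explicit, as an added example (not code from the thread). The script takes $User from wherever register_globals put it, so ?User=Joe decides whose stored card is charged. Reading $_GET['User'] instead does not fix that: the account being billed has to come from the login session, never from the request, and the one request field that is genuinely needed (the amount) is validated before it is used. The functions return the SQL rather than executing it so the example runs without a database; table and column names, the session layout and the amount ceiling are assumptions.

```php
<?php
// Added example: the vulnerable query shape beside a hardened one.
// Not code from the thread; names are assumptions.

// Vulnerable shape of the original: the request names the account, and the
// value goes into the SQL string verbatim.
function charge_query_vulnerable(array $request)
{
    $User = isset($request['User']) ? $request['User'] : '';
    return "Select * from Stored CreditCards where User='$User'";
}

// Hardened: identity from the session established at login, the amount
// validated as a digits-only string within a ceiling, and SQL built only from
// integers. Returns null (no query, no charge) on any problem.
function charge_query_hardened(array $session, array $post)
{
    if (empty($session['user_id'])) {
        return null;                                      // not logged in
    }
    $user_id = (int) $session['user_id'];
    if (!isset($post['amount_cents']) || !ctype_digit((string) $post['amount_cents'])) {
        return null;                                      // amount must be digits only
    }
    $amount_cents = (int) $post['amount_cents'];
    if ($amount_cents < 1 || $amount_cents > 100000000) {
        return null;                                      // 1 cent up to 1,000,000.00
    }
    return array(
        'sql'          => sprintf("SELECT card_token FROM stored_cards WHERE user_id = %d", $user_id),
        'amount_cents' => $amount_cents,
    );
}

// Constructed inputs: Jonathan's URL trick with a quote in it, then the same
// request against the hardened version with and without a session.
$hostile = array('User' => "Joe' OR '1'='1");
echo charge_query_vulnerable($hostile), "\n";            // the quote escapes the WHERE clause

var_dump(charge_query_hardened(array(), array('amount_cents' => '1999')));                  // no session
var_dump(charge_query_hardened(array('user_id' => 42), array('amount_cents' => '19.99')));  // not digits
var_dump(charge_query_hardened(array('user_id' => 42), array('amount_cents' => '1999')));   // user 42 only
```

The integer cast is what keeps this particular query safe; any string column that has to be matched against request data needs escaping or a parameterised query on top of the validation, which is the part neither the original script nor register_globals = off addresses.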
Re: [PHP] register_globals On
yeh, I'd strongly agree with Jonathan's view that quality of the code can mitigate against the dangers of register_globals. FYI, an interesting article on php vulnerabilities is at: http://www.securereality.com.au/studyinscarlet.txt David Eisenhart Jonathan Pitcher [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... Sam, The register_globals can be dangerous to turn on but it really depends on the quality of code that the shopping cart was written. See Examples below for explanation. [snip] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
three solutions: 1. turn register_globals off for compatibility purposes via .htaccess file in the script's directory 2. create a auto_prepend file with the following: extract($_GET), this should do the trick 3. rewrite the whole code to make any user-input (form) variable to be $_REQUEST or $_GET/$_POST respectively -- Maxim Maletsky [EMAIL PROTECTED]

Kiswa [EMAIL PROTECTED] wrote... : I know its stupid but I've been writing a site for a register_globals = on environment now I need to convert all the code to an off setting the page is built by sending a whole lot of vars to different pages. as you can see below the hyperlink sends the id var to the same page and then echos the code. can anyone help humpty dumpty?

<font size="2"><a href="left.php?id=1" target="_self">Finansiering</a></font><br>
<?php
if ($id == 1) {
    echo "<a href=\"info/leas.htm\" target=\"mainFrame\"><font color=\"#00\">Leasing</font></a><br>
<a href=\"info/avb.htm\" target=\"mainFrame\"><font color=\"#00\">Räntefri avbet.</font></a><br>
<a href=\"info/stul.htm\" target=\"mainFrame\"><font color=\"#00\">Studentlån</font></a><br>";
}
?>

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
on 29/01/03 6:41 AM, Kiswa ([EMAIL PROTECTED]) wrote: change

if ($id == 1) {

to

if ($_GET['id'] == 1) {

or put this line near the top of your script:

$id = $_GET['id'];

or, a little more anal:

if (isset($_GET['id'])) { $id = $_GET['id']; }

Justin

<font size="2"><a href="left.php?id=1" target="_self">Finansiering</a></font><br>
<?php
if ($id == 1) {
    echo "<a href=\"info/leas.htm\" target=\"mainFrame\"><font color=\"#00\">Leasing</font></a><br>
<a href=\"info/avb.htm\" target=\"mainFrame\"><font color=\"#00\">Räntefri avbet.</font></a><br>
<a href=\"info/stul.htm\" target=\"mainFrame\"><font color=\"#00\">Studentlån</font></a><br>";
}
?>

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register_globals = off-compliant form class?
try using pear... On Sat, 2002-11-16 at 22:53, Leif K-Brooks wrote: I'm looking for a good class for forms that will work with register_globals off. I was planning to modify Manuel Lemos's class, but it turned out to be too big of a task. Any ideas? -- The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law. -- .: B i g D o g :. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register_globals = off version of Manuel Lemos's form class?
On Wednesday 13 November 2002 23:57, Leif K-Brooks wrote:
> I am planning to use Manuel Lemos's form class for a web site I am working on. However, I need to have register_globals set to off. I was planning to rewrite the portions of the class that access submitted form values directly to use the superglobal arrays. When I started, though, I saw how big the class was. I'm wondering if anyone else has already done this, and wouldn't mind sharing their code?

Here's what I use:

    function InjectGlobalVars()
    {
        $method = $this->METHOD;
        switch (strtolower($method)) {
            case 'post':
                if (isset($_POST)) {
                    foreach ($this->inputs as $name => $value) {
                        if (isset($_POST[$name])) {
                            $GLOBALS[$name] = $_POST[$name];
                        }
                    }
                }
                break;
            case 'get':
                if (isset($_GET)) {
                    foreach ($this->inputs as $name => $value) {
                        if (isset($_GET[$name])) {
                            $GLOBALS[$name] = $_GET[$name];
                        }
                    }
                }
                break;
        }
    }

After I've defined all the form elements I just call the above function.

-- Jason Wong - Gremlins Associates - www.gremlins.biz Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * /* My father, a good man, told me, Never lose your ignorance; you cannot replace it. -- Erich Maria Remarque */
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register_globals = off version of Manuel Lemos's form class?
Even if the method is post, you can have get variables, if the form has action=script.php?get_var=value

Jason Wong wrote:
> On Wednesday 13 November 2002 23:57, Leif K-Brooks wrote:
>> I am planning to use Manuel Lemos's form class for a web site I am working on. However, I need to have register_globals set to off. I was planning to rewrite the portions of the class that access submitted form values directly to use the superglobal arrays. When I started, though, I saw how big the class was. I'm wondering if anyone else has already done this, and wouldn't mind sharing their code?
>
> Here's what I use:
>
>     function InjectGlobalVars()
>     {
>         $method = $this->METHOD;
>         switch (strtolower($method)) {
>             case 'post':
>                 if (isset($_POST)) {
>                     foreach ($this->inputs as $name => $value) {
>                         if (isset($_POST[$name])) {
>                             $GLOBALS[$name] = $_POST[$name];
>                         }
>                     }
>                 }
>                 break;
>             case 'get':
>                 if (isset($_GET)) {
>                     foreach ($this->inputs as $name => $value) {
>                         if (isset($_GET[$name])) {
>                             $GLOBALS[$name] = $_GET[$name];
>                         }
>                     }
>                 }
>                 break;
>         }
>     }
>
> After I've defined all the form elements I just call the above function.

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register_globals = off version of Manuel Lemos's form class?
On Thursday 14 November 2002 03:41, Marek Kilimajer wrote: Even if the method is post, you can have get variables, if the form has action=script.php?get_var=value Yes but I don't (need to) define my forms like that so I don't really care :-) -- Jason Wong - Gremlins Associates - www.gremlins.biz Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * /* Great Moments in History: #3 August 27, 1949: A Hall of Fame opened to honor outstanding members of the Women's Air Corp. It was a WAC's Museum. */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals off issues
At 21:05 12.11.2002, Mark Spohr said:
> [snip]
> I'm trying to convert this to use $_POST() as such:
>
>     if ($_POST['form'] == "yes") {
>         unset($_POST['form']);
>     }
>
> However, this does not work. It appears that you can't unset the $_POST['form'] array element.
> [snip]

unset() works for any variable - also for the superglobals like $_POST. Try this:

[cut here]
    <xmp>
    <?php
    print_r($_POST);
    echo 'F1 = ', $_POST['f1'] ?? '', "\nF2 = ", $_POST['f2'] ?? '', "\n";
    unset($_POST['f2']);
    print_r($_POST);
    ?>
    </xmp>
    <form method="POST">
    <!-- values are escaped so a submitted quote or tag cannot break out of the attribute -->
    <input type="text" name="f1" value="<?php echo htmlspecialchars($_POST['f1'] ?? ''); ?>"><br>
    <input type="text" name="f2" value="<?php echo htmlspecialchars($_POST['f2'] ?? ''); ?>"><br>
    <input type="submit">
    </form>
[cut here]

What error do you get? Make sure you're using the correct case - PHP is case sensitive in variable names and associative index keys...

-- O Ernest E. Vogelsinger (\)ICQ #13394035 ^ http://www.vogelsinger.at/
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals off or on, why on
I'm working on a site where I'm using geeklog http://geeklog.sourceforge.net/ It has the requirement that Geeklog needs the register_globals variable turned on in order to work. Since PHP 4.2.0, the default for register_globals is off. To fix it, simply add the following line to your php.ini file Is this not *wrong*. It sounds to me like fake laziness. Nothing drives me bonkers more than trying to track down a variable that is inherited from who knows where. If you initialize all your local variables, there is nothing wrong with having register_globals on. Well-written apps run quite nicely and securely with them on. The reason to turn them off is to protect yourself from crappy code. -Rasmus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals flag in some directories
Ahmed. If you changed the AllowOverride setting in httpd.conf, you will need to restart apache. I tried what I suggested here (on a RedHat 7.3 system) so I know its OK. In httpd.conf there can be many instances of AllowOverride, one per directory. Are you sure you changed the right one? Just a thought. Regards Chris Ahmed Farouk wrote: Chris, Thanks for your response, but I already tried that but still not working! is there anything I should do let apache recognize that there is .htaccess ? permissions for example - Original Message - From: Chris Hewitt [EMAIL PROTECTED] To: Ahmed Abdalla [EMAIL PROTECTED] Sent: Tuesday, June 11, 2002 9:06 PM Subject: Re: [PHP] register_globals flag in some directories Ahmed, The /etc/httpd/conf/httpd.conf file might not allow .htaccess to override the setting. I've just tried this here and if I have AllowOverride All then I can change register_globals in a .htaccess file exactly as you have specified. If I have AllowOverride None then I can't. I don't know which override allowance is needed for php. I haven't found it in the manual (but then I might not have looked hard enough). Hope this helps. Chris Ahmed Abdalla wrote: I am sorry if this is asked before, but I have apache 2.0.36 with php 4.2.1 in the php.ini file register_globals is set off, but i want to turn it on in some directories I tried to create .htaccess file in that directory and put in it php_flag register_globals on but its not working, so did i do anything wrong or should I do anything else ? Thanks for your help -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals in php4
> -----Original Message-----
> From: Kevin Stone [mailto:[EMAIL PROTECTED]]
> Sent: 09 May 2002 23:09
>
> Hmm. No offense ..., but I don't believe turning Registered Globals off will have any effect on security. Turning Registered Globals off just provides a more strict environment for coding. Example.. If the url were http://www.dom.com/index.php?password=xuUaB67sf
>
>     <?
>     if (isset($_GET['password'])) // Registered globals off.
>     {
>         $password = $_GET['password'];
>         echo $password;
>     }
>     ?>
>
> .. is no more or less secure than..
>
>     <?
>     if (isset($password)) // Registered globals on.
>     {
>         echo $password;
>     }
>     ?>

No, but this:

    if (isset($password)):   // register_globals on
        $super_user = $password == $super_password;
    endif;
    if ($super_user):
        // sensitive admin stuff
    endif;

is more secure than:

    if (isset($_GET['password'])):   // register_globals off
        $super_user = $_GET['password'] == $super_password;
    endif;
    if ($super_user):
        // sensitive admin stuff
    endif;

(OK, you or I wouldn't code like that, but a Web hoster may want the reassurance of being able to protect naive customers from this kind of mistake.)

Also, by using the $_POST, $_GET arrays, you know exactly where the input is coming from (even if register_globals is also on!). If you have register_globals set to on, and you just look to see if (say) $password has a value, which you're expecting to come from a form field, you can't actually tell whether it's been overridden by some smarty-pants typing in the URL with ?password=super_password on the end. If you check specifically for $_POST['password'], you at least have the assurance that it's come from a form field as you were expecting.

Granted, register_globals and using the $_* arrays is not the complete solution, but it does add a small extra layer of assurance.

Cheers!
Mike - Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom Email: [EMAIL PROTECTED] Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals in php4
At 14:16 10/05/2002, Ford, Mike [LSS] wrote:
> No, but this:
>
>     if (isset($password)):   // register_globals on
>         $super_user = $password == $super_password;
>     endif;
>     if ($super_user):
>         // sensitive admin stuff
>     endif;
>
> is more secure than:
>
>     if (isset($_GET['password'])):   // register_globals off
>         $super_user = $_GET['password'] == $super_password;
>     endif;
>     if ($super_user):
>         // sensitive admin stuff
>     endif;

You meant it the other way around, didn't you? :)

> Also, by using the $_POST, $_GET arrays, you know exactly where the input is coming from (even if register_globals is also on!). If you have register_globals set to on, and you just look to see if (say) $password has a value, which you're expecting to come from a form field, you can't actually tell whether it's been overridden by some smarty-pants typing in the URL with ?password=super_password on the end. If you check specifically for $_POST['password'], you at least have the assurance that it's come from a form field as you were expecting.

There's a bit of a misperception about the security that register_globals=off buys you. Basically, anything coming from the user cannot be trusted, and that includes post variables in $_POST[] (I could write my own form and send whatever variables I want to your form handler). So, generally, anything in $_GET, $_POST and $_COOKIE (or $_REQUEST, in general) cannot be trusted, and should be treated as 'possibly hostile'. The new $_ENV variable, however, can be trusted, as it cannot be poisoned by the remote user, and also, most of the information in $_SERVER can be trusted, because it's coming from the web server.

What does register_globals buy you? Two simple things:

(a) A clean global scope, which cannot be poisoned by the remote user, as your example illustrated (only backwards).

(b) Reliable $_ENV and $_SERVER arrays, and the knowledge that they cannot be poisoned by get/post/cookie data coming from the user.
Zeev -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
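Mike's snippet and Zeev's point (a), run rather than described. This is an added example, not code from either post: it emulates register_globals=on with extract() on a constructed request array, shows that a request carrying super_user=1 and no password at all is treated as an administrator because $super_user was tested without ever being initialised, and then shows the fixed form, which initialises the flag, reads the password from the request array explicitly, and compares with hash_equals() instead of ==. $super_password is an assumed value.

```php
<?php
// Added example, not from the original thread. The request arrays and the
// admin secret are constructed for the demo.

$super_password = 'correct horse battery staple';   // assumed admin secret

// Mike's "register_globals on" version, made runnable. extract() stands in
// for what register_globals did with every GET/POST/cookie key.
function adminCheckRegisterGlobalsOn(array $request, string $super_password): bool
{
    extract($request);

    if (isset($password)) {
        $super_user = ($password == $super_password);
    }
    // When no password was sent, $super_user was never assigned by this
    // code, so whatever extract() dropped into scope decides the result.
    return !empty($super_user);
}

// The fixed version: the flag starts false, the credential is taken from a
// named source, and the comparison is strict and constant-time.
function adminCheckFixed(array $request, string $super_password): bool
{
    $super_user = false;                              // initialise every flag you later test
    if (isset($request['password']) && is_string($request['password'])) {
        $super_user = hash_equals($super_password, $request['password']);
    }
    return $super_user;
}

// Attacker: ?super_user=1 with no password.
$attack = ['super_user' => '1'];
// Legitimate admin: the real password, nothing else.
$legit  = ['password' => $super_password];

var_dump(adminCheckRegisterGlobalsOn($attack, $super_password));   // admin access without a password
var_dump(adminCheckFixed($attack, $super_password));               // denied
var_dump(adminCheckFixed($legit, $super_password));                // granted
```

Turning register_globals off removes the extract() step, which is why Zeev calls the result a clean global scope; initialising $super_user removes the bug even on a host where the setting cannot be changed, which is the habit Rasmus refers to further down the page.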
RE: [PHP] register_globals in php4
-Original Message- From: Zeev Suraski [mailto:[EMAIL PROTECTED]] Sent: 10 May 2002 12:36 You meant it the other way around, didn't you? :) Er, yes! ;) (I cut-and-pasted one example to create the other, and then changed the wrong on to off!!) Cheers! Mike - Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom Email: [EMAIL PROTECTED] Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals in php4
-Original Message- From: Ford, Mike [LSS] [mailto:[EMAIL PROTECTED]] Sent: 10 May 2002 12:54 To: 'Zeev Suraski' Cc: [EMAIL PROTECTED] Subject: RE: [PHP] register_globals in php4 -Original Message- From: Zeev Suraski [mailto:[EMAIL PROTECTED]] Sent: 10 May 2002 12:36 You meant it the other way around, didn't you? :) Er, yes! ;) (I cut-and-pasted one example to create the other, and then changed the wrong on to off!!) Oh, no! That's not what you meant! (It must be Friday afternoon!! :) I should have said less secure rather than more secure. Am I right this time? Damn. (It must be Friday afternoon!! :) Cheers! Mike - Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom Email: [EMAIL PROTECTED] Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals in php4
At 15:13 10/05/2002, Ford, Mike [LSS] wrote: I should have said less secure rather than more secure. Am I right this time? Yep :) Zeev -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals in php4
On Fri, 10 May 2002, Ford, Mike [LSS] wrote: Also, by using the $_POST, $_GET arrays, you know exactly where the input is coming from (even if register_globals is also on!). If you have register_globals set to on, and you just look to see if (say) $password has a value, which you're expecting to come from a form field, you can't actually tell whether it's been overridden by some smarty-pants typing in the URL with ?password=super_password on the end. If you check specifically for $_POST['password'], you at least have the assurance that it's come from a form field as you were expecting. This is a very false sense of security. Anyone with cURL (or even telnet) can trivially fake any POST or cookie inputs they want to. miguel -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals in php4
Mike,

Both of your bits of code are not equal. On my ISP in 4.0.6 isset returned false if the variable was not existing OR empty; in 4.2 isset returns true if the variable exists but is empty, so you may want to check with empty instead of isset.

Luc

At 12:16 10/05/2002 +0100, Ford, Mike [LSS] wrote:
> -----Original Message-----
>
>     if (isset($password)):   // register_globals on
>         $super_user = $password == $super_password;
>     endif;
>     if ($super_user):
>         // sensitive admin stuff
>     endif;
>
> is more secure than:
>
>     if (isset($_GET['password'])):   // register_globals off
>         $super_user = $_GET['password'] == $super_password;
>     endif;
>     if ($super_user):
>         // sensitive admin stuff
>     endif;

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals in php4
On Fri, 10 May 2002, Patrick Hsieh wrote:
> php4.1 recommends to set register_globals=off in php.ini to make php more strict. My question is, if I turn off register_globals, what will happen if any malicious user just try to modify the variable values in the url? Say,
>
>     http://www.domain.com/xxx.php?id=3&sex=female
>
> Does it work if user just change the value in the URL directly and send the url directly to web server? How can we avoid the malicious attack by directly http GET/POST with modified parameter values to make possible system error or compromise?

If register_globals is off, then you'll get $_GET['id'] = 3 and $_GET['sex'] = female. It's then up to you to make sure those are okay. But at least $id and $sex won't get set until you explicitly set them in your code.

miguel

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals in php4
- Original Message - From: Patrick Hsieh [EMAIL PROTECTED] Hello list, php4.1 recommends to set register_globals=off in php.ini to make php more strict. My question is, if I turn off register_globals, what will happen if any malicious user just try to modify the variable values in the url? Say, The variables will get passed just like normal. You have no way of telling if the values actually came from a form or if the user manipulated the data. This goes for GET, POST, and COOKIE data. How can we avoid the malicious attack by directly http GET/POST with modified parameter values to make possible system error or compromise? You can't stop it. The user can send anything to your site. It's up to you to validate the data and make sure it's what it's supposed to be. At least with register_globals = off, when you use $_GET[var], you know it's coming from the URL (or a GET form). Same thing with _POST, _SESSION, and _COOKIE, etc. You know where the data should be coming from. You still have to validate it. W/o register globals, you just use $var and have no idea where it's coming from. You may think it's coming from a posted form, but the user actually passed it in the url. Or, you use $var2, not expecting it to come from the user at all, but the user passes it in the URL and it overwrites $var2. register_globals isn't always bad. It just allows for more errors and holes with it on if you're not careful. ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals in php4
----- Original Message -----
From: Miguel Cruz [EMAIL PROTECTED]
To: Patrick Hsieh [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, May 09, 2002 11:52 AM
Subject: Re: [PHP] register_globals in php4

> On Fri, 10 May 2002, Patrick Hsieh wrote:
>> php4.1 recommends to set register_globals=off in php.ini to make php more strict. My question is, if I turn off register_globals, what will happen if any malicious user just try to modify the variable values in the url? Say,
>>
>>     http://www.domain.com/xxx.php?id=3&sex=female
>>
>> Does it work if user just change the value in the URL directly and send the url directly to web server? How can we avoid the malicious attack by directly http GET/POST with modified parameter values to make possible system error or compromise?
>
> If register_globals is off, then you'll get $_GET['id'] = 3 and $_GET['sex'] = female. It's then up to you to make sure those are okay. But at least $id and $sex won't get set until you explicitly set them in your code.
>
> miguel

Hmm. No offense Miguel, but I don't believe turning Registered Globals off will have any effect on security. Turning Registered Globals off just provides a more strict environment for coding. Example.. If the url were http://www.dom.com/index.php?password=xuUaB67sf

    <?
    if (isset($_GET['password'])) // Registered globals off.
    {
        $password = $_GET['password'];
        echo $password;
    }
    ?>

.. is no more or less secure than..

    <?
    if (isset($password)) // Registered globals on.
    {
        echo $password;
    }
    ?>

>> How can we avoid the malicious attack by directly http GET/POST with modified parameter values to make possible system error or compromise?

Security in this regard has everything to do with ensuring that the input you're receiving is what you expect. Some good tips would be to define maximum string lengths, check for legal variable types, and look for invalid characters.
If something doesn't look right then you simply don't allow the request to proceed. Example..

    <?
    function validate($str)
    {
        $max_len = 15;
        $str_len = strlen($str);
        if ($str_len > $max_len)
            return FALSE;
        elseif (gettype($str) != "string")
            return FALSE;
        elseif (preg_match("/whatever you think might be invalid/i", $str))  // originally eregi(), which later PHP versions removed
            return FALSE;
        else
            return TRUE;
    }

    if (validate($password)) {
        echo $password;
    } else {
        echo "INVALID INPUT";
        exit;
    }
    ?>

Generally speaking this will be more than adequate. But if you want to get serious then you can record a timestamp and IP/domain for every transaction on your website then auto-block any user spamming your system. For example, if someone is trying out passwords over and over again, after 3 consecutive tries your system could block the transaction and print out a warning. After 3 batches of 3 consecutive tries the system could block the user and email you a notice. But because this user information can be faked the most sophisticated systems.. the ones that corporations install behind their firewalls and cost $20,000 for the installation alone, actually record and analyze patterns of behavior using neural net software.

-Kevin

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals in php4
On Thu, 9 May 2002, Kevin Stone wrote: If register_globals is off, then you'll get $_GET['id'] = 3 and $_GET['sex'] = female. It's then up to you to make sure those are okay. But at least $id and $sex won't get set until you explicitly set them in your code. Hmm. No offense Miguel, but I don't believe turning Registered Globals off will have any effect on security. If all programmers were perfect, very few security mechanisms would be necessary. But they aren't, so things like this just make it a little bit easier to create secure software. miguel -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals=Off Question
You are missing an ending quote to begin with. Either add it in and use braces, or remove the quotes.

    action='<?=$_SERVER[PHP_SELF]?>'

or...

    action='<? echo $_SERVER[PHP_SELF]; ?>'

or...

    action='<? echo "{$_SERVER['PHP_SELF']}"; ?>'

Adapt to your needs...

---John Holmes...

> -----Original Message-----
> From: Kirk Babb [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 28, 2002 3:58 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] register_globals=Off Question
>
> How do I use $PHP_SELF with register_globals off? I looked up the documentation on php.net but haven't gotten this line of code to work:
>
>     <form name=form5 method=post action='<?php echo($_SERVER[PHP_SELF]; ?>'
>
> I get this error instead:
>
>     [28-Apr-2002 16:33:31] PHP Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in - on line 140
>
> what am I doing wrong?
>
> thanks,
> Kirk

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals=Off Question
On Sun, 28 Apr 2002, Kirk Babb wrote:
> How do I use $PHP_SELF with register_globals off? I looked up the documentation on php.net but haven't gotten this line of code to work:
>
>     <form name=form5 method=post action='<?php echo($_SERVER[PHP_SELF]; ?>'

    action='<?= $_SERVER['PHP_SELF'] ?>'

miguel

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals=Off Question
Looks like you forgot your ticks ' around the PHP_SELF. If I am correct, it should be $_SERVER['PHP_SELF']. Either way, you might want to try this. Somebody else posted it before and I have been using it so that no matter what version of PHP my program runs on, it should work. if (isset($_SERVER)) $PHP_SELF = $_SERVER['PHP_SELF']; Steve At 05:58 PM 4/28/2002, Kirk Babb wrote: How do I use $PHP_SELF with register_globals off? I looked up the documentation on php.net but haven't gotten this line of code to work: form name=form5 method=post action='?php echo($_SERVER[PHP_SELF]; ?' I get this error instead: [28-Apr-2002 16:33:31] PHP Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in - on line 140 what am I doing wrong? thanks, Kirk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
On Sunday, March 31, 2002, at 04:05 AM, Liam wrote: at the moment I have register_globals set to on Is there any reason I should turn it off? What are the security risks of having them on? I once asked this exact question, and here is the response I got -- I found it very helpful: Give this a read first, then come back if you still have questions ;) http://www.securereality.com.au/studyinscarlet.txt Kirk Erik Erik Price Web Developer Temp Media Lab, H.H. Brown [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
You would be better off reading the security chapter in the PHP documentation. It is much better informed than that study-in-scarlet thing. On Mon, 1 Apr 2002, Erik Price wrote: On Sunday, March 31, 2002, at 04:05 AM, Liam wrote: at the moment I have register_globals set to on Is there any reason I should turn it off? What are the security risks of having them on? I once asked this exact question, and here is the response I got -- I found it very helpful: Give this a read first, then come back if you still have questions ;) http://www.securereality.com.au/studyinscarlet.txt Kirk Erik Erik Price Web Developer Temp Media Lab, H.H. Brown [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals
On Sunday 31 March 2002 17:05, Liam wrote: 31/03/2002 9:05:53 AM Hi all, I'm running a webhosting service and I'm looking at security issues. at the moment I have register_globals set to on Is there any reason I should turn it off? What are the security risks of having them on? Manual Security -- Jason Wong - Gremlins Associates - www.gremlins.com.hk /* The more they over-think the plumbing the easier it is to stop up the drain. */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] register_globals and E_ALL error reporting
> -----Original Message-----
> From: Richard Ellerbrock [mailto:[EMAIL PROTECTED]]
> Sent: 13 March 2002 14:25
>
> The following code generates a warning when register_globals=off and error reporting is set to E_ALL. How do I define the constant in another way not to generate a warning? This is with php 4.1.1. I use defines extensively throughout my code and it is making my debugging difficult through the transition to register_global=off code.
>
>     <?php
>     define(DBF_HOST, localhost);
>     echo DBF_HOST;
>     ?>
>
>     Warning: Use of undefined constant DBF_HOST - assumed 'DBF_HOST' in var/www/html/iptrackdev/test.php on line 3
>     localhost

That has nothing to do with register_globals! You're getting the error because you have error_reporting set to E_ALL. The error is that both arguments to define should be strings, thus:

    define('DBF_HOST', 'localhost');

The way you have it, the naked DBF_HOST looks like a reference to a constant, but when PHP looks it up it can't find it because it hasn't been defined yet because the define contains a reference to the constant DBF_HOST which hasn't been defined yet so when PHP looks it up it can't find it because... oh, well, you get the idea!

Cheers!

Mike - Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom Email: [EMAIL PROTECTED] Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] register_globals not turning off
what command? if you're using ini_set you can't. in this case it'll set the local value but it's of no consequence, register_globals has already done its thing before getting to the script. use of .htaccess is possible. regards, Philip Olson On Thu, 13 Dec 2001, Charlie Killian wrote: I turn register_globals off using this command: but my get variables are still accessible as variables. Any ideas. phpinfo() says: register_argc_argv Off register_globals Off PHP Version 4.0.6 Charlie -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] register_globals odd behaviour?
I just come across and odd behaviour with the register_globals and session handling. The problem is that when I set the register globals to on I cannot access the session_variables through the associative array HTTP_SESSION_VARS. The manual says explicitly that with track_vars and register_globals both on the array and the vars will point to the same. I believe this was a bug in all versions prior to 4.0.6, globals and $HTTP_SESSION_VARS did *not* reference the same value while on the current page, in spite of what the manual says. So, either upgrade to 4.0.6, or use the global version of session variables rather than the $HTTP_SESSION_VARS array. Kirk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] register_globals on or off?
Could someone explain what the following passage in php.ini means: You should do your best to write your scripts so that they do not require ; register_globals to be on; Using form variables as globals can easily lead ; to possible security problems, if the code is not very well thought of. If register_globals is off, does that mean you cannot access form variables by just referring to their name? Correct And, if that is so, how do you pass information from forms to your action script? They will be in the $HTTP_POST_VARS array. However, as long as you watch what you are doing, leaving register_globals on is fine. Don't use undefined variables and never pass stuff directly to any system() or file operation functions without carefully checking your data. Turning off register_globals and simply using $HTTP_POST_VARS everywhere really doesn't help that much in this respect. POST vars are easily spoofed, so don't think that just turning off register_globals will suddenly make your scripts secure. It won't. Never trust user-supplied data. -Rasmus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] register_globals on or off?
hi [[EMAIL PROTECTED]] wrote: Hi, Could someone explain what the following passage in php.ini means: You should do your best to write your scripts so that they do not require ; register_globals to be on; Using form variables as globals can easily lead ; to possible security problems, if the code is not very well thought of. If register_globals is off, does that mean you cannot access form variables by just referring to their name? And, if that is so, how do you pass information from forms to your action script? If you had register_globals Off *AND* track_vars On, you could change: from: $frmCompanyName to: $HTTP_GET_VARS["frmCompanyName"] or $HTTP_POST_VARS["frmCompanyName"] depending on your action method. HTH. -- Hardy Merrill Mission Critical Linux, Inc. http://www.missioncriticallinux.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] register_globals PHP_SELF
Steve Haemelinck wrote: Does the PHP_SELF variable only work if you have your register_globals on? Probably. Is their an another for still using it ? $putitinhere = getenv("PHP_SELF"); might work. Or, if track_vars is ON (default since PHP 4.03 I think), you might find it in $HTTP_SERVER_VARS["PHP_SELF"]. These are just guesses, though. regards Wagner -- Assumption is the mother of all fuck-ups. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
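Both PHP_SELF threads on this page (Kirk Babb's register_globals=Off question and Steve Haemelinck's) stop at how to reach the value; neither mentions that it must be escaped before it goes into a form action. Under Apache, PHP_SELF includes any trailing path info, so a request for /form.php/"><script>alert(1)</script> makes $_SERVER['PHP_SELF'] carry the payload, and echoing it raw into the attribute is a reflected XSS. The following is an added example, not code from either poster: the $_SERVER values are constructed so the script runs from the command line, and three renderings of the same form tag are compared.

```php
<?php
// Added example, not from the original thread. The server variables are
// constructed to mimic a request with hostile path info.

$_SERVER['SCRIPT_NAME'] = '/form.php';
$_SERVER['PHP_SELF']    = '/form.php/"><script>alert(1)</script>';   // constructed hostile value

// What the threads above end up with: raw PHP_SELF in the attribute.
// The closing quote and angle bracket in the path info end the attribute
// and the tag, and the script that follows runs in the victim's browser.
function formActionUnsafe(): string
{
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Same source, escaped: " and < become entities, so the attribute cannot be closed early.
function formActionEscaped(): string
{
    return '<form method="post" action="'
        . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '">';
}

// SCRIPT_NAME excludes the path-info suffix entirely; still escape it,
// since the rule is to escape every value at the point of output.
function formActionScriptName(): string
{
    return '<form method="post" action="'
        . htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8') . '">';
}

echo formActionUnsafe(), "\n";
echo formActionEscaped(), "\n";
echo formActionScriptName(), "\n";
```

The same applies to the getenv("PHP_SELF") and $HTTP_SERVER_VARS["PHP_SELF"] forms Wagner suggests: they read the identical value, so the register_globals setting changes how the variable is reached, not whether it is safe to print.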