On Wed, Nov 25, 2009 at 3:01 PM, Allen McCabe allenmcc...@gmail.com wrote:
*Warning*: Unknown: Your script possibly relies on a session side-effect
which existed until PHP 4.2.3. Please be advised that the session extension
does not consider global variables as a source of data, unless
Are you running PHP as a Module or as CGI or FCGI?
Look at phpinfo() output to be SURE.
If it's not running as a Module, none of those directives are defined,
because Apache (which implements .htaccess) has no friggin' idea what
php_value or php_flag is without PHP Module there to tell it.
On
On 6/7/07, Afan Pasalic [EMAIL PROTECTED] wrote:
hi,
this question is already posted thousand times. but, after I tried for 2
hours to figure it out, I gave up and posted the question here.
I'm rebuilding one site. php 4.4.4
as usual, register_globals on, as well as magic_quotes.
I tried to turn
Tijnema wrote:
On 6/7/07, Afan Pasalic [EMAIL PROTECTED] wrote:
hi,
this question is already posted thousand times. but, after I tried for 2
hours to figure it out, I gave up and posted the question here.
I'm rebuilding one site. php 4.4.4
as usual, register_globals on, as well as
Hi Jeff,
You want to leave register_globals OFF. Depending on how $charid is passed,
you want to use $_POST or $_GET:
$charid = $_POST['charid'];
or
$charid = $_GET['charid'];
I think you'll need to do the same for your $db_select variable. Is that what
you're after?
Regards,
Bruce
Firstly, welcome to PHP. :-)
Secondly, that's not how you would enable register_globals if they're not
enabled.
Thirdly, you do not want to turn on register_globals. register globals are a
security risk. They're disabled by default on any recent (within the past 5
years) version of PHP,
Hello,
Sunday, April 4, 2004, 1:17:53 AM, you wrote:
n Why i cann't change register_globals value with ini_set()?
Because it's a system level configuration value - you cannot change it
in your scripts.
register_globals supports PHP_INI_PERDIR and PHP_INI_SYSTEM - meaning
it can only be
[snip]
I have a webpage that needs to use some specific php.ini settings
different from other php applications on my web server. I have created a
.htaccess file with the following content:
php_flag register_globals 1
php_flag error_reporting E_ALL ~E_NOTICE
It works fine, but only on Mozilla
Jay Blanchard wrote:
[snip]
I have a webpage that needs to use some specific php.ini settings
different from other php applications on my web server. I have created a
.htaccess file with the following content:
php_flag register_globals 1
php_flag error_reporting E_ALL ~E_NOTICE
It works
[snip]
Put a page in that directory called test.php with only
?php
phpinfo();
?
It doesn't work at all if I put AddType application/x-httpd-php .php
[/snip]
Did you try the test.php above?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
The only problem I see with that is that you're using the constants E_ALL
and E_NOTICE in the .htaccess file. You can't use constants there, you need
to use the actual number. (2047 ~8) == 2039:
php_flag register_globals 1
php_flag error_reporting 2039
Chris
-Original Message-
From:
: RE: [PHP] register_globals problem
The only problem I see with that is that you're using the constants E_ALL
and E_NOTICE in the .htaccess file. You can't use constants there, you need
to use the actual number. (2047 ~8) == 2039:
php_flag register_globals 1
php_flag error_reporting 2039
Chris
Jay Blanchard wrote:
[snip]
Put a page in that directory called test.php with only
?php
phpinfo();
?
It doesn't work at all if I put AddType application/x-httpd-php .php
[/snip]
Did you try the test.php above?
Yes, I have. Doesn't work.
--
PHP General Mailing List
[snip]
Did you try the test.php above?
Yes, I have. Doesn't work.
[/snip]
Then your httpd.conf in not configured properly. It would appear to me
that PHP is not working at all. I went to the URL inquestion and did not
find this test page, so it will be hard for me to help you. Does PHP
work
]
Subject: RE: [PHP] register_globals problem
The only problem I see with that is that you're using the constants E_ALL
and E_NOTICE in the .htaccess file. You can't use constants there, you need
to use the actual number. (2047 ~8) == 2039:
php_flag register_globals 1
php_flag error_reporting 2039
[snip]
It doesn't work. After all a script that contains only phpinfo()
(e-technics.com/dorna/info.php) works OK, but the webpage, which is a
PhpNuke doesn't work.
[/snip]
Actually info.php works in IE and reports register_global is ON locally
(within that directory). Therefore, as I stated
Jay Blanchard wrote:
[snip]
It doesn't work. After all a script that contains only phpinfo()
(e-technics.com/dorna/info.php) works OK, but the webpage, which is a
PhpNuke doesn't work.
[/snip]
Actually info.php works in IE and reports register_global is ON locally
(within that directory).
[snip]
If I create an PHP environment such that I don't need to override
register_globals and error_reporting with a .htaccess file it works just
fine, so I guess the problem is in the .htaccess file. I posted my
httpd.conf file at http://e-technics.com/dorna/httpd.conf.
If I comment the lines
Jay Blanchard wrote:
[snip]
If I create an PHP environment such that I don't need to override
register_globals and error_reporting with a .htaccess file it works just
fine, so I guess the problem is in the .htaccess file. I posted my
httpd.conf file at http://e-technics.com/dorna/httpd.conf.
If
[snip]
Actually, according to the info.php page for that directory
register_globals is ON as you desire...correct?
Correct, the .htaccess file overides just fine register_globals and
error_reporting but somehow Internet Explorer and Konqueror does not
load the page.
[/snip]
But IE and
Jay Blanchard wrote:
[snip]
Actually, according to the info.php page for that directory
register_globals is ON as you desire...correct?
Correct, the .htaccess file overides just fine register_globals and
error_reporting but somehow Internet Explorer and Konqueror does not
load the page.
[snip]
But IE and Konqueror both load the info.php correctly from my end. It
is
the index.php for Nukemods.com that gets hosed in those browsers.
So you're saying that index.php is broken? Then why it gets loaded fine
if I delete the .htaccess file?
[/snip]
That is exactly what I am saying.
Jay Blanchard wrote:
[snip]
But IE and Konqueror both load the info.php correctly from my end. It
is
the index.php for Nukemods.com that gets hosed in those browsers.
So you're saying that index.php is broken? Then why it gets loaded fine
if I delete the .htaccess file?
[/snip]
That is
Hi Fernando,
I have a PHP application that passes variables (values) from a form.
I get these using $_POST
However I do also post some variables via a link. Which ofcourse requires
register_globals to be ON.
Do you mean variables in a URL, like this:
www.example.com/index.php?foo=1bar=2
Thanks.
I don't see how this makes it more secure though?
The values are still picked up the same way from a URL
-Original Message-
From: Jon Haworth [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 13:28
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals security
Hi Fernando
On Thu, Nov 13, 2003 at 01:55:08PM +0200, Fernando Melo wrote:
: Jon Haworth responded:
: : Fernando Melo wrote:
: :
: : I have a PHP application that passes variables (values) from a form.
: : I get these using $_POST
: :
: : However I do also post some variables via a link. Which ofcourse
picked up the same way from a URL
-Original Message-
From: Jon Haworth [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 13:28
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals security
Hi Fernando,
I have a PHP application that passes variables (values) from a form.
I get
Yup I still don't see how it improves anything with regards to security.
-Original Message-
From: Raditha Dissanayake [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 15:24
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals security
Hi,
There is also a $_REQUEST variable
[snip]
There is also a $_REQUEST variable.
At the risk of starting another flame war: IMHO switching off register
globals and relying on $_POST etc can lull you into a false sense of
security.
[/snip]
***applause***
Bottom-lineas I just said in another threadinitialize your
variables
with regards to security.
-Original Message-
From: Raditha Dissanayake [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 15:24
To: [EMAIL PROTECTED]
Subject: Re: [PHP] register_globals security
Hi,
There is also a $_REQUEST variable.
At the risk of starting another flame war: IMHO switching off
--- Fernando Melo [EMAIL PROTECTED] wrote:
I have a PHP application that passes variables (values) from a form.
I get these using $_POST
However I do also post some variables via a link. Which ofcourse
requires register_globals to be ON.
This is a common problem I see on this list. When
--- Raditha Dissanayake [EMAIL PROTECTED] wrote:
At the risk of starting another flame war: IMHO switching off register
globals and relying on $_POST etc can lull you into a false sense of
security.
I agree, and this is more true with the safe_mode directive, which I have
always thought was
Shiflett [mailto:[EMAIL PROTECTED]
Sent: 13 November 2003 17:07
To: Fernando Melo; '[EMAIL PROTECTED]'
Subject: Re: [PHP] register_globals security
--- Fernando Melo [EMAIL PROTECTED] wrote:
I have a PHP application that passes variables (values) from a form.
I get these using $_POST
However I do
--- Fernando Melo [EMAIL PROTECTED] wrote:
I was not making an assumption. I was stating a fact.
I get these using $_POST
I did NOT state that register_globals needs to be on to do what I'm
doing.
If you're going to make false claims about what you previously said, you
might want to snip
[snip]
With the function phpinfo I have see that the Master Value is Off and
the=
Load Value is On but the site don't running successfully.
With suse8.1 with php4.2.2 I have nothing problem.
Any idea ?
[/snip]
Does the site rely on files outside of that directory? Do you 'allow
overrides' for
--- [EMAIL PROTECTED] wrote:
In the php.ini I have set the registr_globals=3D Off
I'm assuming that 3D was put in there by some faulty mail client? Also, make
sure you spell it register_globals.
php_flag register_globals on for only this site.
With the function phpinfo I have see that the
--- [EMAIL PROTECTED] wrote:
The problem concern:
The correct site is: www.gardafun.com with apache.1.3.27 and
php-4.0.6 with register_globals = On
The new webserver is 213.21.138.119 with suse8.2 apache1.3.27 and
php-4.3.3 with register_globals=off in the php.ini and in the
.htaccess
Please include the list in all of your replies. I skim message subjects and
don't read all messages. If you reply only to me, there's a good chance it will
not be read, and no one else will have a chance to answer your question.
--- [EMAIL PROTECTED] wrote:
As i know, if register_globals is
I don't know much about this, but could it have been cached?
Cristian
Damon Kohler wrote:
Well, it does turn off. At least phpinfo() says that it's off.
However, PHP is acting as though it's still turned on. The
source
code for the page I'm using to test this odd result is:
html
head
No, it's not cached. I can type in anything to the input and it'll show up.
As in, if I type test into the form, it prints test. Then if I type hello
world it'll print hello world. So I'm pretty sure caching isn't the
problem.
Damon
Cristian Lavaque [EMAIL PROTECTED] wrote in message
Are you using third party code that might be doing the export to global
space itself?
Rob.
On Sat, 2003-09-27 at 22:21, Damon Kohler wrote:
No, it's not cached. I can type in anything to the input and it'll show up.
As in, if I type test into the form, it prints test. Then if I type hello
I don't think so... You have something particular in mind? You can check out
the page itself at http://my.innermetrix.cc/test.php
Damon
Robert Cummings [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Are you using third party code that might be doing the export to global
space
On Sat, 27 Sep 2003 20:05:10 -0400
Damon Kohler [EMAIL PROTECTED] wrote:
Well, it does turn off. At least phpinfo() says that it's off.
However, PHP is acting as though it's still turned on. The source
code for the page I'm using to test this odd result is:
snip
I'm running PHP 4.3.3 on
Rather than turning on register globals system wide I'd use .htaccess to
enable register globals for the specific sites or applications that
require them. Because the super globals have been introduced the
problem with register globals and application security may be more
prounounced for
Deependra b. Tandukar wrote:
Hi,
I have configured PHP 4.3.3 in which register_gloabals is set to be off.
I modified etc/php.ini and set it to be On but still it shows it is off
and some developed applications in php are asking for it to be turned
on. How do I do this?
Did you restart the web
Try restarting your apache.
-murugesan
- Original Message -
From: Deependra b. Tandukar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 03, 2003 10:09 AM
Subject: [PHP] register_globals
Hi,
I have configured PHP 4.3.3 in which register_gloabals is set to be off. I
Hi,
I think you want to use:
php_value register_globals Off
I have this setup in VirtualHost's and in .htaccess files. The
difference between php_value and php_admin_value is that php_admin_value
can not be overridden in a .htaccess file or VirtualHost. So if you want
to enforce some settings
I found a class that allows you to have a multiple page listing, where
it displays a certain number of items, and then you click on the next
page to show the next results. I found that it needs to have
register_globals turned on. I am learning, and would like to have
someone look at the class
Well, I know it has something to do with register_globals, because it
only starts working when I turn register_globals on. If it is off, the
script doesn't work.
Here is the php file that calls to the class. It doesn't seem to have
anything that is global, but as I said before, I am not very
I'm thinking of running a shopping cart package (osCommerce)
that requires
register_globals to be enabled. With all the warnings about
security with
register_globals enabled I'm worried.
How dangerous is it?
The key defensive step is to initialize all of your session variables at the
Sam,
The register_globals can be dangerous to turn on but it really depends
on the quality of code that the shopping cart was written. See
Examples below for explanation.
Say you had a script that looked like this.
?PHP
$Q = Select * from Stored CreditCards where User='$User';
.
yeh, I'd strongly agree with Jonathan's view that quality of the code can
mitigate against the dangers of register_globals.
FYI, an interesting article on php vulnerabilities is at:
http://www.securereality.com.au/studyinscarlet.txt
David Eisenhart
Jonathan Pitcher [EMAIL PROTECTED] wrote in
three solutions:
1. turn register_globals off for compatibility purposes via .htaccess
file in the script's directory
2. create a auto_prepend file with the following: extract($_GET), this
should do the trick
3. rewrite the whole code to make any user-input (form) variable to be
$_REQUEST or
on 29/01/03 6:41 AM, Kiswa ([EMAIL PROTECTED]) wrote:
change If($id==1){ to If($_GET['id']==1){
or put this line near the top of your script:
$id = $_GET['id'];
or, a little more anal:
if(isset($_GET['id'])) { $id = $_GET['id']; }
Justin
font size=2a href=left.php?id=1
try using pear...
On Sat, 2002-11-16 at 22:53, Leif K-Brooks wrote:
I'm looking for a good class for forms that will work with
register_globals off. I was planning to modify Manuel Lemos's class,
but it turned out to be too big of a task. Any ideas?
--
The above message is encrypted
On Wednesday 13 November 2002 23:57, Leif K-Brooks wrote:
I am planning to use Manuel Lemos's form class for a web site I am
working on. However, I need to have register_globals set to off. I was
planning to rewrite the portions of the class that access submitted form
values directly to use
Even if the method is post, you can have get variables, if the form has
action=script.php?get_var=value
Jason Wong wrote:
On Wednesday 13 November 2002 23:57, Leif K-Brooks wrote:
I am planning to use Manuel Lemos's form class for a web site I am
working on. However, I need to have
On Thursday 14 November 2002 03:41, Marek Kilimajer wrote:
Even if the method is post, you can have get variables, if the form has
action=script.php?get_var=value
Yes but I don't (need to) define my forms like that so I don't really care :-)
--
Jason Wong - Gremlins Associates -
At 21:05 12.11.2002, Mark Spohr said:
[snip]
I'm trying to convert this to use $_POST() as such:
if ($_POST['form'] == yes)
{
unset($_POST['form']);
}
However, this does not work. It appears that you can't unset the
$_POST['form'] array element.
I'm working on a site where I'm using geeklog
http://geeklog.sourceforge.net/
It has the requirement that
Geeklog needs the register_globals variable turned on in order to work.
Since PHP 4.2.0, the default for register_globals is off. To fix it,
simply add the following line to your
PROTECTED]
To: Ahmed Abdalla [EMAIL PROTECTED]
Sent: Tuesday, June 11, 2002 9:06 PM
Subject: Re: [PHP] register_globals flag in some directories
Ahmed,
The /etc/httpd/conf/httpd.conf file might not allow .htaccess to
override the setting. I've just tried this here and if I have
AllowOverride All then I
-Original Message-
From: Kevin Stone [mailto:[EMAIL PROTECTED]]
Sent: 09 May 2002 23:09
Hmm. No offense ..., but I don't believe turning
Registered Globals off
will have any effect on security. Turning Registered Globals off just
provides a more strict environment for coding.
At 14:16 10/05/2002, Ford, Mike [LSS] wrote:
No, but this:
if (isset($password)): // register_globals on
$super_user = $password==$super_password;
endif;
if ($super_user):
// sensitive admin stuff
endif;
is more secure than:
if
-Original Message-
From: Zeev Suraski [mailto:[EMAIL PROTECTED]]
Sent: 10 May 2002 12:36
You meant it the other way around, didn't you? :)
Er, yes! ;)
(I cut-and-pasted one example to create the other, and then changed the wrong on to
off!!)
Cheers!
Mike
-Original Message-
From: Ford, Mike [LSS] [mailto:[EMAIL PROTECTED]]
Sent: 10 May 2002 12:54
To: 'Zeev Suraski'
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] register_globals in php4
-Original Message-
From: Zeev Suraski [mailto:[EMAIL PROTECTED]]
Sent: 10 May 2002 12:36
At 15:13 10/05/2002, Ford, Mike [LSS] wrote:
I should have said less secure rather than more secure.
Am I right this time?
Yep :)
Zeev
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
On Fri, 10 May 2002, Ford, Mike [LSS] wrote:
Also, by using the $_POST, $_GET arrays, you know exactly where the
input is coming from (even if register_globals is also on!). If you
have register_globals set to on, and you just look to see if (say)
$password has a value, which
Mike,
Both of your bit of code are not equal.
On my ISP in 4.0.6 isset returned false if the variable was not existing OR
empty
in 4.2 isset returns true if the variable exists but is empty, so you may
want to check with empty instead of isset
Luc
At 12:16 10/05/2002 +0100, Ford, Mike
On Fri, 10 May 2002, Patrick Hsieh wrote:
php4.1 recommends to set register_globals=off in php.ini to make php
more strict. My question is, if I turn off register_globals, what will
happen if any malicious user just try to modify the variable values in
the url? Say,
- Original Message -
From: Patrick Hsieh [EMAIL PROTECTED]
Hello list,
php4.1 recommends to set register_globals=off in php.ini to make php
more strict. My question is, if I turn off register_globals, what will
happen if any malicious user just try to modify the variable values in
- Original Message -
From: Miguel Cruz [EMAIL PROTECTED]
To: Patrick Hsieh [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, May 09, 2002 11:52 AM
Subject: Re: [PHP] register_globals in php4
On Fri, 10 May 2002, Patrick Hsieh wrote:
php4.1 recommends to set register_globals=off
On Thu, 9 May 2002, Kevin Stone wrote:
If register_globals is off, then you'll get $_GET['id'] = 3 and
$_GET['sex'] = female. It's then up to you to make sure those are okay.
But at least $id and $sex won't get set until you explicitly set them in
your code.
Hmm. No offense Miguel, but I
You are missing an ending quote to begin with. Either add it in and use
braces, or remove the quotes.
action = '?=$_SERVER[PHP_SELF]?'
or...
action = '? echo $_SERVER[PHP_SELF]; ?'
or...
action = '? echo {$_SERVER['PHP_SELF']}; ?'
Adapt to your needs...
---John Holmes...
-Original
On Sun, 28 Apr 2002, Kirk Babb wrote:
How do I use $PHP_SELF with register_globals off? I looked up the
documentation on php.net but haven't gotten this line of code to work:
form name=form5 method=post action='?php echo($_SERVER[PHP_SELF];
?'
action='?= $_SERVER['PHP_SELF'] ?'
miguel
Looks like you forgot your ticks ' around the PHP_SELF. If I am correct,
it should be $_SERVER['PHP_SELF'].
Either way, you might want to try this. Somebody else posted it before and
I have been using it so that no matter what version of PHP my program runs
on, it should work.
if
On Sunday, March 31, 2002, at 04:05 AM, Liam wrote:
at the moment I have register_globals set to on
Is there any reason I should turn it off?
What are the security risks of having them on?
I once asked this exact question, and here is the response I got -- I
found it very helpful:
Give
You would be better off reading the security chapter in the PHP
documentation. It is much better informed than that study-in-scarlet
thing.
On Mon, 1 Apr 2002, Erik Price wrote:
On Sunday, March 31, 2002, at 04:05 AM, Liam wrote:
at the moment I have register_globals set to on
Is there
On Sunday 31 March 2002 17:05, Liam wrote:
31/03/2002 9:05:53 AM
Hi all,
I'm running a webhosting service and I'm looking at security issues.
at the moment I have register_globals set to on
Is there any reason I should turn it off?
What are the security risks of having them on?
Manual
-Original Message-
From: Richard Ellerbrock [mailto:[EMAIL PROTECTED]]
Sent: 13 March 2002 14:25
The following code generates a warning when register_globals=off and
error reporting is set to E_ALL. How do I define the constant
in another
way not to generate a warning? This is
what command? if you're using ini_set you can't. in this case it'll set
the local value but it's of no consequence, register_globals has already
done its thing before getting to the script. use of .htaccess is
possible.
regards,
Philip Olson
On Thu, 13 Dec 2001, Charlie Killian wrote:
I
I just come across and odd behaviour with the register_globals and
session handling. The problem is that when I set the register
globals to
on I cannot access the session_variables through the associative array
HTTP_SESSION_VARS. The manual says explicitly that with track_vars and
Could someone explain what the following passage in php.ini means:
You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily
lead
; to possible security problems, if the code is not very well thought
hi [[EMAIL PROTECTED]] wrote:
Hi,
Could someone explain what the following passage in php.ini means:
You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily
lead
; to possible security problems,
Steve Haemelinck wrote:
Does the PHP_SELF variable only work if you have your
register_globals on?
Probably.
Is their an another for still using it ?
$putitinhere = getenv("PHP_SELF");
might work.
Or, if track_vars is ON (default since PHP 4.03 I think), you might
find it in
84 matches
Mail list logo
