RE: FN-FORUM: Register globals on or off??
date posted 8th May 2007 21:37
I agree with what Richard says - I would also add that having
register_globals on may (I am not sure what or where) write code which
works, but only because of it being on the basis that it exploits a loophole
in PHP which may later be plugged. A good example was one I found in a
recent Ruby book (different language I know, but same concept), where a
recent bug fix now prevents anyone from using the breakpoint features that
are available for Ruby (and RoR) programmers; these features were only
available because of the bug which has now been fixed!
Alex.
-----Original Message-----
From: [EMAIL REMOVED] [EMAIL REMOVED] On Behalf Of Richard
Fletcher
Sent: 08 May 2007 21:13
To: FN-FORUM / [EMAIL REMOVED]
Subject: Re: FN-FORUM: Register globals on or off??
lee fogarty wrote:
>
> I have received a site recently that needs completing. The thing is,
> in the .htaccess file, register globals is forced on.
>
> Surely not a good thing?
>
> The only reason I ask is that I never have register globals on.
> However, this site wasn't done by an amateur so I am starting to doubt
> whether my thoughts on site security are entirely accurate.
>
register_globals on can cause security problems for those who don't know
what they are doing. It makes scripts easy to hack when those scripts rely
on global variables, say one called $logged_in or $is_admin.
I have seen code which requires register_globals to be on to use some of the
older session functions that PHP provides. The code in question was safe
because all the variables and logic were in classes, and thereby immune from
the problem.
There were a few global variables, but they were properly defined.
An exploit would work on code like this:-
Calling this script with something like http://domain/script.php?is_admin=1
would show the problem.
Sticking "$is_admin=false;" as the first line would fix the code.
Regards
Richard
--
Artumi Systems, 58 Salmon Street, Sheffield, S11 8DD.
Tel 0114 250 7654, Web http://www.artumi.com VAT Reg 889 0317 88
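
The problem Richard describes, and the one-line fix he suggests, shown as an added example that is not part of the original emails. register_globals was removed in PHP 5.4, so `extract()` on a constructed query array stands in for it; the function names, the `$session` array and the `'root'` check are hypothetical.

```php
<?php
// Added illustration, not code from the thread. extract() emulates what
// register_globals = on did before the script body ran.

// Hypothetical script body that trusts an uninitialised $is_admin.
function page_vulnerable(array $query, array $session): bool
{
    extract($query);                  // emulates register_globals = on
    if (($session['user'] ?? '') === 'root') {
        $is_admin = true;
    }
    return !empty($is_admin);         // a request-supplied value is still set
}

// Same body with the fix from the message: initialise the flag first.
function page_fixed(array $query, array $session): bool
{
    extract($query);                  // emulates register_globals = on
    $is_admin = false;                // overwrites whatever the request set
    if (($session['user'] ?? '') === 'root') {
        $is_admin = true;
    }
    return $is_admin;
}

// register_globals off: request data stays inside $query and never becomes
// a variable, so the flag can only be set from the session.
function page_globals_off(array $query, array $session): bool
{
    $is_admin = (($session['user'] ?? '') === 'root');
    return $is_admin;
}

// Constructed input: the query string from the message, sent by a visitor
// with no session, compared against a genuine (constructed) root session.
parse_str('is_admin=1', $query);
$anonymous = [];
$root = ['user' => 'root'];

foreach (['page_vulnerable', 'page_fixed', 'page_globals_off'] as $page) {
    printf("%-17s anonymous with ?is_admin=1: %-5s  root session: %s\n",
        $page,
        var_export($page($query, $anonymous), true),
        var_export($page([], $root), true));
}
```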