  1. #1
    Regular Coder

    Registered Globals

    I've heard a lot of people talk about keeping Register_Globals off, but my work with SESSIONS would not work unless I had the admin turn it on. Why should it be off, and why wouldn't SESSIONS work with it off?
    If I'm postin here, I NEED YOUR HELP!!

  • #2
    Supreme Overlord Spookster's Avatar
    It is likely that you were not referring to the sessions in the proper manner. You can use sessions with register globals off.

    PHP Code:

    session_start();
    $_SESSION['myvariable'] = "All Hail Spookster";

    echo $_SESSION['myvariable'];
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster

  • #3
    Regular Coder
    That's exactly what I do...

    But why do people want Register_Globals off?
    If I'm postin here, I NEED YOUR HELP!!

  • #4
    raf
    Master Coder
    Quote Originally Posted by Ultragames
    That's exactly what I do...

    But why do people want Register_Globals off?
    Because otherwise, not initialising your variables makes your code insecure.

    The complete story: http://www.php.net/manual/en/security.globals.php
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #5
    God Emperor Fou-Lu's Avatar
    If your register globals isn't off, and you haven't taken the proper means to secure your code, your visitor may send variables that you do not want them to. Let's see, for example...
    PHP Code:
    <?php

    if (isset($allowedaccess))
    {
        echo "Welcome to the Credit Card Management System.  Click here to proceed";
    }
    else
    {
        header("Location: home.php");
        exit;
        // Return visitor home with no authorizations.
    }
    So, what's so bad? Well, if register globals is on, and you haven't secured what can pass through your script, in order to access your CC Management system (this is an example, hope nobody has really done something like this...), you would need to send your URI as http://yoursite.com/yourscript.php?allowedaccess=1
    Tada, complete control. This is assuming that they know the URL and variables required. Sure, there are more simplistic methods around of gathering what's allowed and what's not, but I personally use a global feature with allowed arrays to pass through. The easiest way I can think of to help prevent such attacks if, say, your register globals are on (which I personally find a lot of servers doing), is to unset what's important. So, at the very beginning of the code snippet, you would have
    <?php
    unset($allowedaccess);
    This way if it's sent, it's ignored.
    Last edited by Fou-Lu; 10-19-2004 at 11:19 AM.
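
The check discussed in post #5, as an added example that is not part of the original thread: it compares the uninitialised-variable check, the `unset()` workaround, and a check that reads the flag only from session data. register_globals no longer exists in current PHP, so `extract()` stands in for it here; the function names and the sample request and session arrays are constructed for illustration.

```php
<?php
// Added example, not code from the thread. extract() simulates what
// register_globals = On did: every request parameter becomes a variable
// in the script's scope before the script's own code runs.

// Pattern from post #5: trusts $allowedaccess, which is never initialised.
function vulnerable_check(array $get): bool
{
    extract($get);                 // simulated register_globals import
    return isset($allowedaccess);  // set by whoever wrote the query string
}

// Workaround from post #5: discard the request-supplied value first.
function unset_check(array $get): bool
{
    extract($get);
    unset($allowedaccess);         // request-supplied value is dropped
    return isset($allowedaccess);  // stays unset until the script sets it
}

// Hardened pattern: the flag is read only from server-side session data,
// which a visitor cannot write through the URL.
function session_check(array $get, array $session): bool
{
    // $get is deliberately never imported into scope.
    return isset($session['allowedaccess'])
        && $session['allowedaccess'] === true;
}

// Constructed sample inputs (hypothetical, no web server needed).
$forged_get    = ['allowedaccess' => '1'];   // ?allowedaccess=1
$anon_session  = [];                         // visitor never logged in
$login_session = ['allowedaccess' => true];  // written by a login handler

$results = [
    'vulnerable, forged request'  => vulnerable_check($forged_get),
    'unset first, forged request' => unset_check($forged_get),
    'session, forged request'     => session_check($forged_get, $anon_session),
    'session, logged-in visitor'  => session_check([], $login_session),
];

foreach ($results as $case => $granted) {
    printf("%-28s => %s\n", $case, $granted ? 'access granted' : 'access denied');
}
```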

