10-19-2004, 04:05 AM | #1
Ultragames
Regular Coder
Registered Globals

I've heard a lot of people talk about keeping Register_Globals off, but my work with SESSIONS would not work unless I had the admin turn it on. Why should it be off, and why wouldn't SESSIONS work with it off?
10-19-2004, 05:00 AM | #2
Spookster
Supreme Overlord
It is likely that you were not referring to the sessions in the proper manner. You can use sessions with register globals off.

PHP Code:
<?php
session_start();
$_SESSION['myvariable'] = "All Hail Spookster";

echo $_SESSION['myvariable'];
10-19-2004, 06:35 AM | #3
Ultragames
Regular Coder
That's exactly what I do...

But why do people want Register_Globals off?
10-19-2004, 09:15 AM | #4
raf
Master Coder
Quote:
Originally Posted by Ultragames
That's exactly what I do...

But why do people want Register_Globals off?
Because otherwise, not initialising your variables makes your code insecure.

The complete story: http://www.php.net/manual/en/security.globals.php
10-19-2004, 11:17 AM | #5
Fou-Lu
God Emperor
If your register globals isn't off, and you haven't taken the proper means to secure your code, your visitor may send variables that you do not want them to. Let's see, for example...
PHP Code:
<?php

if (isset($allowedaccess))
{
    echo "Welcome to the Credit Card Management System.  Click here to proceed";
}
else
{
    // Return visitor home with no authorizations.
    header("Location: home.php");
    exit;
}
So, what's so bad? Well, if register globals is on, and you haven't secured what can pass through your script, in order to access your CC Management system (this is an example, hope nobody has really done something like this...), you would need to send your uri as http://yoursite.com/yourscript.php?allowedaccess=1
Tada, complete control. This is assuming that they know the url and variables required. Sure, there are more simplistic methods around of gathering what's allowed and what's not, but I personally use a global feature with allowed arrays to pass through. The easiest way I can think of to help prevent such attacks if say your register globals are on (which I personally find a lot of servers doing), is to unset what's important. So, at the very beginning of the code snippet, you would have
PHP Code:
<?php
unset($allowedaccess);
This way if it's sent, it's ignored.

Last edited by Fou-Lu; 10-19-2004 at 11:19 AM..
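The hardened form of the access check discussed in this thread, as an added example that is not part of the original posts: every variable that gates access is initialised before use, authorisation is derived from $_SESSION only, and the script refuses to run when register_globals is still enabled. The session key `authenticated` and the log message are assumptions, not anything from the thread.

```php
<?php
// Added example (not from the thread): the same access check written so it
// does not depend on register_globals being off.

// Refuse to run on a server that still has register_globals enabled. The
// directive was removed in PHP 5.4, so on current builds ini_get() returns
// false and this check is simply skipped.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Refusing to run with register_globals enabled.');
}

session_start();

// Explicit initialisation: a request parameter named "allowedaccess" can no
// longer create this variable, because it already exists with a safe value.
$allowedaccess = false;

// Derive authorisation from server-side session state only, never from the
// request. 'authenticated' is an assumed session key for this example.
if (isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true) {
    $allowedaccess = true;
}

// Anything arriving in the request under that name is only reachable through
// the $_GET/$_POST superglobals, and here it is deliberately ignored.
if (isset($_GET['allowedaccess']) || isset($_POST['allowedaccess'])) {
    error_log('Ignoring client-supplied allowedaccess parameter');
}

if ($allowedaccess) {
    echo "Welcome to the Credit Card Management System. Click here to proceed";
} else {
    // Return visitor home with no authorizations.
    header('Location: home.php');
    exit;
}
```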