Hosting Discussion
 

  Post #1 (permalink)   03-23-2007, 03:12 AM
HD Addict
 
Join Date: Jan 2006
Posts: 203

Status: bandboy is offline
I have read some articles over Register_Globals being off and a security risk when they are ON, but still I am confused as to why some script authors need Register_Globals to be enabled (or ON) to let their scripts work. One such example is WHMCS. What exactly does Register_Globals have to do and why should it be enabled for such scripts to work?
 
 
 


  Post #2 (permalink)   03-23-2007, 06:05 AM
HD Newbie
 
Join Date: Jun 2006
Location: Ontario, Canada
Posts: 49

Status: WorldCom is offline
Assuming you're talking about PHP scripting. Scripts that require Register Globals be turned on are usually outdated and should be avoided. Register Globals were found to be a security breach and for the most part, hosting providers will have them turned off.

Without going into a big explanation, with Register Globals OFF, you are forced to write more secure scripts. Better for you, better for your database ... better for any clients' data.
I know because I wrote scripts using Global Variables, not realizing the potential security flaws. I have since changed them all using more secure code.

Here's an article from the PHP manual.
Click Here
__________________
goDaddy Ca$hback
Earn 10% cash back for domain registrations and renewals at goDaddy!
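
What "forced to write more secure scripts" means in practice, shown as an added example that is not part of the thread or of any script named in it. Because PHP removed register_globals in 5.4, the old behaviour is emulated with `extract()`; the function names, the `authorized` parameter and the sample request are constructed for illustration.

```php
<?php
// Added example: emulates what register_globals=On did to a script's
// variables, so the effect can be reproduced on a current PHP interpreter.

// Constructed sample request, equivalent to a query string "?authorized=1".
$request = ['authorized' => '1'];

// Hypothetical stand-in for a real credential check; it always fails here.
function credentials_ok(): bool
{
    return false;
}

// Pattern that relies on register_globals: $authorized is never initialised,
// so a request parameter with the same name silently supplies its value.
function legacy_page(array $request): string
{
    extract($request);              // request keys become variables, as the directive did
    if (credentials_ok()) {
        $authorized = true;
    }
    return !empty($authorized) ? 'sensitive data' : 'denied';
}

// The same page written to work with register_globals=Off: internal state is
// initialised by the script, and request input is read only by explicit key.
function hardened_page(array $request): string
{
    $authorized = false;            // state owned by the script, not the request
    if (credentials_ok()) {
        $authorized = true;
    }
    // Explicit, typed read of the one input this page accepts.
    $page = isset($request['page']) ? (int) $request['page'] : 1;
    return $authorized ? 'sensitive data' : "denied (page $page)";
}

echo 'legacy:   ', legacy_page($request), PHP_EOL;
echo 'hardened: ', hardened_page($request), PHP_EOL;
```

On a live script the explicit reads would come from `$_GET`, `$_POST` or `$_COOKIE`, which is the rewrite a script needs before it can run with the setting off.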
 
 
 


  Post #3 (permalink)   03-23-2007, 11:15 PM
HD Addict
 
Join Date: Jan 2006
Posts: 203

Status: bandboy is offline
Quote:
Originally Posted by WorldCom
Assuming you're talking about PHP scripting. Scripts that require Register Globals be turned on are usually outdated and should be avoided.
Thanks for your reply and it does fit in for most scripts. Remember WHMCS script also requires Register_Global to be ON, so does it mean it is outdated and should be avoided?
 
 
 


  Post #4 (permalink)   03-24-2007, 07:35 AM
HD Newbie
 
Join Date: Jun 2006
Location: Ontario, Canada
Posts: 49

Status: WorldCom is offline
I am very surprised that this script requires that.
Globals on is a security risk. So you decide if it's worth it.
Personally, I would look for something else.

I don't profess to be an expert on PHP programming, but there are a few important things that I've learned. Security is tops.

If you like, have a look at the forum below and search for Register Globals. You can see the response of some real experts.
PHP Forum
 
 
 


  Post #5 (permalink)   03-25-2007, 01:04 AM
HD Master
 
Join Date: Jul 2003
Location: London, UK
Posts: 429

Status: othellotech is offline
Quote:
Originally Posted by bandboy
What exactly does Register_Globals have to do and why should it be enabled for such scripts to work?
IMHO it's required to be on to accommodate lazy code.
It is sad when commercial applications can't be securely coded and work with globals off.
__________________
Rob Golding Astutium Ltd (AS29527) ICANN Accredited Registrar, Nominet Member, eNom ETP
UK VPS & Private Cloud Servers | UK Linux + Windows Shared Hosting | London Colo |
Domain Registration + Domain Resellers (WHMCS compatible)
 
 
 


  Post #6 (permalink)   03-25-2007, 02:21 PM
HD Addict
 
Join Date: Jan 2006
Posts: 203

Status: bandboy is offline
Yeah, pretty much what makes me wonder why should such scripts be sold in the first place if the script author is too lazy to secure stuff?
 
 
 


  Post #7 (permalink)   03-25-2007, 02:22 PM
HD Newbie
 
Join Date: Jun 2006
Location: Ontario, Canada
Posts: 49

Status: WorldCom is offline
Quote:
Originally Posted by othellotech
IMHO it's required to be on to accommodate lazy code.
It is sad when commercial applications can't be securely coded and work with globals off.
That is correct ..... it is for us lazy people.
I got totally caught off guard when a host I was using upgraded PHP and turned the globals off. Nothing would work and I had to go in and re-write all the code to conform. I learned my lesson though.

This is not to say that it's bad software, they just need to update it for the security changes in PHP. I would think that they would be working on that. If I were going to purchase it, I definitely would write to them and tell them my concerns.

Now I hear the next version is not going to allow short tags .... for those that know PHP, <? as opposed to <?php.
All my code now already has <?php just in case.
 
 
 


  Post #8 (permalink)   03-30-2007, 03:09 PM
HD Newbie
 
Join Date: Mar 2007
Posts: 2

Status: HostingHelpGuy is offline
There are various php titles that do require globals to be turned on, and it seems to me that typically has more to do with the original coding than a lack of concern for security.

.htaccess commands can be used to set globals as needed (unless phpsuexec is enabled and php is running as cgi). That allows you to turn globals off for given directories instead of for your whole website, thereby minimizing the risks involved.

It's a one line addition as follows:

Disable globals:

php_flag register_globals off
or
php_value register_globals 0


To enable globals for a specific directory (or app)

php_flag register_globals on
or
php_value register_globals 1
__________________
Best Regards,
HostingHelpGuy
InMotion Hosting, Inc
http://www.inmotionhosting.com
 
 
 