Tip: Click here to scan for System Errors and Optimize PC performance

[artcoder]

June 28th, 2009, 10:41 am

I put ...

Code: [ Download ] [ Select ]

php_value register_globals 0

in my .htaccess file and got a 500 server error.

Why? Is that not how I am supposed to disable register globals?

When I remove that line, it is fine.

Where is a good tutorial on how to disable register_globals?

[UPSGuy]

June 28th, 2009, 10:48 am

Your wording is incorrect. Try this...

Code: [ Download ] [ Select ]

php_flag register_globals off

http://blog.dreamhosters.com/kbase/index.cgi?area=3070

[joebert]

June 28th, 2009, 1:23 pm

Quote:

PHP_INI_ALL in PHP <= 4.2.3. Deprecated in 5.3.0. Removed in PHP 6.0.0.

http://www.php.net/manual/en/ini.core.p ... er-globals

July 7th, 2009, 3:07 pm

joebert wrote:

Quote:

PHP_INI_ALL in PHP <= 4.2.3. Deprecated in 5.3.0. Removed in PHP 6.0.0.

http://www.php.net/manual/en/ini.core.p ... er-globals

Agreed. I would move away from a PHP 4x server. PHP 5 is more secure and stable.

Register globals is asking for trouble, in my opinion at least.

[joebert]

July 7th, 2009, 7:40 pm

I just realized I'm constantly reading that register_globals is bad, and the basic reason of why it's bad, but I rarely see an innocent example of how it can be bad even if you're not using it.

Take this simple code for example.

Code: [ Download ] [ Select ]

<?php
 
if(false)
{
    $permitted = true;
}
 
if(isset($permitted))
{
    echo 'Access Granted';
    exit;
}
echo 'Access Denied';
 
?>

1. <?php
2.  
3. if(false)
4. {
5.     $permitted = true;
6. }
7.  
8. if(isset($permitted))
9. {
10.     echo 'Access Granted';
11.     exit;
12. }
13. echo 'Access Denied';
14.  
15. ?>

Under no circumstances should access ever be granted. "if(false)" should prevent the access flag from ever being set.

However if register_globals is turned on, I can set that flag myself in the URL like so "file.php?permitted=1" bypassing any real test that would be in place of that "if(false)".

That's just a simple example of how it can go bad. Imagine if you had an automated system setup to process orders at your store and the code used a similar flag to determine whether an employee discount should be applied at the end of a checkout.