Disable register_globals using htaccess

  • artcoder
  • Student
  • Student
  • Posts: 89
  • Loc: United States

Post 3+ Months Ago

I put ...

Code:
php_value register_globals 0


in my .htaccess file and got a 500 server error.

Why? Is that not how I am supposed to disable register globals?

When I remove that line, it is fine.

Where is a good tutorial on how to disable register_globals?
  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • Posts: 2733
  • Loc: Nashville, TN

Post 3+ Months Ago

Your wording is incorrect. Try this...
Code:
php_flag register_globals off


http://blog.dreamhosters.com/kbase/index.cgi?area=3070
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

Quote:
PHP_INI_ALL in PHP <= 4.2.3. Deprecated in 5.3.0. Removed in PHP 6.0.0.


http://www.php.net/manual/en/ini.core.p ... er-globals
  • LogicWeb
  • Newbie
  • Newbie
  • Posts: 7

Post 3+ Months Ago

joebert wrote:
Quote:
PHP_INI_ALL in PHP <= 4.2.3. Deprecated in 5.3.0. Removed in PHP 6.0.0.


http://www.php.net/manual/en/ini.core.p ... er-globals


Agreed. I would move away from a PHP 4x server. PHP 5 is more secure and stable.

Register globals is asking for trouble, in my opinion at least.
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

I just realized I'm constantly reading that register_globals is bad, and the basic reason of why it's bad, but I rarely see an innocent example of how it can be bad even if you're not using it.

Take this simple code for example.

Code:
<?php
 
if(false)
{
    $permitted = true;
}
 
if(isset($permitted))
{
    echo 'Access Granted';
    exit;
}
echo 'Access Denied';
 
?>


Under no circumstances should access ever be granted. "if(false)" should prevent the access flag from ever being set.

However, if register_globals is turned on, I can set that flag myself in the URL like so: "file.php?permitted=1", bypassing any real test that would be in place of that "if(false)".

That's just a simple example of how it can go bad. Imagine if you had an automated system set up to process orders at your store and the code used a similar flag to determine whether an employee discount should be applied at the end of a checkout.
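
Added example, not part of the thread and not any poster's code: the flag check from the post above next to a hardened form that stays correct even when request parameters leak into variable scope. Because register_globals no longer exists in current PHP, `extract()` stands in for it here; the function names, the `$loginOk` parameter and the sample request are assumptions made for illustration.

```php
<?php
// Added example. extract() simulates register_globals = on by turning
// request parameters into local variables, so this runs on current PHP.

// Pattern from the post: $permitted is only assigned on success and then
// tested with isset(), so any pre-existing $permitted passes the check.
function check_vulnerable(array $request, bool $loginOk): string
{
    extract($request);              // stand-in for register_globals
    if ($loginOk) {
        $permitted = true;
    }
    return isset($permitted) ? 'Access Granted' : 'Access Denied';
}

// Hardened pattern: initialise the flag before the test that may set it,
// and compare its value strictly instead of checking that it exists.
function check_hardened(array $request, bool $loginOk): string
{
    extract($request);              // same hostile environment
    $permitted = false;             // overwrites anything the request injected
    if ($loginOk) {
        $permitted = true;
    }
    return $permitted === true ? 'Access Granted' : 'Access Denied';
}

// Constructed sample input: the parameters file.php?permitted=1 delivers.
$request = ['permitted' => '1'];

// Compare both checks for a failed and a successful real test.
foreach ([false, true] as $loginOk) {
    printf(
        "real test passed=%s  vulnerable: %s  hardened: %s\n",
        var_export($loginOk, true),
        check_vulnerable($request, $loginOk),
        check_hardened($request, $loginOk)
    );
}
```

Initialising every security-relevant variable before use keeps the check correct whether or not the server setting is on, which matters when the `.htaccess` override is rejected as in the first post.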


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.