register globals?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
User avatar
naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany
Contact:

Re: register globals?

Post by naderman »

Obi_Wan wrote: Hehe. Nice idea. Well the funny thing with me is that my register_globals are off global and locally as the phpinfo says however phpbb still thinks it's on. Well. I will see that the future brings ^^.
Interesting. What PHP version are you using? (Maybe you could even send me what output phpinfo() gives)

Obi_Wan
Registered User
Posts: 83
Joined: Thu Aug 28, 2003 9:32 am
Contact:

Re: register globals?

Post by Obi_Wan »

I use php 4.4.1 at the moment. I'll send you the output via PM because not everyone has to know the link to a phpinfo file ;)
Image
May /dev/null be with you!

APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: register globals?

Post by APTX »

naderman wrote: phpBB3 will no longer allow the register_globals setting to be turned on.
Stupid CVS... it changes...
Don't give me my freedom out of pity!

cellpack
Registered User
Posts: 17
Joined: Mon Oct 06, 2003 1:47 pm

Re: register globals?

Post by cellpack »

umm the host have said its turned on, but they have no plans to turn it off, is this bad?? the .htaccess wont control it either!

i hope i can still use phpbb!

DeadEye686
Registered User
Posts: 448
Joined: Mon Jul 21, 2003 7:18 pm
Contact:

Re: register globals?

Post by DeadEye686 »

cellpack wrote: umm the host have said its turned on, but they have no plans to turn it off, is this bad?? the .htaccess wont control it either!

i hope i can still use phpbb!
This is VERY bad. I am astounded that a host who knows anything about what they're doing (which seems unlikely in this scenario) would leave globals on. It is a MASSIVE security risk.

User avatar
A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: register globals?

Post by A_Jelly_Doughnut »

I disagree about leaving it on: Register Globals are still used by far too many PHP applications. That isn't to say it isn't a security risk, but turning it off is a bad idea from a user's usability standpoint. Further, it is only a security risk if an insecure script is run on the server, and if other things on the server are set up securely, it would only be a risk for the user who uses an insecure application.

The good news: PHP developers are removing the feature in PHP6, along with magic quotes. Victory in canned pineapple!
A_Jelly_Doughnut

Obi_Wan
Registered User
Posts: 83
Joined: Thu Aug 28, 2003 9:32 am
Contact:

Re: register globals?

Post by Obi_Wan »

A_Jelly_Doughnut wrote: The good news: PHP developers are removing the feature in PHP6, along with magic quotes. Victory in canned pineapple!
How do you mean that? Will they remove register globals completely?
Image
May /dev/null be with you!

Nuttyguy
Registered User
Posts: 20
Joined: Wed Mar 09, 2005 7:41 am
Location: Lewiston, ID

Re: register globals?

Post by Nuttyguy »

cellpack wrote: umm the host have said its turned on, but they have no plans to turn it off, is this bad?? the .htaccess wont control it either!

i hope i can still use phpbb!
im not sure exactly how this works, but couldnt someone who wants to run phpBB3 on a host with them on just change a few lines in the installation script to make it not check?

Obi_Wan
Registered User
Posts: 83
Joined: Thu Aug 28, 2003 9:32 am
Contact:

Re: register globals?

Post by Obi_Wan »

Yes you can. I had to change one line to make it work with me because the installer didn't recognise on my server that register globals were off.
Image
May /dev/null be with you!

Nuttyguy
Registered User
Posts: 20
Joined: Wed Mar 09, 2005 7:41 am
Location: Lewiston, ID

Re: register globals?

Post by Nuttyguy »

Obi_Wan wrote: Yes you can. I had to change one line to make it work with me because the installer didn't recognise on my server that register globals were off.
I just tried it and it worked. Heres what to do: (sorry if this breaks the rules)

open install/install.php

find and delete
<tr>
<td>&bull;&nbsp;<b><?php echo $lang['PHP_REGISTER_GLOBALS']; ?>: </b></td>
<td><?php
if (@ini_get('register_globals') || strtolower(@ini_get('register_globals')) == 'on')
{
$passed['db'] = false;
echo '<b style="color:red">' . $lang['NO'] . '</b>';
}
else
{
echo '<b style="color:green">' . $lang['YES'] . '</b>';
}
?></td>
</tr>

Post Reply