register globals?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Obi_Wan
Registered User
Posts: 83
Joined: Thu Aug 28, 2003 9:32 am
Contact:

Re: register globals?

Post by Obi_Wan »

I just deleted

Code: Select all

$passed['db'] = false;
;). I think that was easier.
Image
May /dev/null be with you!

Nuttyguy
Registered User
Posts: 20
Joined: Wed Mar 09, 2005 7:41 am
Location: Lewiston, ID

Re: register globals?

Post by Nuttyguy »

my fix completly gets rid of the register globals check... your fix just makes it so no matter what errors come up, you can still install the board

User avatar
Stallyon
Registered User
Posts: 73
Joined: Mon May 31, 2004 1:30 pm
Location: BNE
Contact:

Re: register globals?

Post by Stallyon »

If a host will not allow you to turn off register globals AT ALL, I would consider a new host. That's why hiring a dedicated or having your own server rawks. You can set everything exactly how you need and install what you like.

User avatar
A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: register globals?

Post by A_Jelly_Doughnut »

Obi_Wan wrote: How do you mean that? Will they remove register globals completely?
Yes, exactly.

And to stallyon, I repeat my earlier post in this topic. There is no incentive for hosts to turn off register globals because many n00b php coders still use it. A dedicated server is great, but there is no reason to buy one just to make a LAMP app run.
A_Jelly_Doughnut

Obi_Wan
Registered User
Posts: 83
Joined: Thu Aug 28, 2003 9:32 am
Contact:

Re: register globals?

Post by Obi_Wan »

A_Jelly_Doughnut wrote:
Obi_Wan wrote: How do you mean that? Will they remove register globals completely?
Yes, exactly.

And to stallyon, I repeat my earlier post in this topic. There is no incentive for hosts to turn off register globals because many n00b php coders still use it. A dedicated server is great, but there is no reason to buy one just to make a LAMP app run.
Hehe I was one of them who used register globals always. But I changed a few years ago ;). A lot of books I know always show how to use vars from post or get with register globals.
Image
May /dev/null be with you!

Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 367
Joined: Thu Sep 16, 2004 9:02 am
Contact:

Re: register globals?

Post by Paul »

Nuttyguy wrote:
Obi_Wan wrote: Yes you can. I had to change one line to make it work with me because the installer didn't recognise on my server that register globals were off.
I just tried it and it worked. Heres what to do: (sorry if this breaks the rules)

open install/install.php

find and delete
<tr>
<td>&bull;&nbsp;<b><?php echo $lang['PHP_REGISTER_GLOBALS']; ?>: </b></td>
<td><?php
if (@ini_get('register_globals') || strtolower(@ini_get('register_globals')) == 'on')
{
$passed['db'] = false;
echo '<b style="color:red">' . $lang['NO'] . '</b>';
}
else
{
echo '<b style="color:green">' . $lang['YES'] . '</b>';
}
?></td>
</tr>
This code has been inserted last week. It is much safer to disable it.

cellpack
Registered User
Posts: 17
Joined: Mon Oct 06, 2003 1:47 pm

Re: register globals?

Post by cellpack »

its a very good idea having a check glad to know phpbb care! its a shame the host leaves it enabled but i suppose it would be a big change if the server hosts changed it, bet it could cause alot of frustration amongst people who have spent time coding with this enabled!

Graham
Registered User
Posts: 1304
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Re: register globals?

Post by Graham »

A_Jelly_Doughnut wrote: There is no incentive for hosts to turn off register globals because many n00b php coders still use it.
Actually, that is a very good reason to turn it off ;)

Now back to the original topic, whilst we are not 100% decided yet on whether we will refuse to install on systems with this enabled (the inclusion at this stage was a way for me to guage the reaction from people trying it and find problems), it is quite likely that we will do so.

Now yes, it is easy to remove that check from the code, but clearly if you do so, you run at your own risk for any problems which may arise via that route
"So Long, and Thanks for All the Fish"

Graham
Eeek, a blog!

APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: register globals?

Post by APTX »

Graham aren't you deleting any variables that were created via register_globals=on? Or was that removed now? Becopuse now the only thing that refuses to work with regoster_globals=on is the install script... unless CVS changed again.
Don't give me my freedom out of pity!

Yoda_IRC
Registered User
Posts: 158
Joined: Tue Mar 01, 2005 10:19 pm

Re: register globals?

Post by Yoda_IRC »

Surely a script can be written such that having register globals on won't cause a security risk? Admitidly this is alot harder with bigger apps especially due to PHP being loose typed which means a typo is a valid variable and obviously if you didn't mean to type it that way then its not going to be initilized.

You can change some PHP settings from a php script with ini_set(), unfortunatly (if I am reading the manual right) this does not work for register_globals, it can only be set in php.ini, .htaccess or httpd.conf. Of course this makes sense if its turned off for security reason as it prevents a users script trying to turn it on. But surely the other way is ok? oh well the permissions just aren't written that way.

magic_quotes being turned off? that could cause LOTS of problems, I know people who still rely on it for secuirty, my scripts currently do. But I am in the process of changing them so that escaping for SQL is done by a DB specific function so it escapes what it needs to. Problem is it first has to reverse the auto quoting, which I guess is why they may want to turn it off. Atleast it will fix the problems where you echo soething to the screan that the user typed in and you get backslashes before your speech marks and single quotes.

I can't imagine it is an incompetent host, its off by default so they would have had to explicitly looked for and re-enabled it. If they didn't know about PHP they would have set it to a default value surely?

The question is, apart from the check does phpBB rely on the globals being off? i.e. are there uninitilized variables? I seem to remember something about phpBB setting a variable (something like 'inphpbb') to check wether a file is being included properly, could I direct page load specifying the correct variable name in the URL cause a problem? or is that not in phpBB3?

Post Reply