Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
If a host will not allow you to turn off register globals AT ALL, I would consider a new host. That's why hiring a dedicated or having your own server rawks. You can set everything exactly how you need and install what you like.
Obi_Wan wrote:
How do you mean that? Will they remove register globals completely?
Yes, exactly.
And to stallyon, I repeat my earlier post in this topic. There is no incentive for hosts to turn off register globals because many n00b php coders still use it. A dedicated server is great, but there is no reason to buy one just to make a LAMP app run.
Obi_Wan wrote:
How do you mean that? Will they remove register globals completely?
Yes, exactly.
And to stallyon, I repeat my earlier post in this topic. There is no incentive for hosts to turn off register globals because many n00b php coders still use it. A dedicated server is great, but there is no reason to buy one just to make a LAMP app run.
Hehe I was one of them who used register globals always. But I changed a few years ago . A lot of books I know always show how to use vars from post or get with register globals.
Obi_Wan wrote:
Yes you can. I had to change one line to make it work with me because the installer didn't recognise on my server that register globals were off.
I just tried it and it worked. Heres what to do: (sorry if this breaks the rules)
its a very good idea having a check glad to know phpbb care! its a shame the host leaves it enabled but i suppose it would be a big change if the server hosts changed it, bet it could cause alot of frustration amongst people who have spent time coding with this enabled!
A_Jelly_Doughnut wrote:
There is no incentive for hosts to turn off register globals because many n00b php coders still use it.
Actually, that is a very good reason to turn it off
Now back to the original topic, whilst we are not 100% decided yet on whether we will refuse to install on systems with this enabled (the inclusion at this stage was a way for me to guage the reaction from people trying it and find problems), it is quite likely that we will do so.
Now yes, it is easy to remove that check from the code, but clearly if you do so, you run at your own risk for any problems which may arise via that route
Graham aren't you deleting any variables that were created via register_globals=on? Or was that removed now? Becopuse now the only thing that refuses to work with regoster_globals=on is the install script... unless CVS changed again.
Surely a script can be written such that having register globals on won't cause a security risk? Admitidly this is alot harder with bigger apps especially due to PHP being loose typed which means a typo is a valid variable and obviously if you didn't mean to type it that way then its not going to be initilized.
You can change some PHP settings from a php script with ini_set(), unfortunatly (if I am reading the manual right) this does not work for register_globals, it can only be set in php.ini, .htaccess or httpd.conf. Of course this makes sense if its turned off for security reason as it prevents a users script trying to turn it on. But surely the other way is ok? oh well the permissions just aren't written that way.
magic_quotes being turned off? that could cause LOTS of problems, I know people who still rely on it for secuirty, my scripts currently do. But I am in the process of changing them so that escaping for SQL is done by a DB specific function so it escapes what it needs to. Problem is it first has to reverse the auto quoting, which I guess is why they may want to turn it off. Atleast it will fix the problems where you echo soething to the screan that the user typed in and you get backslashes before your speech marks and single quotes.
I can't imagine it is an incompetent host, its off by default so they would have had to explicitly looked for and re-enabled it. If they didn't know about PHP they would have set it to a default value surely?
The question is, apart from the check does phpBB rely on the globals being off? i.e. are there uninitilized variables? I seem to remember something about phpBB setting a variable (something like 'inphpbb') to check wether a file is being included properly, could I direct page load specifying the correct variable name in the URL cause a problem? or is that not in phpBB3?