register globals?

Obi_Wan · Post by **Obi_Wan** » Sun Jan 15, 2006 10:11 am

I just deleted

$passed['db'] = false;

. I think that was easier.

Nuttyguy · Post by **Nuttyguy** » Sun Jan 15, 2006 10:40 am

my fix completly gets rid of the register globals check... your fix just makes it so no matter what errors come up, you can still install the board

Stallyon · Post by **Stallyon** » Sun Jan 15, 2006 12:00 pm

If a host will not allow you to turn off register globals AT ALL, I would consider a new host. That's why hiring a dedicated or having your own server rawks. You can set everything exactly how you need and install what you like.

A_Jelly_Doughnut · Post by **A_Jelly_Doughnut** » Sun Jan 15, 2006 3:51 pm

Obi_Wan wrote: How do you mean that? Will they remove register globals completely?

Yes, exactly.

And to stallyon, I repeat my earlier post in this topic. There is no incentive for hosts to turn off register globals because many n00b php coders still use it. A dedicated server is great, but there is no reason to buy one just to make a LAMP app run.

Obi_Wan · Post by **Obi_Wan** » Sun Jan 15, 2006 4:00 pm

A_Jelly_Doughnut wrote:
Obi_Wan wrote: How do you mean that? Will they remove register globals completely?
Yes, exactly.

And to stallyon, I repeat my earlier post in this topic. There is no incentive for hosts to turn off register globals because many n00b php coders still use it. A dedicated server is great, but there is no reason to buy one just to make a LAMP app run.

Hehe I was one of them who used register globals always. But I changed a few years ago

. A lot of books I know always show how to use vars from post or get with register globals.

Post by **Paul** » Sun Jan 15, 2006 8:12 pm

Nuttyguy wrote:
Obi_Wan wrote: Yes you can. I had to change one line to make it work with me because the installer didn't recognise on my server that register globals were off.
I just tried it and it worked. Heres what to do: (sorry if this breaks the rules)

open install/install.php

find and delete
<tr>
<td>• <?php echo $lang['PHP_REGISTER_GLOBALS']; ?>: </td>
<td><?php
if (@ini_get('register_globals') || strtolower(@ini_get('register_globals')) == 'on')
{
$passed['db'] = false;
echo '' . $lang['NO'] . '';
}
else
{
echo '' . $lang['YES'] . '';
}
?></td>
</tr>

This code has been inserted last week. It is much safer to disable it.

cellpack · Post by **cellpack** » Tue Jan 17, 2006 8:26 am

its a very good idea having a check glad to know phpbb care! its a shame the host leaves it enabled but i suppose it would be a big change if the server hosts changed it, bet it could cause alot of frustration amongst people who have spent time coding with this enabled!

Graham · Post by **Graham** » Tue Jan 17, 2006 6:07 pm

A_Jelly_Doughnut wrote: There is no incentive for hosts to turn off register globals because many n00b php coders still use it.

Actually, that is a very good reason to turn it off

Now back to the original topic, whilst we are not 100% decided yet on whether we will refuse to install on systems with this enabled (the inclusion at this stage was a way for me to guage the reaction from people trying it and find problems), it is quite likely that we will do so.

Now yes, it is easy to remove that check from the code, but clearly if you do so, you run at your own risk for any problems which may arise via that route

APTX · Post by **APTX** » Tue Jan 17, 2006 10:07 pm

Graham aren't you deleting any variables that were created via register_globals=on? Or was that removed now? Becopuse now the only thing that refuses to work with regoster_globals=on is the install script... unless CVS changed again.

Yoda_IRC · Post by **Yoda_IRC** » Tue Jan 17, 2006 10:24 pm

Surely a script can be written such that having register globals on won't cause a security risk? Admitidly this is alot harder with bigger apps especially due to PHP being loose typed which means a typo is a valid variable and obviously if you didn't mean to type it that way then its not going to be initilized.

You can change some PHP settings from a php script with ini_set(), unfortunatly (if I am reading the manual right) this does not work for register_globals, it can only be set in php.ini, .htaccess or httpd.conf. Of course this makes sense if its turned off for security reason as it prevents a users script trying to turn it on. But surely the other way is ok? oh well the permissions just aren't written that way.

magic_quotes being turned off? that could cause LOTS of problems, I know people who still rely on it for secuirty, my scripts currently do. But I am in the process of changing them so that escaping for SQL is done by a DB specific function so it escapes what it needs to. Problem is it first has to reverse the auto quoting, which I guess is why they may want to turn it off. Atleast it will fix the problems where you echo soething to the screan that the user typed in and you get backslashes before your speech marks and single quotes.

I can't imagine it is an incompetent host, its off by default so they would have had to explicitly looked for and re-enabled it. If they didn't know about PHP they would have set it to a default value surely?

The question is, apart from the check does phpBB rely on the globals being off? i.e. are there uninitilized variables? I seem to remember something about phpBB setting a variable (something like 'inphpbb') to check wether a file is being included properly, could I direct page load specifying the correct variable name in the URL cause a problem? or is that not in phpBB3?

Development Discussion Board

register globals?

Re: register globals?

Re: register globals?

Re: register globals?

Re: register globals?

Re: register globals?

Re: register globals?

Re: register globals?

Re: register globals?

Re: register globals?

Re: register globals?