register globals?

[naderman]

Hehe. Nice idea. Well the funny thing with me is that my register_globals are off global and locally as the phpinfo says however phpbb still thinks it's on. Well. I will see that the future brings ^^.

Interesting. What PHP version are you using? (Maybe you could even send me what output phpinfo() gives)

[Obi_Wan]

I use php 4.4.1 at the moment. I'll send you the output via PM because not everyone has to know the link to a phpinfo file

[APTX]

phpBB3 will no longer allow the register_globals setting to be turned on.

Stupid CVS... it changes...

[cellpack]

umm the host have said its turned on, but they have no plans to turn it off, is this bad?? the .htaccess wont control it either!

i hope i can still use phpbb!

[DeadEye686]

umm the host have said its turned on, but they have no plans to turn it off, is this bad?? the .htaccess wont control it either!

i hope i can still use phpbb!

This is VERY bad. I am astounded that a host who knows anything about what they're doing (which seems unlikely in this scenario) would leave globals on. It is a MASSIVE security risk.

[A_Jelly_Doughnut]

I disagree about leaving it on: Register Globals are still used by far too many PHP applications. That isn't to say it isn't a security risk, but turning it off is a bad idea from a user's usability standpoint. Further, it is only a security risk if an insecure script is run on the server, and if other things on the server are set up securely, it would only be a risk for the user who uses an insecure application.

The good news: PHP developers are removing the feature in PHP6, along with magic quotes. Victory in canned pineapple!

[Obi_Wan]

The good news: PHP developers are removing the feature in PHP6, along with magic quotes. Victory in canned pineapple!

How do you mean that? Will they remove register globals completely?

[Nuttyguy]

umm the host have said its turned on, but they have no plans to turn it off, is this bad?? the .htaccess wont control it either!

i hope i can still use phpbb!

im not sure exactly how this works, but couldnt someone who wants to run phpBB3 on a host with them on just change a few lines in the installation script to make it not check?

[Obi_Wan]

Yes you can. I had to change one line to make it work with me because the installer didn't recognise on my server that register globals were off.

[Nuttyguy]

Yes you can. I had to change one line to make it work with me because the installer didn't recognise on my server that register globals were off.

I just tried it and it worked. Heres what to do: (sorry if this breaks the rules)

open install/install.php

find and delete

<tr>
<td>&bull;&nbsp;<b><?php echo $lang['PHP_REGISTER_GLOBALS']; ?>: </b></td>
<td><?php
if (@ini_get('register_globals') || strtolower(@ini_get('register_globals')) == 'on')
{
$passed['db'] = false;
echo '<b style="color:red">' . $lang['NO'] . '</b>';
}
else
{
echo '<b style="color:green">' . $lang['YES'] . '</b>';
}
?></td>
</tr>