Topic awaiting preservation: regarding register_globals in php (Page 1 of 1)

 
DmS
Paranoid (IV) Inmate

From: Sthlm, Sweden
Insane since: Oct 2000

posted 07-22-2002 23:09

Hi there
I'm working with user authentication and sessions at the moment and my dev-environment has register_globals turned on. I know that opens a security hole that I'd like to avoid.
However, I don't know in advance if the server where this will reside has it turned off or on.
Are there any problems I can expect if I code for register_globals = off and they are turned on on the next server?
/Dan

{cell 260}
-{ a vibration is a movement that doesn't know which way to go }-

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 07-23-2002 01:52

DmS: You could turn them off using php_flag in your .htaccess file:

code:
php_flag register_globals off



However, I believe you have to have AllowOverride (in the config) set to Options (not None), so you might want to check if that's set up or can be easily changed.

Anyway, I think that's right, but you can always try it out and see.

___________________
Emps

FAQs: Emperor

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 07-23-2002 13:38

option b)
call, at the very beginning of your script (for example, in your main include file),
these handy dandy functions.
They destroy all the globals that came in from the user.


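function trashgets() // destroys the easy $varname passed by get. security measure.
{
    global $HTTP_GET_VARS;
    foreach ($HTTP_GET_VARS as $aKey => $aVar)
    {
        // This only changes the loop's copy, not $HTTP_GET_VARS[$aKey].
        $aVar = trim(addslashes(strip_tags($aVar)));
        // unset($$aKey) would only remove a local variable of this function;
        // the registered global has to be removed through $GLOBALS.
        unset($GLOBALS[$aKey]);
    }
}

function trashposts() // destroys the easy $varnames passed by a post. security measure
{
    global $HTTP_POST_VARS;
    foreach ($HTTP_POST_VARS as $aKey => $aVar)
    {
        // This only changes the loop's copy, not $HTTP_POST_VARS[$aKey].
        $aVar = trim(addslashes(strip_tags($aVar)));
        unset($GLOBALS[$aKey]); // remove the registered global, not a local
    }
}

function trashcookies() // destroys the easy $varnames passed by a cookie. security measure
{
    global $HTTP_COOKIE_VARS;
    foreach ($HTTP_COOKIE_VARS as $aKey => $aVar)
    {
        // This only changes the loop's copy; the entry itself is removed below.
        $aVar = trim(addslashes(strip_tags($aVar)));
        unset($GLOBALS[$aKey]); // remove the registered global, not a local
        unset($HTTP_COOKIE_VARS[$aKey]);
    }
}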

so long,

Tyberius Prime

DmS
Paranoid (IV) Inmate

From: Sthlm, Sweden
Insane since: Oct 2000

posted 07-23-2002 15:24

Thanx both!
I'll look into it some more.
One thing is for sure, life in php-land is a lot easier with "register_globals = on" (either that, or I'm doing something wrong so far...).
Smart functions there, TP. Sometimes the simple ways are good ways!
/Dan

{cell 260}
-{ a vibration is a movement that doesn't know which way to go }-
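
The cleanup idea from Tyberius Prime's post, applied to DmS's requirement that the code behave the same whether register_globals is on or off, as an added example that is not code from the thread. It is written for a current PHP CLI, where register_globals no longer exists (it was removed in PHP 5.4), so the global scope is simulated by the `$scope` array; `unregister_request_globals`, `is_authorized`, `RESERVED` and the sample data are hypothetical names constructed for illustration.

```php
<?php
// Added example, not code from the thread. The global scope is simulated
// with an array so this runs on a current PHP CLI.

// Names that request keys must never be allowed to remove.
const RESERVED = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_SESSION',
                  '_SERVER', '_ENV', '_FILES', '_REQUEST'];

// Undo what register_globals = on does: drop every entry in $scope whose
// name arrived as a request key. Returns the names that were dropped.
function unregister_request_globals(array &$scope, array ...$inputs): array
{
    $removed = [];
    foreach ($inputs as $input) {
        foreach (array_keys($input) as $name) {
            $name = (string) $name;
            if (in_array($name, RESERVED, true)) {
                continue; // leave the input arrays themselves alone
            }
            if (array_key_exists($name, $scope)) {
                unset($scope[$name]);
                $removed[] = $name;
            }
        }
    }
    return $removed;
}

// Authorization is decided only from server-side session data, never from
// a bare variable that a request key could have created.
function is_authorized(array $session): bool
{
    return isset($session['user_id'])
        && ($session['authorized'] ?? false) === true;
}

// Constructed sample data: a request carrying ?authorized=1&page=home,
// an empty session (nobody logged in), and the global scope as it would
// look after register_globals = on copied the request keys into it.
$get     = ['authorized' => '1', 'page' => 'home'];
$session = [];
$scope   = ['authorized' => '1', 'page' => 'home', 'config' => 'app.ini'];

$removed = unregister_request_globals($scope, $get);
echo 'removed: ', implode(', ', $removed), "\n";
echo 'left in scope: ', implode(', ', array_keys($scope)), "\n";
echo 'authorized: ', var_export(is_authorized($session), true), "\n";
```

The cleanup belongs at the very start of the script, before the application sets any variables of its own, so that only request-derived names can be removed.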
