PHP Register Globals Work Around

[jj20051]

I have this older script that uses php register globals (on) . I know it's a big deal if you use it as it's a security flaw, but is there a way to work around this flaw in the script without rewriting it again?

[DarkWater]

Take the 15 minutes to rewrite, honestly.  You CAN "simulate" register_globals, but it's really inadvisable.

[jj20051]

It's Like 25 - 35 PHP Files. So If I Could Pay Someone or If Someone Could Write A Brief Tutorial On What To Fix That Would Be g8.

[DarkWater]

What kind of script is it for it to have 25-35 files?  Elaborate.

[.josh]

If you have access to php.ini you can simply set it to on..

[.josh]

oh yeah alternatively you can put

 

php_flag register_globals on

 

in your .htaccess file

[PFMaBiSmAd]

Register_globals involved magically populating same name program/post/get/cookie/session variables. Any of the following present in a script - $abc, $_POST['abc'], $_GET['abc'], $_COOKIE['abc'], $_SESSION['abc'] are all cross-populated with the same value when register_globals are on.

 

The fix is to modify your code to convert any use of session_register, session_is_registered, session_unregister... functions to use $_SESSION and change code so that it specifically references the correct $_POST, $_GET, $_COOKIE, $_SESSION, or program variable that it is expecting a value to be in.

 

The hard part in doing this is you need to determine how a variable is being used in any piece of code.

[DarkWater]

@CV: Orrrr, he could do it right and just not rely on them. =/

[.josh]

@CV: Orrrr, he could do it right and just not rely on them. =/

 

Obviously.  You gave him the warning.  It's up to him whether to accept it or not.  I'm not going to judge his situation.  Warning him about it is enough IMO.