Jump to content

[SOLVED] multi-site register_globals

theycallmepj

By theycallmepj
in PHP Coding Help

 Share

Recommended Posts

theycallmepj Newbie

theycallmepj

Posted
Posted
I have a few sites on my web server. From what I understand, having register_globals turned on is a big security risk.

I have a site that is coded to use register_globals, and we currently don't have the time to re-write the entire things so it works with register_globals off. This site is secure, you need to log in using SSL to access it. The other site is not secure, and does not need register_globals to be turn on, but has several applications are vulnerable because it is turned on. We have had people drop email bombs on our server due to this being on.

My question is, is there a way to have register_globals on for one site, and off for another?
Thanks
-Paul
Link to comment
https://forums.phpfreaks.com/topic/32055-solved-multi-site-register_globals/
Share on other sites
bljepp69 Newbie

bljepp69

Posted
Posted
From the manual [url=http://www.php.net/manual/en/faq.misc.php#faq.misc.registerglobals]http://www.php.net/manual/en/faq.misc.php#faq.misc.registerglobals[/url]

This will emulate register_globals Off. Keep in mind, that this code should be called at the very beginning of your script, or after session_start() if you use it to start your session.

[code]
<?php
// Emulate register_globals off
function unregister_GLOBALS()
{
  if (!ini_get('register_globals')) {
      return;
  }

  // Might want to change this perhaps to a nicer error
  if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
      die('GLOBALS overwrite attempt detected');
  }

  // Variables that shouldn't be unset
  $noUnset = array('GLOBALS',  '_GET',
                    '_POST',    '_COOKIE',
                    '_REQUEST', '_SERVER',
                    '_ENV',    '_FILES');

  $input = array_merge($_GET,    $_POST,
                        $_COOKIE, $_SERVER,
                        $_ENV,    $_FILES,
                        isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
 
  foreach ($input as $k => $v) {
      if (!in_array($k, $noUnset) && isset($GLOBALS[$k])) {
          unset($GLOBALS[$k]);
      }
  }
}

unregister_GLOBALS();

?> 
[/code]
theycallmepj Newbie

theycallmepj

Posted
  • Author
Posted
Thanks for the help

Is there a way to do it site wide, instead of putting that script in the pages of the applications on my website

I read something that it can be done with a .htaccess file. I haven't done much with .htaccess files, but I have seen if you put:
[i]php_flag register_globals off[/i]
in a .htaccess file it should turn it off.


Is there a way for me to test that? If I put the .htaccess in the root of the website directory, will it cover the entire directory recursively? Or do I have to put that file into every directory within the root of the website?
alpine Member

alpine

Posted
Posted
Put it in the main folder and it should work in all folders beneath it.

Test it with something silly like this, but set the adressbar like file.php?var=hello
[code]

<?php

echo "You see this ? --> ". $var ." <-- If not, globals is Off";

?>

[/code]
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.