Jump to content

Archived

This topic is now archived and is closed to further replies.

JRS

Need to turn off Register Globals on shared site

Recommended Posts

Hello,

I have been developing an app. locally with Register_Globals set to OFF. However, just found out my HOST, has Register_Globals turned ON. This has caused some weird errors in my code (data corruption in session variables).

How do I turn off register_globals if I don't have access to php.ini? Can I request the ISP to turn it off? Are they supposed to turn it off by default?

Thanks in advance
JRS

Share this post


Link to post
Share on other sites
I ran into the same thing while developing a website for a client then parked it at Yahoo! webhosting. They also had Register Globals set to ON....Made me cringe, but I was able to still initialize sessions and keep pretty secure code...

Unfortunately, no way to turn Register Globals to OFF w/o access to php.ini file. When I contacted Yahoo! they stated they had NO plans of adjusting so I had to dig deep and use define() more...

Share this post


Link to post
Share on other sites
[!--quoteo(post=368728:date=Apr 26 2006, 12:04 AM:name=PWD)--][div class=\'quotetop\']QUOTE(PWD @ Apr 26 2006, 12:04 AM) [snapback]368728[/snapback][/div][div class=\'quotemain\'][!--quotec--]
I ran into the same thing while developing a website for a client then parked it at Yahoo! webhosting. They also had Register Globals set to ON....Made me cringe, but I was able to still initialize sessions and keep pretty secure code...

Unfortunately, no way to turn Register Globals to OFF w/o access to php.ini file. When I contacted Yahoo! they stated they had NO plans of adjusting so I had to dig deep and use define() more...
[/quote]
PWD,
Thanks for the feedback. Can I ask how you used define() to solve any potential issues? I read the php manual with regards to Register_globals and not really clear on what is causing the problems and how it can be fixed.
Thanks
JRS

Share this post


Link to post
Share on other sites
In some cases webhosts may allow the use of .htaccess files. With .htaccess you can change a few settings to the server such as turning off register_globals. If you create a .htaccess file in root of where you store your website files with the following:
[code]php_flag register_globals off[/code]

This may turn off register_globals through out your site.

Share this post


Link to post
Share on other sites
[!--quoteo(post=368778:date=Apr 26 2006, 05:52 AM:name=wildteen88)--][div class=\'quotetop\']QUOTE(wildteen88 @ Apr 26 2006, 05:52 AM) [snapback]368778[/snapback][/div][div class=\'quotemain\'][!--quotec--]
In some cases webhosts may allow the use of .htaccess files. With .htaccess you can change a few settings to the server such as turning off register_globals. If you create a .htaccess file in root of where you store your website files with the following:
[code]php_flag register_globals off[/code]

This may turn off register_globals through out your site.
[/quote]
Wildteen88,
I checked with the webhost - they said quite a few of their clients require register_globals on - so they have enabled it on all their shared servers. Only solution is to use Virtual Private Server.

Would anyone have any guidelines as to what I should check in my application to make sure it works with register_globals ON?

I guess I will change my local setting to register_global ON to test the application.
Thanks
JRS

Share this post


Link to post
Share on other sites
What register_globals does is extract the variables inside the supergloabls arrays, Superglobal arrays the following variables:
$_POST, $_GET, $_SESSION, $_COOKIE etc.

Now if you have something like this:
[code]<?php

if(isset($_POST['submit']))
{
    echo $_POST['formValue'];
}

?>
<form action="<?php $_SERVER['PHP_SELF']; ?>" method="post">
   <input type="text" name="formValue" /><br />
   <input type="submit" name="submit" value="Submit">
</form>[/code]Now that wont work on your ISPs server but this will:
[code]<?php

if(isset($submit))
{
     echo $formValue;
}

?>
<form action="<?php echo $PHP_SELF; ?>" method="post">
   <input type="text" name="formValue" /><br />
   <input type="submit" name="submit" value="Submit">
</form>[/code]
Notice the difference?

Share this post


Link to post
Share on other sites
[!--quoteo(post=368881:date=Apr 26 2006, 12:00 PM:name=wildteen88)--][div class=\'quotetop\']QUOTE(wildteen88 @ Apr 26 2006, 12:00 PM) [snapback]368881[/snapback][/div][div class=\'quotemain\'][!--quotec--]
What register_globals does is extract the variables inside the supergloabls arrays, Superglobal arrays the following variables:
$_POST, $_GET, $_SESSION, $_COOKIE etc.

[/quote]

Wildteen88,
Thanks for the example, I understand it now. This would involve me having to change quite a bit of code. What I don't understand it - most of my application still works on the hostsite. All my code involves using $_POST['index'] type access.

Also I found this code snippet from another user on the PHP.NET site for turning register globals off (simulate) - would this work? do you see any issues with this code?
(thanks rn12 in UK somewhere! for the followin code)
To fix it, you must do
[code][
       $unset = array_keys($_SESSION);
       foreach($unset as $rg_var){
               if(isset($$rg_var)){
                       unset($$rg_var);
               }
       }
AFTER you have called session_start().
[/code]

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.