Need to turn off Register Globals on shared site


6 replies to this topic

#1 JRS

JRS
  • Members
  • Advanced Member
  • 45 posts

Posted 26 April 2006 - 03:29 AM

Hello,

I have been developing an app locally with register_globals set to OFF. However, I just found out my host has register_globals turned ON. This has caused some weird errors in my code (data corruption in session variables).

How do I turn off register_globals if I don't have access to php.ini? Can I request the ISP to turn it off? Are they supposed to turn it off by default?

Thanks in advance
JRS

#2 PWD

PWD
  • Members
  • Member
  • 19 posts

Posted 26 April 2006 - 04:04 AM

I ran into the same thing while developing a website for a client, then parked it at Yahoo! webhosting. They also had Register Globals set to ON... Made me cringe, but I was still able to initialize sessions and keep pretty secure code...

Unfortunately, there is no way to turn Register Globals to OFF without access to the php.ini file. When I contacted Yahoo! they stated they had NO plans of adjusting, so I had to dig deep and use define() more...

My Gratitude
(My gratitude in advance for helping me learn; so I may one day give as freely as you have here today)
PWD

#3 JRS


Posted 26 April 2006 - 04:19 AM

QUOTE (PWD @ Apr 26 2006, 12:04 AM)
> I ran into the same thing while developing a website for a client, then parked it at Yahoo! webhosting. They also had Register Globals set to ON... Made me cringe, but I was still able to initialize sessions and keep pretty secure code...
>
> Unfortunately, there is no way to turn Register Globals to OFF without access to the php.ini file. When I contacted Yahoo! they stated they had NO plans of adjusting, so I had to dig deep and use define() more...

PWD,
Thanks for the feedback. Can I ask how you used define() to solve any potential issues? I read the PHP manual with regard to register_globals and I am not really clear on what is causing the problems and how it can be fixed.
Thanks
JRS


#4 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • LocationUK, Bournemouth

Posted 26 April 2006 - 09:52 AM

In some cases webhosts may allow the use of .htaccess files. With .htaccess you can change a few server settings, such as turning off register_globals. Create a .htaccess file in the root of where you store your website files with the following:

```apache
php_flag register_globals off
```

This may turn off register_globals throughout your site.

#5 JRS


Posted 26 April 2006 - 02:27 PM

QUOTE (wildteen88 @ Apr 26 2006, 05:52 AM)
> In some cases webhosts may allow the use of .htaccess files. With .htaccess you can change a few server settings, such as turning off register_globals. Create a .htaccess file in the root of where you store your website files with the following:
>
>     php_flag register_globals off
>
> This may turn off register_globals throughout your site.

Wildteen88,
I checked with the webhost - they said quite a few of their clients require register_globals on, so they have enabled it on all their shared servers. The only solution is to use a Virtual Private Server.

Would anyone have any guidelines as to what I should check in my application to make sure it works with register_globals ON?

I guess I will change my local setting to register_globals ON to test the application.
Thanks
JRS

#6 wildteen88


Posted 26 April 2006 - 04:00 PM

What register_globals does is extract the variables inside the superglobal arrays. Superglobal arrays are the following variables:
$_POST, $_GET, $_SESSION, $_COOKIE etc.

Now if you have something like this:

```php
<?php

// Read the submitted values from the $_POST superglobal.
if (isset($_POST['submit']))
{
    // Escape user input before echoing it back into the page.
    echo htmlspecialchars($_POST['formValue']);
}

?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
   <input type="text" name="formValue" /><br />
   <input type="submit" name="submit" value="Submit">
</form>
```

Now that won't work on your ISP's server but this will:

```php
<?php

// Relies on register_globals: the form fields arrive as plain globals.
if (isset($submit))
{
    // Escape user input before echoing it back into the page.
    echo htmlspecialchars($formValue);
}

?>
<form action="<?php echo htmlspecialchars($PHP_SELF); ?>" method="post">
   <input type="text" name="formValue" /><br />
   <input type="submit" name="submit" value="Submit">
</form>
```

Notice the difference?

#7 JRS


Posted 26 April 2006 - 04:55 PM

QUOTE (wildteen88 @ Apr 26 2006, 12:00 PM)
> What register_globals does is extract the variables inside the superglobal arrays. Superglobal arrays are the following variables:
> $_POST, $_GET, $_SESSION, $_COOKIE etc.

Wildteen88,
Thanks for the example, I understand it now. This would involve me having to change quite a bit of code. What I don't understand is - most of my application still works on the host site. All my code involves using $_POST['index'] type access.

Also, I found this code snippet from another user on the PHP.NET site for turning register globals off (simulate) - would this work? Do you see any issues with this code?
(Thanks to rn12, in the UK somewhere, for the following code.)
To fix it, you must do

```php
<?php
session_start();

// For every session key, drop the global variable of the same name
// that register_globals created.
$unset = array_keys($_SESSION);
foreach ($unset as $rg_var) {
    if (isset($$rg_var)) {
        unset($$rg_var);
    }
}
```

AFTER you have called session_start().
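
Added example (not part of the thread, and not rn12's or the PHP manual's code): the session-only snippet above, generalised to every input array that register_globals copies into the global scope. The helper name `unregister_request_globals` and the sample `$_POST` data are assumptions; current PHP has no register_globals, so the demo emulates its effect before cleaning up.

```php
<?php
// Added example; unregister_request_globals() is a hypothetical helper name.
// register_globals was removed in PHP 5.4, so the demo below emulates it.

/**
 * Unset globals that register_globals created from the given input arrays.
 * Run it before the script assigns any globals of its own (a script global
 * whose name matches a request key is removed too), and again after
 * session_start() if session keys should be covered.
 */
function unregister_request_globals(array $sources)
{
    // The superglobals themselves must survive, even if a request
    // carries a key named "_SERVER" or "GLOBALS".
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                       '_SERVER', '_ENV', '_FILES', '_SESSION');
    $removed = array();

    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            $name = (string) $name;
            if (in_array($name, $protected, true)) {
                continue;
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed[] = $name;
            }
        }
    }
    return $removed;
}

// Constructed sample input: the form fields from the example in post #6.
$_POST = array('formValue' => 'hello', 'submit' => 'Submit');

// Emulate register_globals = On: copy every input key into global scope.
foreach ($_POST as $key => $value) {
    $GLOBALS[$key] = $value;
}

$session = isset($_SESSION) ? $_SESSION : array();
$removed = unregister_request_globals(array($_GET, $_POST, $_COOKIE, $session));

var_dump($removed);             // names of the globals that were unset
var_dump(isset($formValue));    // state of the injected global afterwards
var_dump($_POST['formValue']);  // the superglobal entry is left alone
```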