Register_Globals

bandboy

New member
I have read some articles over Register_Globals being off and a security risk when they are ON, but still I am confused as to why some script authors need Register_Globals to be enabled (or ON) to let their scripts work. One such example is WHMCS. What exactly does Register_Globals have to do and why should it be enabled for such scripts to work?
 
Assuming you're talking about PHP scripting. Scripts that require Register Globals be turned on are usually outdated and should be avoided. Register Globals were found to be a security breach and for the most part, hosting providers will have them turned off.

Without going into a big explanation, with Register Globals OFF, you are forced to write more secure scripts. Better for you, better for your database ... better for any clients data.
I know cause I wrote scripts using Global Variables not realizing the potential security flaws. I have since changed them all using more secure code.

Here's an article from the PHP manual.
Click Here
 
WorldCom said:
Assuming you're talking about PHP scripting. Scripts that require Register Globals be turned on are usually outdated and should be avoided.

Thanks for your reply and it does fit in for most scripts. Remember WHMCS script also requires Register_Global to be ON, so does it mean it is outdated and be avoided?
 
I am very surprised that this script requires that.
Globals on is a security risk. So you decide if it's worth it.
Personally, I would look for something else.

I don't profess to be an expert on PHP programming, but there are a few important things that I've learned. Security is tops.

If you like, have a look at the forum below and search for Register Globals. You can see the response of some real experts ;)
PHP Forum
 
bandboy said:
What exactly does Register_Globals have to do and why should it be enabled for such scripts to work?

IMHO it's required to be on to accommodate for lazy code.
It is sad when commercial applications can't be securely coded and work with globals off.
 
Yeah, pretty much what makes me wonder why should such scripts be sold in the first place if the script author is too lazy to secure stuff?
 
othellotech said:
IMHO it's required to be on to accommodate for lazy code.
It is sad when commercial applications can't be securely coded and work with globals off.

That is correct ..... it is for us lazy people ;)
I got totally caught off guard when a host I was using upgraded PHP and turned the globals off. Nothing would work and I had to go in and re-write all the code to conform. I learned my lesson though.

This is not to say that it's bad software, they just need to update it for the security changes in PHP. I would think that they would be working on that. If I were going to purchase it, I definitely would write to them and tell them my concerns.

Now I hear the next version is not going to allow short tags .... for those that know php, <? as opposed to <?php.
All my code now already has <?php just in case :)
 
htaccess and software titles

There are various php titles that do require globals to be turned on, and it seems to me that typically has more to do with the original coding than a lack of concern for security.

.htaccess commands can be used to set globals as needed (unless phpsuexec is enabled and php is running as cgi). That allows you to turn globals off for given directories instead of for your whole website, thereby minimizing the risks involved.

It's a one line addition as follows:

Disable globals:

php_flag register_globals off
or
php_value register_globals 0


To enable globals for a specific directory (or app)

php_flag register_globals on
or
php_value register_globals 1
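
The risk discussed in this thread, as an added example that is not part of any post above and is not WHMCS code: a script that depends on register_globals trusts request parameters as ordinary variables, shown beside a version that works with the setting off. The directive was removed in PHP 5.4, so its effect is emulated with extract(); the function names, session layout and request data are constructed for illustration.

```php
<?php
// Added illustration; function names and request data are constructed.
// register_globals no longer exists in current PHP, so its effect is
// emulated by copying request parameters into local scope with extract().

// Hypothetical stand-in for a real credential check.
function user_is_admin(array $session): bool
{
    return ($session['role'] ?? '') === 'admin';
}

// Legacy style: relies on request parameters appearing as plain variables
// and never initializes $authorized before testing it.
function legacy_page(array $request, array $session): string
{
    extract($request);            // what register_globals=On did implicitly
    if (user_is_admin($session)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin panel' : 'access denied';
}

// Hardened style: works with register_globals off. State is set only by
// the script itself, and input is read from the explicit request array.
function hardened_page(array $request, array $session): string
{
    $authorized = user_is_admin($session);
    $page = isset($request['page']) && is_string($request['page'])
        ? $request['page'] : 'home';
    // Allow-list the one parameter this page actually accepts.
    if (!in_array($page, ['home', 'billing'], true)) {
        $page = 'home';
    }
    return $authorized ? "admin panel ($page)" : 'access denied';
}

// Constructed request: an ordinary customer's URL carries authorized=1.
$request = ['authorized' => '1', 'page' => 'billing'];
$session = ['role' => 'customer'];

echo 'legacy:   ', legacy_page($request, $session), "\n";
echo 'hardened: ', hardened_page($request, $session), "\n";
```

The legacy function treats the customer as authorized because the request supplied the variable the script forgot to initialize; the hardened function ignores it. Code written the second way does not need register_globals enabled at all.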
 