Question for you php Gurus about security...

Is it a security risk to turn  register_globals ON and why?

[Join us @ facebook]

Not really. It is just old fashion programming.

I can't think of a security problem due to registered globals.

[Free WordPress Themes]

there are risks if the scripts is bad coded,

some unvalidated $var can be replaced with some url like www.domain.com/?var=bad_value

I learned never use register_globals!!!

Interesting, mixed results from you two.

Would you use a script that required globals to be turned on?

[Join us @ facebook]

Interesting, mixed results from you two.

Would you use a script that required globals to be turned on?

There are many projects that use registered globals without causing troubles, eg. osCommerce requires them, and I never heared of any security problem with that piece of software.

In which script are you reffering to?

As you may already know, I have been supporting the efforts being made for a new directory script phpLynx .

It came up in discussion yesterday that globals must be turned on to use the script. The script owner and head programmer were talking to someone who couldn't get the script to work and didn't want to turn globals on to get the script to work. When I asked about it the programmer explained that some folks worry as it can be a security risk, but that the risk has been somewhat resolved with later versions of php. The site owner simply said there was no risk.

I thought I would ask over here and get a perhaps more unbiased opinion as so many here are php gurus.

[Free WordPress Themes]

As you may already know, I have been supporting the efforts being made for a new directory script phpLynx .

It came up in discussion yesterday that globals must be turned on to use the script. The script owner and head programmer were talking to someone who couldn't get the script to work and didn't want to turn globals on to get the script to work. When I asked about it the programmer explained that some folks worry as it can be a security risk, but that the risk has been somewhat resolved with later versions of php. The site owner simply said there was no risk.

I thought I would ask over here and get a perhaps more unbiased opinion as so many here are php gurus.

If the script is fine (secure code) there should not be a problem. But writing scripts for "register_globals = on" is for lazy people an brings up problems in may cases (f.e. split vars with the same key name coming from different global arrays like $_GET and$_ POST)

A lot of shared hosting provider don't support this feature (in this case you have to convert all vars like provided by Nick somewhere here)

[Join us @ facebook]

Look what's going on. When registered globals is on, every get variable (?var=....) will be inserted in the script as an internal variavle ($var) That caused problems in the past. I am not sure what those problems were (maybe buffer overflow, or changing predefined vars?) but I am sure that there  is no problem of using them. It is just olf fashioned as I said before.

And to be honest I still have sites that use registered globals (hope I wont get hacked for this )

BTW check this tutorial if you can't set registered globals on : http://www.webdigity.com/index.php?action=tutorial;code=39

[Free WordPress Themes]

Nick not only GET vars...

[Join us @ facebook]

Nick not only GET vars...

Right, $_GET and $_POST

So, would you recommend if using a script that has globals on (assuming provider allows this) that is should be hosted in a hosting account by itself? Or is it OK with other sites?

[Join us @ facebook]

I don't think you will have any problem in either case.

Just check the version of PhP that runs to your system. If it is 4.4.4 or higher you are fine for sure

You can check this with :

Code:

<?php
    phpinfo();
?>

[Free WordPress Themes]

Right, $_GET and $_POST

from the manual:
Whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables.

there is a complete page about this...

Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP » 4.2.0. Reliance on this directive was quite common and many people didn't even know it existed and assumed it's just how PHP works. This page will explain how one can write insecure code with this directive but keep in mind that the directive itself isn't insecure but rather it's the misuse of it.

When on, register_globals will inject (poison) your scripts will all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this. Let's demonstrate with an example misuse of register_globals:

http://www.php.net/manual/en/security.globals.php

[Guest]

[37.728]

Googlebot, Yahoo crawler, Msnbot, Baidu Spider, Gigabot