My host can't/won't turn off register globals - should I worry?

bunner_bob

Apparently they're worried about all their users whose sites rely on register_globals = on. Perhaps they're using one php.ini file for all their users. Seems lame, but hey, they are only $8 a month.

All my php is written assuming globals are off, so each process is checking for if($POST['something']), if($GET['something']) or if($_SESSION['something']). Nothing sensitive (not much at all in fact) is being passed in URLs.

So how nervous do you think I should be?

matt_4013

If it's written using the $_POST style variables, then you wont have a problem. Register Globals is only a problem if you're using the global variables, because you can override them using URL strings, etc.

eg, you have something that checks if a form has been submitted in your page, but you're using register_globals.

if($submit) {

 // Do stuff with the form

}

If somebody accesses that page with http://myserver.com/myscript.php?submit=1

The condition will be true!

hope that helps,
Matt

bunner_bob

And fortunately all of my uses of $_GET are pretty innocuous, or are in the admin section of my site, which you need to be a registered admin to access.

Weedpacket

If memory serves, you can set/unset register_globals on a per-directory basis with an httpd.conf or .htaccess file.

If register_globals is still on then you really will have to be careful about initialising all your variables before using them, but then you already do this 🙂

ednark

dont' fret if you are careful about where you ask for them.

if your code is asking for them from specific places like GET and POST, then you don't need to worry about any exploits than are availble with globals on

Duey

Some would argue that is a good thing others may not, personally I like register_globals on because if I want to install a script say that doesnt user GET & POST i can use it. I think it is a hassel having it off no matter what anyone says.

ednark

true having to type GET POST all the time is is more of a hassle...

here is a bit of code i wrote to help with that actually... works with register_globals on or off

easy one liner that checks multiple places for a variable, and allows a default... im not trying to say this is the end-all-be-all of code, but my wrists have found this _very_useful when scripting

usage: if php knows about a variable called 'username' it will sure as h311 find it

$the_username = findVar('username');

/**
*   find a variable if it exists in specified location
*
*   looks in specified places, in specified order, to find the var. return a default if not found in specified places.
*       $username = findVar('username','SP','guest');
*       the above statement means: look for the varible named username in the Session, then the form POST, if not found in either place then set username to 'guest'
*
*   @param      $var_name - string, mandatory. The name of the variable to look for. ( for $var1 you send "var1" )
*   @param      $order - string, optional, default:'ECSPG', restriction: arbitrarily ordered subset of 'ECSPG'.
*               The order of places to look for the variable. First Come First Serve.
*               NOTE: this works in opposite order as the register_globals setting as defined in your php.ini
*               'ECSPG' =   look first for variable set in the local scope, than as environmental varibles if found, return it
*                           look for varibale in the cookie, if found there return it
*                           look for variable in the session, if found there return it
*                           look for variable in the form POST, if found there return it
*                           look for variable in the GET query, if found there return it
*                           if not found yet, return whatever $default is set to
*   @param      $default - mixed, optional, default:NULL. if not found anywhere with $order, set return this thing.
*
*   @return     mixed, the found variable or $defualt.
*/
function findVar( $var_name, $order=NULL, $default=NULL )
{
    if ( $order ===  NULL ) {
        $order = "ECSPGF";
    }

foreach ( range(0,(strlen($order)-1)) as $i ) {
    switch ( strtoupper($order{$i}) ) {
        case 'E':
             if ( isset($GLOBALS) && isset($GLOBALS[$var_name]) ) {
                return $GLOBALS[$var_name];
            } else if ( $result = getenv($var_name) ) {
                return $result;
            }
            break;

        case 'C':
            if ( isset($_COOKIE) && isset($_COOKIE[$var_name]) ) {
                return $_COOKIE[$var_name];
            } else if ( isset($HTTP_COOKIE_VARS) && isset($HTTP_COOKIE_VARS[$var_name]) ) {
                return $HTTP_COOKIE_VARS[$var_name];
            } else if ( isset($GLOBALS['HTTP_COOKIE_VARS']) && isset($GLOBALS['HTTP_COOKIE_VARS'][$var_name]) ) {
                return $GLOBALS['HTTP_COOKIE_VARS'][$var_name];
            }
            break;

        case 'S':
            if ( isset($_SESSION) && isset($_SESSION[$var_name]) ) {
                return $_SESSION[$var_name];
            } else if ( isset($HTTP_SESSION_VARS) && isset($HTTP_SESSION_VARS[$var_name]) ) {
                return $HTTP_SESSION_VARS[$var_name];
            } else if ( isset($GLOBALS['HTTP_SESSION_VARS']) && isset($GLOBALS['HTTP_SESSION_VARS'][$var_name]) ) {
                return $GLOBALS['HTTP_SESSION_VARS'][$var_name];
            }
            break;

        case 'P':
            if ( isset($_POST) && isset($_POST[$var_name]) ) {
                return $_POST[$var_name];
            } else if ( isset($HTTP_POST_VARS) && isset($HTTP_POST_VARS[$var_name]) ) {
                return $HTTP_POST_VARS[$var_name];
            } else if ( isset($GLOBALS['HTTP_POST_VARS']) && isset($GLOBALS['HTTP_POST_VARS'][$var_name]) ) {
                return $GLOBALS['HTTP_POST_VARS'][$var_name];
            }
            break;

        case 'G':
            if ( isset($_GET) && isset($_GET[$var_name]) ) {
                return $_GET[$var_name];
            } else if ( isset($HTTP_GET_VARS) && isset($HTTP_GET_VARS[$var_name]) ) {
                return $HTTP_GET_VARS[$var_name];
            } else if ( isset($GLOBALS['HTTP_GET_VARS']) && isset($GLOBALS['HTTP_GET_VARS'][$var_name]) ) {
                return $GLOBALS['HTTP_GET_VARS'][$var_name];
            }
            break;

        case 'F':
            if ( isset($_FILES) && isset($_FILES[$var_name]) ) {
                return $_FILES[$var_name];
            } else if ( isset($HTTP_POST_FILES) && isset($HTTP_POST_FILES[$var_name]) ) {
                return $HTTP_POST_FILES[$var_name];
            } else if ( isset($GLOBALS['HTTP_POST_FILES']) && isset($GLOBALS['HTTP_POST_FILES'][$var_name]) ) {
                return $GLOBALS['HTTP_POST_FILES'][$var_name];
            }
            break;

    }
}

return $default;
}

Duey

i like it